[Snort-users] Help! RPC Port 111

Erek Adams erek at ...577...
Thu Sep 27 18:36:02 EDT 2001


On Thu, 27 Sep 2001, T.Ferris wrote:

> Ok,
>
> I am running Snort IDS on Mandrake 8.0.  I just received this alert below.
>
>
> [**] [1:583:1] RPC portmap request rstatd [**]
> [Classification: Attempted Information Leak] [Priority: 3]
> 09/27-05:51:47.239050 216.56.21.X873 -> 192.168.1.100:111
> UDP TTL:47 TOS:0x0 ID:44461 IpLen:20 DgmLen:84
> Len: 64
> [Xref => http://www.whitehats.com/info/IDS10]
>
> [**] [1:1282:1] RPC EXPLOIT statdx [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
> 09/27-05:51:47.414408 216.56.21.X:874 -> 192.168.1.100:1024
> UDP TTL:47 TOS:0x0 ID:44578 IpLen:20 DgmLen:1104
> Len: 1084
> [Xref => http://www.whitehats.com/info/IDS442]
>
> I don't even know if he got root on my box or not.  How can I close RPC Port
> 111?

[Note, I don't know Linux, so this is a bit vague...]

Turn off all RPC based services in /etc/inetd.conf.  Turn off any startup
scripts in /etc/rc?.d/ that call portmapper.  If you're not running NFS you
don't need statd or lockd.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
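
Added example, not part of the reply above: a shell check for the two places the reply names, active RPC entries in /etc/inetd.conf and start scripts in /etc/rc?.d/ that call portmap, statd or lockd. The function names, the assumed inetd.conf field layout and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list RPC services that are still enabled under a root dir.
# Pass "" as the root to inspect the live /etc; the demo uses a sample tree.

# Active inetd.conf entries whose protocol field is rpc/udp or rpc/tcp.
# Assumes the classic layout: service/version, socket type, protocol, wait,
# user, server path, args. Commented-out lines are already disabled.
rpc_inetd_entries() {
    conf="$1/etc/inetd.conf"
    [ -r "$conf" ] || return 0
    awk '$1 !~ /^#/ && $3 ~ /^rpc\// { print $1, $3, $6 }' "$conf"
}

# Start scripts (S*) in rc?.d that mention portmap, statd or lockd.
# K* (kill) scripts are ignored because they stop services.
rpc_start_scripts() {
    grep -lE 'portmap|statd|lockd' "$1"/etc/rc?.d/S* 2>/dev/null || true
}

# Constructed sample tree; none of it comes from the poster's machine.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/rc3.d"
    cat > "$root/etc/inetd.conf" <<'EOF'
ftp          stream tcp     nowait root /usr/sbin/in.ftpd     in.ftpd
rstatd/1-3   dgram  rpc/udp wait   root /usr/sbin/rpc.rstatd  rpc.rstatd
#rusersd/2-3 dgram  rpc/udp wait   root /usr/sbin/rpc.rusersd rpc.rusersd
EOF
    printf '#!/bin/sh\n/sbin/portmap\n'   > "$root/etc/rc3.d/S11portmap"
    printf '#!/bin/sh\n/usr/sbin/sshd\n'  > "$root/etc/rc3.d/S55sshd"
    printf '#!/bin/sh\nkillall portmap\n' > "$root/etc/rc3.d/K89portmap"
    echo "$root"
}

sample=$(make_sample_tree)
echo "inetd RPC entries still enabled:"; rpc_inetd_entries "$sample"
echo "start scripts calling RPC daemons:"; rpc_start_scripts "$sample"
rm -rf "$sample"
```

An empty result from both functions means neither location still starts an RPC service; it does not show whether a daemon is running right now.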
