[Snort-users] Help! RPC Port 111
erek at ...577...
Thu Sep 27 18:36:02 EDT 2001
On Thu, 27 Sep 2001, T.Ferris wrote:
> I am running Snort IDS on Mandrake 8.0. I just received this alert below.
> [**] [1:583:1] RPC portmap request rstatd [**]
> [Classification: Attempted Information Leak] [Priority: 3]
> 09/27-05:51:47.239050 216.56.21.X873 -> 192.168.1.100:111
> UDP TTL:47 TOS:0x0 ID:44461 IpLen:20 DgmLen:84
> Len: 64
> [Xref => http://www.whitehats.com/info/IDS10]
> [**] [1:1282:1] RPC EXPLOIT statdx [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
> 09/27-05:51:47.414408 216.56.21.X:874 -> 192.168.1.100:1024
> UDP TTL:47 TOS:0x0 ID:44578 IpLen:20 DgmLen:1104
> Len: 1084
> [Xref => http://www.whitehats.com/info/IDS442]
> I don't even know if he got root on my box or not. How can I close RPC Port
[Note, I don't know Linux, so this is a bit vague...]
Turn off all RPC based services in /etc/inetd.conf. Turn off any startup
scripts in /etc/rc?.d/ that call portmapper. If you're not running NFS you
don't need statd or lockd.
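
The checks suggested in the reply above, as an added example that is not part of the original thread: a read-only audit that lists RPC services still enabled in inetd.conf and boot scripts that mention portmap, statd or lockd. The function names, the optional ROOT prefix and the sample tree are assumptions made for illustration; the paths are the ones named in the reply.

```shell
#!/bin/sh
# Added example, not from the original thread. Read-only audit: lists enabled
# RPC services in inetd.conf and rc start scripts mentioning portmap/statd/lockd.

# audit_rpc [ROOT]: ROOT is an optional path prefix (assumption, lets you
# audit a copy of /etc instead of the live system).
audit_rpc() {
    root="${1:-}"
    conf="$root/etc/inetd.conf"
    # inetd marks RPC services with rpc/udp or rpc/tcp in the 3rd (protocol)
    # field; lines starting with '#' are already disabled.
    if [ -r "$conf" ]; then
        awk '$1 !~ /^#/ && $3 ~ /^rpc\// { print "inetd: " $1 " " $3 }' "$conf"
    fi
    # S* entries in rc?.d run at boot; K* entries only stop services.
    for f in "$root"/etc/rc?.d/S*; do
        [ -f "$f" ] || continue
        if grep -Eq 'portmap|statd|lockd' "$f"; then
            rel=${f#"$root"}
            echo "rc: $rel"
        fi
    done
}

# make_sample DIR: builds a constructed /etc tree for a dry run.
make_sample() {
    mkdir -p "$1/etc/rc3.d"
    cat > "$1/etc/inetd.conf" <<'EOF'
# constructed sample
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rstatd
#rusersd/2-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rusersd
EOF
    echo 'daemon portmap' > "$1/etc/rc3.d/S11portmap"
    echo 'daemon rpc.statd' > "$1/etc/rc3.d/S14nfslock"
    echo 'daemon sendmail' > "$1/etc/rc3.d/S80sendmail"
    echo 'killproc portmap' > "$1/etc/rc3.d/K89portmap"
}

# Dry run on the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" && audit_rpc "$d"
    rm -rf "$d"
fi
```

Each "inetd:" line is an entry to comment out in inetd.conf (then signal inetd to reload); each "rc:" line is a start script to disable.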