Security Incidents: Re: Strange RPC? service entries.

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Strange RPC? service entries.

From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Mon, 13 Mar 2000 10:24:05 +0100


On Thu, 9 Mar 2000, Tony Molloy wrote:

Recently I've lots of messages like the following appearing in
several of my server logs. Several megabytes a day each.

Mar  8 18:57:33 server portmap[24722]: connect from xxx.xxx.xxx.xxx
to callit(300214): request from unauthorized host
Mar  9 07:59:44 server portmap[14761]: connect from xxx.xxx.xxx.xxx
to callit(390109): request from unauthorized host


AFAIK, 390109 is "nsrstat" where "nsr" stands for Legato Networker (also
known as Solstice Backup). I know nothing certain 300214. A fuzzy
reference I found in one of FreeBSD lists suggests this service might be
related to FrameMaker. There should be a registry of these numbers
maintained by Sun but I do not know how one could access it (besides
the tiny portion in /etc/rpc).

BTW: From what I have seen, various people have been complaining about
these probes for a year. I smell a problem.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

By Date By Thread

Current thread:

Re: UDP flood 28001-28003 Rainer Weikusat (Mar 08)
- <Possible follow-ups>
- Re: UDP flood 28001-28003 Andrew Badr (Mar 08)
  - Strange RPC? service entries. Tony Molloy (Mar 09)
    - Re: Strange RPC? service entries. Pavel Kankovsky (Mar 13)
  - Re: UDP flood 28001-28003 Ian A (Mar 09)
  - Re: UDP flood 28001-28003 George (Mar 09)
  - 12th Annual FIRST conference Elias Levy (Mar 11)
  - odd icmp broadcast scan Jon Lewis (Mar 12)