Security Incidents: Re: Lots of rpc.statd probes lately

[Steve Stearns <sterno () BIGBROTHER NET>]

Frank Louwers wrote:

> The last 2 weeks, I've seen a HUGE increase in rpc.statd probes.
> Any new exploits around?
>
> Frank
The system I run is a relatively low profile system (linux box hooked up
to a DSL line with just my low traffic website on it).  So, my
assumption is that almost all of the rpc probes I see are from
sequential searches of IP addresses.  Since February 12th I have seen 73
unique rpc probes on my system making for an average of just over 4
probes a day (and it seems like it's been increasing lately).  Not a lot
in the grand scheme of things, but considering that this is almost all
from sequential scanning, it seems like a whole lot to me.

By contrast, a few months ago I was maybe getting 3 probes a week (and
that's all kinds of probes, not just RPC).  So I've seen at least an
order of magnitude increase (using my relatively unscientific
measurements).  I think that the big increases aren't so much attributed
to new exploits, but rather that as vulnerable boxes are exploited, they
increase the number of overall scans resulting in more exploits, wash,
rinse, repeat.  On the bright side, eventually all the boxes that can be
exploited will be exploited and the number of scans should begin
tapering off as some of the compromised boxes are fixed.

---Steve