Security Incidents: Netware doing rouge portmap requests?

[robinton () gmx de (Soeren Ziehe)]

Hello,

I've got a report that one maschine is doing portmap requests it  
shouldn't do.
It's a Netware 4.11 server, which has a novell unix gateway suite  
installed.

-- sanitized log excerpt from "victim" ---

Jan 21 00:16:10 some-host portmap[15440]: connect from xxx.xxx.xxx.xxx  
to callit(300055): request from unauthorized host
Jan 21 00:17:14 some-host portmap[15501]: connect from xxx.xxx.xxx.xxx  
to callit(300055): request from unauthorized host
Jan 21 00:18:18 some-host portmap[15566]: connect from xxx.xxx.xxx.xxx  
to callit(300055): request from unauthorized host

There's about one request per minute and it apparently has been going on  
for weeks.

There's nothing in the configuration, that I'm aware of, that would  
cause the requests to this particular maschine.
Is anything out there that I should know? That is is there a known way  
to hijack said novell unix gateway?

Robinton

P.S.: no packet dumps available at the moment, will try to get them ASAP

-- 
I've asked for kindness and ultimate truth. Still waiting for the answer.
-- 
Und das, Wesley, ist eine Luftschleuseeeeeeeeeeeeeeeeeeeeeeeee...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com