Snort mailing list archives

Re: rpc.statd


From: "skop d'skop" <skop () visto com>
Date: Wed, 06 Jun 2001 07:49:06 -0700

Thanks David,
But what I wonder about is this pattern:
May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP

First it looks for SYN (which is a TCP flag), then it looks for the UDP protocol. For UDP, the source port is below 1024.

Plus, is there anything about a source port < 1024 (isn't that abnormal?) scanning some destination on a destination port
< 1024 (normal)?


Thanks
-skop
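The pattern asked about above (a TCP SYN to port 111 followed by a UDP packet to 111 from the same source, with a reserved source port) can be pulled out of a Snort portscan log mechanically. The following is an added example, not code from the original thread; the log lines are constructed with documentation IP ranges, and the parser's field names and the five-second pairing window are assumptions.

```python
import re
from datetime import datetime

# Snort portscan.log line, e.g. "May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"
)
SUNRPC_PORT = 111  # portmapper / rpcbind

# Constructed sample mirroring the pattern in the thread (not real traffic).
SAMPLE_LOG = """\
May 30 11:25:15 192.0.2.80:3348 -> 198.51.100.9:111 SYN ******S*
May 30 11:25:16 192.0.2.80:726 -> 198.51.100.9:111 UDP
May 20 11:25:15 192.0.2.80:3351 -> 198.51.100.12:111 SYN ******S*
May 20 11:25:15 192.0.2.80:3352 -> 198.51.100.13:111 SYN ******S*
""".splitlines()

def parse(line, year=2001):
    """Return a dict for one portscan log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"], "flags": d["flags"] or ""}

def find_portmap_probes(lines, window=5):
    """Flag a TCP SYN to 111 followed within `window` seconds by UDP to 111
    from the same source to the same destination. A UDP source port below
    1024 is noted: on Unix only a privileged process can bind one."""
    events = [e for e in map(parse, lines) if e and e["dport"] == SUNRPC_PORT]
    events.sort(key=lambda e: e["ts"])
    hits = []
    for i, syn in enumerate(events):
        if syn["proto"] != "SYN":
            continue
        for udp in events[i + 1:]:
            if (udp["ts"] - syn["ts"]).total_seconds() > window:
                break
            if udp["proto"] == "UDP" and udp["src"] == syn["src"] and udp["dst"] == syn["dst"]:
                hits.append({"src": syn["src"], "dst": syn["dst"],
                             "udp_sport": udp["sport"], "reserved_sport": udp["sport"] < 1024})
                break
    return hits

if __name__ == "__main__":
    for h in find_portmap_probes(SAMPLE_LOG):
        print(h)
```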

-----Original Message-----
From:    LEFEVRE David David.LEFEVRE () cardif fr
Sent:    Wed, 06 Jun 2001 09:44:42 +0200
To:      skop () visto com
CC:      snort-users () lists sourceforge net
Subject: Re: [Snort-users] rpc.statd


You should look at Cybercop or the Nessus security scanning tool.
I use it to improve the security of my net; it runs well. It also has an
"nmap plugin".

For example:
Vulnerability found on port unknown (669/tcp)

The remote statd service could be brought down
with a format string attack - it now needs to
be restarted manually.

This means that an attacker may execute arbitrary
code thanks to a bug in this daemon.

Solution : upgrade to the latest version of rpc.statd
Risk factor : High
see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)

Best regards,
David

skop d'skop wrote:

Hi guys,
I've come across this alert lately on my network:

[**] IDS10 - RPC - portmap-request-rstatd [**]

May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*

and I'm wondering what kind of scanning / tool triggers this alert.

I've done #rpcinfo -p hostname and #nmap -sU -sR hostname, yet no similar output.

-skop
___________________________________________________________________________
Visit http://www.visto.com/info, your free web-based communications center.
Visto.com. Life on the Dot.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
David LEFEVRE
CARDIF - Architecture et Sécurité Opérationnelle
david.lefevre () cardif fr - Tél : 01 41 42 76 63



