scans to port 111
Hi folks,

our servers keep logging system scans on port 111 for some months now. Obviously some people try to find systems accepting connections on port 111 (sunrpc). Besides the traffic generated by this (okay, one scan means very little traffic, but up to 10 scans per day, and this every day on every IP we accept, sums up to enough traffic to be concerned) and besides the fact that our servers are no playground for script kiddies *sigh*, my question is: Do I have to be alarmed? And what can I do against it? I already run portsentry, but our /etc/hosts.deny keeps growing day by day. What's up with this port 111?

I know the normal pubscans and proxy scans, but these are done on ports 20, 21 and 1080, not on 111... I'm a little confused now, because these scans grow. It began with 2-5 scans per week and now we log (as I already said) up to 10 scans per day. Can someone please explain what's going on there and if there is a way to stop it?

Thanks in advance.

---
--------------------------------------------
Stephan M. Ott // OKDesign oHG ............. Internet Provision and Network Management ..
smo@okdesign.de ..... http://www.okdesign.de
fon. +49 961 3814139 .. fax. +49 961 3814140
in urgent cases: mobile 0171-7858064 .
--------------------------------------------
On 12-Jul-01 OKDesign oHG Security Webmaster wrote:
> Hi folks,
> our servers keep logging system scans on port 111 for some months now. Obviously some people try to find systems accepting connections on port 111 (sunrpc). Besides the traffic generated by this (okay, one scan means very little traffic, but up to 10 scans per day, and this every day on every IP we accept, sums up to enough traffic to be concerned) and besides the fact that our servers are no playground for script kiddies *sigh*, my question is: Do I have to be alarmed? And what can I do against it? I already run portsentry, but our /etc/hosts.deny keeps growing day by day. What's up with this port 111?
rpc scans to port 111 are very popular these days in the black hat scene. Several exploits and vulnerability scanners are floating around targeting these ports, as in most cases, when a vulnerable service has been found, hijacking such systems would be kid's play. At least this is the case with NFS or other terribly insecure network services, which should never ever be offered via the internet.
> I know the normal pubscans and proxy scans, but these are done on ports 20, 21 and 1080, not on 111... I'm a little confused now, because these scans grow. It began with 2-5 scans per week and now we log (as I already said) up to 10 scans per day. Can someone please explain what's going on there and if there is a way to stop it?
If your firewall keeps denying these connection attempts, and if you don't use any remote procedure services (like NFS) on your host(s), your problem seems to be the growing size of your logs. If you do not offer rpc services it seems valid to switch off logging of these scans/connection attempts. However, certain attacks on other services start with someone nosing around on other, probably insecure services, like sunrpc. Switching off logging of these scans would decrease the efficiency of your forensic data analysis, should anything serious happen to your host(s). That's why you should visit sites like www.securityfocus.com and look for digesting/rotating tools for your firewall logs in order to keep them usable.

There are numerous vulnerabilities in rpc services and daemons, such as snmpXdmid, rpc.statd and wu-ftpd, buffer overflows in various services, and so on. Look at CERT's collection of the current cracker/kiddie activity at http://www.cert.org/current/current_activity.html#scans . And keep your system free of rpc.
> Thanks in advance.
> --- [...]
---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
---
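A small log digest of the kind Boris recommends, added here as an example and not part of the thread: it assumes portsentry-style syslog "attackalert" lines (the sample lines below are constructed and the format is approximated, so adjust LINE_RE to your own logs) and reports port 111 attempts per day and per source, plus the sources that keep coming back, so rotated logs can be condensed into a record that stays useful for forensics.

```python
import re
from collections import Counter

# Constructed sample lines in the style of portsentry's syslog "attackalert"
# messages (format approximated; RFC 5737 documentation addresses as sources).
SAMPLE_LOG = """\
Jul 12 03:14:01 gw portsentry[412]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Jul 12 03:14:03 gw portsentry[412]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Jul 12 09:20:44 gw portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Jul 12 11:02:10 gw portsentry[412]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 1080
Jul 13 01:55:31 gw portsentry[412]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Jul 13 07:41:12 gw portsentry[412]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 21
Jul 13 22:09:58 gw portsentry[412]: attackalert: Connect from host: 192.0.2.77/192.0.2.77 to TCP port: 111
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ portsentry\[\d+\]: attackalert: "
    r"Connect from host: (?P<src>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)


def digest(log_text, port=111, repeat_threshold=2):
    """Summarise connection attempts to `port`: per-day totals, per-source
    totals, and the sources seen at least `repeat_threshold` times (the
    repeat scanners worth keeping even after the raw logs are rotated)."""
    per_day, per_src, other_ports = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog noise
        if int(m["port"]) != port:
            other_ports[int(m["port"])] += 1  # e.g. the usual 21/1080 scans
            continue
        per_day[m["day"]] += 1
        per_src[m["src"]] += 1
    repeaters = sorted(s for s, n in per_src.items() if n >= repeat_threshold)
    return {"per_day": dict(per_day), "per_src": dict(per_src),
            "repeaters": repeaters, "other_ports": dict(other_ports)}


if __name__ == "__main__":
    d = digest(SAMPLE_LOG)
    for day, n in sorted(d["per_day"].items()):
        print(f"{day}: {n} attempt(s) on port 111")
    print("repeat scanners:", ", ".join(d["repeaters"]))
```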
> > I know the normal pubscans and proxy scans, but these are done on ports 20, 21 and 1080, not on 111... I'm a little confused now, because these scans grow. It began with 2-5 scans per week and now we log (as I already said) up to 10 scans per day. Can someone please explain what's going on there and if there is a way to stop it?
> If your firewall keeps denying these connection attempts, and if you don't use any remote procedure services (like NFS) on your host(s), your problem seems to be the growing size of your logs. If you do not offer rpc services it seems valid to switch off logging of these scans/connection attempts.
...or you could add those files to SuSE's log rotation file and let it rotate the logs for you.

Jeremy Buchmann [jeremy@wellsgaming.com]