Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] scans to port 111
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Thu, 12 Jul 2001 17:50:39 +0200 (MEST)
  • Message-id: <XFMail.010712175039.bolo@xxxxxxx>

On 12-Jul-01 OKDesign oHG Security Webmaster wrote:
> Hi folks,
>
> our servers keep logging system-scans on port 111 for some months now.
> Obviously some people try to find systems accepting connections on port 111
> (sunrpc).
> Besides the traffic generated by this (okay, one scan means very little
> traffic, but up to 10 scans per day, and this every day on every IP we
> accept sums up to enough traffic to be concerned) and besides the fact
> that our servers are no playground for script-kiddies *sigh*, my question
> is: Do I have to be alarmed? And what can I do against it? I already run
> portsentry, but our /etc/hosts.deny keeps growing day by day.
> What's up with this port 111?

rpc scans to port 111 are very popular these days in the black hat scene.
Several exploits and vuln.-scanners are floating around, targeting these ports,
as in most cases, when a vulnerable service has been found, hijacking such
systems would be kid's play. At least this is the case with NFS or other terribly
insecure network services, which should never ever be offered via the internet.

> I know the normal pubscans and proxy-scans, but these are done on port 20, 21
> and 1080, not on 111...
> I'm a little confused now, because these scans grow. It began with 2-5 scans
> per week and now we log (as I already said) up to 10 scans per day.
> Can someone please explain what's going on there and if there is a way to
> stop it?

If your firewall keeps denying these connection attempts, and if you don't use
any remote procedure services (like NFS) on your host(s), your problem seems to
be the growing size of your logs. If you do not offer rpc services it seems to
be valid to switch off logging of these scans/connection attempts. However,
certain attacks on other services start with someone nosing around on other,
probably insecure services, like sunrpc. Switching off logging of these scans
would decrease the efficiency of your forensic data analysis, should anything
serious happen to your host(s). That's why you should visit sites like
www.securityfocus.com and look for digesting/rotating tools for your firewall
logs in order to keep them usable.

There are numerous vulnerabilities in rpc services and daemons, such as
snmpXdmid, rpc.statd and wu-ftpd, buffer overflows in various services, and so
on. Look at CERT's collection of the current cracker/kiddie activity on
http://www.cert.org/current/current_activity.html#scans . And keep your system
free of rpc.

> Thanks in advance.
>
> ---
[...]

---
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
---
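The log-digesting approach Boris recommends above, as an added example that is not part of the original thread: instead of disabling logging of the port 111 denies, collapse the per-packet lines into one record per source address, keeping first/last seen, packet count and the number of hosts probed (a source hitting many of your addresses is a sweep). The sample lines are constructed in the netfilter/iptables LOG key=value style; the field names and the hosts are assumptions, not data from the post.

```python
import re

# Constructed sample firewall log lines (netfilter-style key=value format), not real data.
SAMPLE_LOG = """\
Jul 12 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3421 DPT=111 SYN
Jul 12 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=3422 DPT=111 SYN
Jul 12 03:14:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=3423 DPT=111 SYN
Jul 12 09:30:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=111 SYN
Jul 12 11:02:55 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=UDP SPT=40001 DPT=111
Jul 12 12:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=5555 DPT=22 SYN
"""

# Syslog timestamp, then the SRC/DST/PROTO/DPT fields; assumes lines are in chronological order.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def digest(log_text, port=111):
    """Collapse per-packet denies on `port` into one record per source address.
    Returns {src: {"count", "first", "last", "targets", "protos"}}."""
    per_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue  # unparseable line or a different destination port
        rec = per_src.setdefault(m.group("src"), {
            "count": 0, "first": m.group("ts"), "last": m.group("ts"),
            "targets": set(), "protos": set()})
        rec["count"] += 1
        rec["last"] = m.group("ts")
        rec["targets"].add(m.group("dst"))
        rec["protos"].add(m.group("proto"))
    return per_src

def format_digest(per_src, port=111):
    """Render the digest, busiest source first; multiple targets mark a sweep."""
    lines = [f"sunrpc (port {port}) denies by source:"]
    for src, r in sorted(per_src.items(), key=lambda kv: -kv[1]["count"]):
        kind = "sweep" if len(r["targets"]) > 1 else "single host"
        lines.append(f"  {src:<15} {r['count']:>4} hits  {len(r['targets'])} target(s) [{kind}]  "
                     f"{'/'.join(sorted(r['protos']))}  {r['first']} .. {r['last']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_digest(digest(SAMPLE_LOG)))
```

Run it nightly over the rotated firewall log and keep only the digest plus the compressed raw file; the raw lines remain available for forensics while the day-to-day view stays a few lines long.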
