
portmap exploit?



I've noticed a strange established TCP connection (from an unknown
host) to the portmapper which lasts for hours, but apparently there
is no traffic. My portmapper is tcp-wrapped, so the connection
should be rejected. I can see the following:

# netstat -t
tcp        0      0 MYHOST:sunrpc 211.250.216.195:691     ESTABLISHED

# lsof
portmap     158     root    5u  IPv4     110899           TCP MYHOST:sunrpc->211.250.216.195:691 (ESTABLISHED)

# nmap -P0 -O 211.250.216.195
Warning:  No TCP ports found open on this machine,
OS detection will be MUCH less reliable
All 1523 scanned ports on  (211.250.216.195) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds

# tcpdump -n -i eth0 dst port 111 and not src net MYNET
shows no traffic.

Also, ippl doesn't log anything. Can anybody enlighten me what's up?

-Igor Mozetic
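
The check done by eye on the `netstat -t` output above, as an added example that is not part of the original message: it lists ESTABLISHED connections to the local portmapper whose peer lies outside a trusted network. The sample lines, the function name and 192.0.2.0/24 standing in for MYNET are constructed assumptions.

```python
import ipaddress

# Constructed sample in `netstat -t` layout; MYHOST and 192.0.2.0/24 stand in
# for the poster's redacted host and network (assumptions).
SAMPLE = """\
tcp        0      0 MYHOST:sunrpc 211.250.216.195:691     ESTABLISHED
tcp        0      0 MYHOST:sunrpc 192.0.2.44:802          ESTABLISHED
tcp        0      0 MYHOST:ssh    192.0.2.44:51512        ESTABLISHED
tcp        0      0 MYHOST:111    198.51.100.7:1021       TIME_WAIT
"""

PORTMAP_PORTS = {"111", "sunrpc"}  # numeric (-n) form and /etc/services name


def foreign_portmap_peers(netstat_text, trusted_nets):
    """Return (peer, peer_port, queued_bytes) for each ESTABLISHED TCP
    connection to the local portmapper from outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Columns: proto, Recv-Q, Send-Q, local address, foreign address, state
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        local_port = f[3].rsplit(":", 1)[-1]
        if local_port not in PORTMAP_PORTS:
            continue
        peer_host, _, peer_port = f[4].rpartition(":")
        queued = int(f[1]) + int(f[2])  # 0 on both queues means an idle socket
        try:
            peer = ipaddress.ip_address(peer_host)
        except ValueError:
            # Peer printed as a hostname: it cannot be matched against a
            # network, so report it rather than silently trusting it.
            hits.append((peer_host, peer_port, queued))
            continue
        if not any(peer in net for net in nets):
            hits.append((str(peer), peer_port, queued))
    return hits


if __name__ == "__main__":
    for peer, port, queued in foreign_portmap_peers(SAMPLE, ["192.0.2.0/24"]):
        print(f"portmap peer outside trusted nets: {peer}:{port} "
              f"(queued bytes: {queued})")
```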


