[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

portmap exploit?

I've noticed a strange established TCP connection (from unknown
host) to portmaper which lasts for hours, but apparently there
is no traffic. My portmapper is tcp-wrapped, so the connection
should be rejected. I can see the following:

# netstat -t
tcp        0      0 MYHOST:sunrpc     ESTABLISHED

# lsof
portmap     158     root    5u  IPv4     110899           TCP MYHOST:sunrpc-> (ESTABLISHED)

# nmap -P0 -O
Warning:  No TCP ports found open on this machine,
OS detection will be MUCH less reliable
All 1523 scanned ports on  ( are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds

# tcpdump -n -i eth0 dst port 111 and not src net MYNET
shows no traffic.

Also, ippl doesn't log anything. Can anybody enlighten me what's up?

-Igor Mozetic

Reply to: