portmap exploit?
I've noticed a strange established TCP connection (from an unknown
host) to portmapper which lasts for hours, but apparently there
is no traffic. My portmapper is tcp-wrapped, so the connection
should be rejected. I can see the following:
# netstat -t
tcp 0 0 MYHOST:sunrpc 211.250.216.195:691 ESTABLISHED
# lsof
portmap 158 root 5u IPv4 110899 TCP MYHOST:sunrpc->211.250.216.195:691 (ESTABLISHED)
# nmap -P0 -O 211.250.216.195
Warning: No TCP ports found open on this machine,
OS detection will be MUCH less reliable
All 1523 scanned ports on (211.250.216.195) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds
# tcpdump -n -i eth0 dst port 111 and not src net MYNET
shows no traffic.
Also, ippl doesn't log anything. Can anybody enlighten me what's up?
-Igor Mozetic