
Re: [Q] what do these portmap log entries mean?



Your example shows local IP addresses for the refused hosts; if this
is the case, it is possibly just network noise.

Paranoid rant follows:

The (unfortunately) more likely case is that you are being scanned for
the latest statd vulnerability.  If you have the latest nfs-common
package you are safe (you should also have a kernel version of 2.2.16
minimum).  I lost 50+ machines to this about a week ago (they were all
shut down before mr. skriptkiddie came back, but the break-in went
through 6 class C subnets in about 3 min, setting up back doors).

My particular instance set up root shells listening on port 199,
entered in /etc/inetd.conf, so you might want to look there and see if
there's a suspicious "smux" line.  This is what was done once they got
root, not the vulnerability, so lack of this line may simply indicate
a different use of it.

If you have a new kernel and nfs-common Version: 1:0.1.9.1-1, no
worries, you can just laugh the scan off (if that's what it was).


On Thu, Aug 24, 2000 at 12:49:13PM +0900, Olaf Meeuwissen wrote:
:Dear all,
:
:I've been seeing entries like below in my logs for a while.
:
:  Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
:  Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
:
:and
:
:  Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
:
:I've implemented a default deny-all policy in /etc/hosts.deny with
:
:  ALL : ALL
:
:My /etc/hosts.allow effectively reads
:
:  nmbd smbd : 172.16.
:
:From the log messages I assume that the portmap connect attempts fail
:(as per policy), but what do these connect attempts mean?  Is someone
:trying to crack my server or something?  I did challenge our network
:admin ...
:-- 
:Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
:
:
:-- 
:Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
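
The /etc/inetd.conf check suggested in the reply above, as an added shell example that is not part of the original message: it flags entries whose server program is a command interpreter, or whose service name is smux (port 199). The function names are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Audit an inetd.conf for entries that hand connections to a shell.
# Fields: service socket proto wait user[.group] server_path args...
audit_inetd() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF < 6         { next }                 # not a complete service entry
        {
            server = $6
            # tcpd-wrapped entries name the real daemon in the next field
            if (server ~ /(^|\/)tcpd$/ && NF >= 7) server = $7
            n = split(server, parts, "/"); prog = parts[n]
            user = $5; sub(/[.:].*/, "", user)  # drop optional group suffix
            why = ""
            if (prog ~ /^(sh|ash|bash|csh|tcsh|ksh|zsh)$/) why = "shell-as-server"
            if ($1 == "smux" || $1 == "199") {
                sep = (why == "") ? "" : ","
                why = why sep "smux-service"
            }
            if (why != "")
                printf "%s:%d: [%s] service=%s user=%s server=%s\n",
                       FILENAME, FNR, why, $1, user, server
        }
    ' "$1"
}

# Constructed sample entries (assumption: not taken from any real host).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
ident   stream  tcp     wait    identd  /usr/sbin/identd identd
#smux   stream  tcp     nowait  root    /bin/sh sh
smux    stream  tcp     nowait  root    /bin/sh sh
EOF
}

# Demo run against the constructed sample; point audit_inetd at
# /etc/inetd.conf to check a real host.
tmp=$(mktemp)
sample_inetd_conf > "$tmp"
audit_inetd "$tmp"
rm -f "$tmp"
```

A clean result only rules out this one persistence method; as the reply notes, the absence of the line does not show that the host was not compromised.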


