
Re: [Q] what do these portmap log entries mean?



Thanks for the quick reply!

"Jonathan D. Proulx" <jon@ai.mit.edu> writes:

> Your example shows local IP addresses for the refused hosts, if this
> is the case it is possibly just network noise.
> 
> Paranoid rant follows:
> 
> The (unfortunately) more likely case is that you are being scanned for
> the latest statd vulnerability.  If you have the latest nfs-common
> package you are safe (you should also have a kernel version of 2.2.16
> minimum).  I lost 50+ machines to this about a week ago (they were all
> shut down before mr. skriptkiddie came back, but the break-in went
> through 6 class c subnets in about 3min setting up back doors)

I don't have NFS packages installed, running 2.2.17 generic kernel.  I
installed potato afresh right after it became stable from a local
mirror and made sure all md5sums were OK (before installing from a
freshly downloaded Packages file).  Haven't installed much: base
tarball, tob/afio/cron/exim, samba and apache.  Even purged telnet,
ftp, ppp, pppconfig, pump and pcmcia-cs.

> My particular instance set up root shells listening on port 199,
> entered in /etc/inetd.conf so you might want to look there and see if
> there's a suspicious "smux" line.  This is what was done once they got
> root, not the vulnerability, so lack of this line may simply indicate
> a different use of it.

No smux in there.

> If you have a new kernel and nfs-common Version: 1:0.1.9.1-1, no
> worries, you can just laugh the scan off (if that's what it was)
> 
> 
> On Thu, Aug 24, 2000 at 12:49:13PM +0900, Olaf Meeuwissen wrote:
> :Dear all,
> :
> :I've been seeing entries like below in my logs for a while.
> :
> :  Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> :  Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> :
> :and
> :
> :  Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
> :
> :I've implemented a default deny-all policy in /etc/hosts.deny with
> :
> :  ALL : ALL
> :
> :My /etc/hosts.allow effectively reads
> :
> :  nmbd smbd : 172.16.
> :
> :From the log messages I assume that the portmap connect attempts fail
> :(as per policy), but what do these connect attempts mean?  Is someone
> :trying to crack my server or something?  I did challenge our network
> :admin ...

-- 
Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
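As an added example (not code from the thread), a small Python parser for the portmap refusal lines quoted above. It runs over a constructed log sample with made-up 172.16.x addresses (the original masked them), counts refusals per source, procedure and RPC program number so a stray broadcast can be told apart from a host walking through services, and flags any getport lookup for rpc.statd (RPC program 100024, the service the reply warns about). The program numbers 300598 and 390109 are left unnamed, as the thread does not identify them.

```python
import re
from collections import Counter

# Well-known RPC program numbers (from rpc(5)); only the two needed here.
RPC_PROGRAMS = {
    100000: "portmapper",
    100024: "status",   # rpc.statd, the service the reply says is being scanned for
}

# Constructed sample, modelled on the entries quoted in the thread; the
# addresses are made up (the original post masked them as 172.16.x.y).
SAMPLE_LOG = """\
Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.1.20 to callit(390109): request from unauthorized host
Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.1.20 to callit(390109): request from unauthorized host
Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.2.7 to getport(300598): request from unauthorized host
Aug 24 12:50:10 bilbo portmap[27659]: connect from 172.16.2.7 to getport(100024): request from unauthorized host
Aug 24 12:50:11 bilbo exim[27700]: Start queue run: pid=27700
"""

# Shape of a portmap line refused by tcp_wrappers (hosts.deny ALL : ALL).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<prog>\d+)\): "
    r"request from unauthorized host$"
)


def parse_refusals(text):
    """Return one dict per portmap line that tcp_wrappers refused; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["prog"] = int(d["prog"])
            d["name"] = RPC_PROGRAMS.get(d["prog"], "unknown")
            events.append(d)
    return events


def summarize(events):
    """Count refused requests per (source, procedure, program number)."""
    return Counter((e["src"], e["proc"], e["prog"]) for e in events)


def statd_probes(events):
    """Sources that asked portmap where rpc.statd (program 100024) is listening."""
    return sorted({e["src"] for e in events if e["prog"] == 100024})
```

A repeated callit(390109) from one address every few seconds looks like broadcast noise; a single host issuing getport for several different program numbers, especially 100024, is the pattern worth following up with the network admin.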