Re: [Q] what do these portmap log entries mean?
Thanks for the quick reply!
"Jonathan D. Proulx" <jon@ai.mit.edu> writes:
> Your example shows local IP addresses for the refused hosts, if this
> is the case it is possibly just network noise.
>
> Paranoid rant follows:
>
> The (unfortunately) more likely case is that you are being scanned for
> the latest statd vulnerability. If you have the latest nfs-common
> package you are safe (you should also have a kernel version of 2.2.16
> minimum). I lost 50+ machines to this about a week ago (they were all
> shut down before mr. skriptkiddie came back, but the break-in went
> through 6 class C subnets in about 3 min setting up back doors)
I don't have NFS packages installed, running 2.2.17 generic kernel. I
installed potato afresh right after it became stable from a local
mirror and made sure all md5sums were OK (before installing from a
freshly downloaded Packages file). Haven't installed much: base
tarball, tob/afio/cron/exim, samba and apache. Even purged telnet,
ftp, ppp, pppconfig, pump and pcmcia-cs.
> My particular instance set up root shells listening on port 199,
> entered in /etc/inetd.conf so you might want to look there and see if
> there's a suspicious "smux" line. This is what was done once they got
> root, not the vulnerability, so lack of this line may simply indicate
> a different use of it.
No smux in there.
> If you have a new kernel and nfs-common Version: 1:0.1.9.1-1, no
> worries, you can just laugh the scan off (if that's what it was)
>
>
> On Thu, Aug 24, 2000 at 12:49:13PM +0900, Olaf Meeuwissen wrote:
> :Dear all,
> :
> :I've been seeing entries like below in my logs for a while.
> :
> : Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> : Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> :
> :and
> :
> : Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
> :
> :I've implemented a default deny-all policy in /etc/hosts.deny with
> :
> : ALL : ALL
> :
> :My /etc/hosts.allow effectively reads
> :
> : nmbd smbd : 172.16.
> :
> :From the log messages I assume that the portmap connect attempts fail
> :(as per policy), but what do these connect attempts mean? Is someone
> :trying to crack my server or something? I did challenge our network
> :admin ...
--
Olaf Meeuwissen, Epson Kowa Corporation, Research and Development
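As an added example (not part of the original thread), a small Python script that parses portmap "request from unauthorized host" lines in the format quoted above and summarises, per source address, which RPC requests tcp_wrappers refused, so that a burst of varied probes from one host stands out from an occasional stray callit() broadcast. The sample log lines are constructed; the masked addresses 172.16.x.y and 172.16.a.b are kept as in the post, and the extra getport() program numbers are made up for the sample.

```python
import re
from collections import Counter, defaultdict

# Shape of the libwrap refusal logged by portmap, as quoted in the thread.
PORTMAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<prog>\d+)\): "
    r"request from unauthorized host$"
)

def parse_line(line):
    """Return a dict for a portmap refusal line, or None for any other syslog line."""
    m = PORTMAP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["prog"] = int(rec["prog"])
    return rec

def summarize(lines):
    """Map source address -> Counter of (procedure, RPC program number) refused."""
    per_src = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]][(rec["proc"], rec["prog"])] += 1
    return per_src

def suspicious(per_src, threshold=3):
    """Sources that reached the refusal threshold or asked about more than one program.
    One or two callit() broadcasts are typical network noise; repeated or varied
    getport() probes are the pattern to look at more closely."""
    return sorted(src for src, c in per_src.items()
                  if sum(c.values()) >= threshold or len(c) > 1)

# Constructed sample: the two kinds of line from the post plus extra getport probes
# (program numbers 100024 and 100021 are made-up sample values) and an unrelated line.
SAMPLE = """\
Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
Aug 24 12:43:35 bilbo portmap[27659]: connect from 172.16.a.b to getport(100024): request from unauthorized host
Aug 24 12:43:36 bilbo portmap[27659]: connect from 172.16.a.b to getport(100021): request from unauthorized host
Aug 24 12:50:00 bilbo sshd[300]: Accepted publickey for olaf from 172.16.0.5
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for src, counts in summary.items():
        print(src, dict(counts))
    print("worth a closer look:", suspicious(summary))
```

Feed it a real syslog with `summarize(open("/var/log/daemon.log"))` and lower or raise `threshold` to taste; anything listed should match against the hosts.allow rules to confirm the refusal was intended.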