Easy to answer this one.  The intruders are probing your network block for
the rpcbind/portmapper vulnerabilities under Solaris and Linux.  You are
not vulnerable to this problem most likely. 

However, I would be worried about any Unix/Linux boxen that you may have
on your network since they are probing you.  I would also recommend that
you discuss with your networking/firewall staff the possibility of
filtering this port at your edge routers.  In my experience, you
really do not need access to this service outside of your LAN.  It is
mostly useful for NFS/NIS type mounts, and perfmeter.  I am sure there are
other needs for this service, but if you need to keep it open to the world
on your router, then please install the tcpwrapper-enabled rpcbind from
Wietse at ftp://ftp.porcupine.org/pub/security/ .  This will protect you (a
bit more) against what people are trying to do to your system.

Hope that answers your questions a bit.

Scott Fendley
University of Arkansas

On 23 Dec 2000, Peter M wrote:

> Hey All,
> 
>        I've been puzzled lately. I've been getting this TCP request many times
> lately and it's becoming a worry instead of an annoyance :) I always get a TCP request
> for port 111... I know this is a portmap but should I worry?
> 
> I'm running win 98 ;) Here is the log ;)
> 
> 2000/12/23 3:06:40 AM GMT -0500: Linksys LNEPCI II..[0000][No matching rule] 
>Blocking incoming TCP: src=24.8.22.37, dst=my.ip.ish.ere, sport=1563, dport=111.
> 
> The person who's requesting port 111 is always different? I don't know what this could
> be...
> 
> Suggestions?
> Should I worry??? What EXACTLY are they looking for?
> Usually it's like 4 requests or 5.
> 
> Thanks!
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
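
One way to summarize port 111 probes per source from a firewall log like the one quoted above (an added example, not part of the original thread). It assumes one entry per line in the quoted format; the sample lines, the addresses (documentation ranges) and the UDP variant of the line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log in the format of the entry quoted in the thread.
SAMPLE_LOG = """\
2000/12/23 3:06:40 AM GMT -0500: Linksys LNEPCI II..[0000][No matching rule] Blocking incoming TCP: src=192.0.2.10, dst=203.0.113.5, sport=1563, dport=111.
2000/12/23 3:06:43 AM GMT -0500: Linksys LNEPCI II..[0000][No matching rule] Blocking incoming TCP: src=192.0.2.10, dst=203.0.113.5, sport=1564, dport=111.
2000/12/23 4:11:02 AM GMT -0500: Linksys LNEPCI II..[0000][No matching rule] Blocking incoming TCP: src=198.51.100.7, dst=203.0.113.5, sport=2210, dport=111.
2000/12/23 4:15:30 AM GMT -0500: Linksys LNEPCI II..[0000][No matching rule] Blocking incoming UDP: src=198.51.100.7, dst=203.0.113.5, sport=2211, dport=111.
2000/12/23 5:00:00 AM GMT -0500: Linksys LNEPCI II..[0000][No matching rule] Blocking incoming TCP: src=198.51.100.99, dst=203.0.113.5, sport=4000, dport=139.
this line is not a firewall entry
"""

# Timestamp, protocol and the src/dst/sport/dport fields of a "Blocking incoming" line.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) .*?"
    r"Blocking incoming (?P<proto>TCP|UDP): "
    r"src=(?P<src>[^,\s]+), dst=(?P<dst>[^,\s]+), "
    r"sport=(?P<sport>\d+), dport=(?P<dport>\d+)\.?\s*$"
)
PORTMAP_PORT = 111  # rpcbind/portmapper listens here on both TCP and UDP


def parse_entries(text):
    """Yield one dict per blocked-packet line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
            yield entry


def portmap_probes(text, port=PORTMAP_PORT):
    """Group probes against `port` by source: count, protocols, first and last seen."""
    by_src = defaultdict(lambda: {"count": 0, "protos": set(), "first": None, "last": None})
    for e in parse_entries(text):
        if e["dport"] != port:
            continue
        s = by_src[e["src"]]
        s["count"] += 1
        s["protos"].add(e["proto"])
        s["first"] = s["first"] or e["ts"]  # log is assumed to be in time order
        s["last"] = e["ts"]
    return dict(by_src)


if __name__ == "__main__":
    for src, s in sorted(portmap_probes(SAMPLE_LOG).items()):
        print(f"{src}: {s['count']} probe(s) via {sorted(s['protos'])}, {s['first']} to {s['last']}")
```

Many distinct sources each sending a handful of packets to port 111, as described in the thread, shows up here as many keys with small counts.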
