RPC 111 portscanning for sadmind

Phillip G Deneault deneault at WPI.EDU
Wed Sep 24 23:28:13 GMT 2003


In the past few days we have had several machines compromised and seen 
heavy scanning with a destination of port 111/tcp.  The traffic analysis 
seems to point to sadmind as the point of entry for these scanners.
The Internet Storm Center seems to be seeing the same thing we are here.

http://isc.sans.org/port_details.html?port=111

The sadmind exploits are explained below:

http://www.securityfocus.com/archive/1/337675/2003-09-14/2003-09-20/0
and
http://www.securityfocus.com/archive/1/338112/2003-09-14/2003-09-20/0

Tomorrow (hopefully) I can get my hands on a compromised host and take a 
look for tools and other interesting goodies.

Phil

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

More information about the unisog mailing list