RPC 111 portscanning for sadmind
Phillip G Deneault
deneault at WPI.EDU
Wed Sep 24 23:28:13 GMT 2003
In the past few days we have had several machines compromised and seen
heavy scanning with a destination of port 111/tcp. The traffic analysis
seems to point to sadmind as the point of entry for these scanners.
The Internet Storm Center seems to be seeing the same thing we are here.
The sadmind exploits are explained below
Tomorrow (hopefully) I can get my hands on a compromised host and take a
look for tools and other interesting goodies.
Phil Deneault
deneault at wpi.edu
WPI NetOps
InfoSec

"We work in the dark, We do what we can,
We give what we have. Our doubt is our passion,
and our passion is our task. The rest is the
madness of art." - Henry James