From: Thomas Cannon
To: Dan Larsson
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 9 Feb 2001 00:16:33 -0800 (PST)
Subject: Re: Lots of attempts to connect to sunrpc port

> Is this something to take seriously or am I looking at the effects of
> script kiddies?
>
> Log snippet:
>
> Deny TCP 211.184.221.34:1870 xxx.xxx.xxx.xxx:111 in via fxp0
> Deny TCP 211.184.221.34:1870 xxx.xxx.xxx.xxx:111 in via fxp0
> Deny TCP 200.47.77.226:1855 xxx.xxx.xxx.xxx:111 in via fxp0

Well, not having timestamps makes it tough to say, but if all those came
at the same time I'd guess someone is using the -D flag on nmap and hiding
in a crowd of IPs to mask their own.

If that's your logs from the course of a day, it's just random script kid
traffic. I see a similar amount each day.

Cheers,

Thomas
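
The distinction drawn in the reply above (several sources hitting port 111 at the same moment versus unrelated probes spread over a day) can only be checked with timestamps. The following Python script is an added example, not part of the original message: it groups ipfw Deny lines by time and reports bursts of distinct sources. The syslog prefix, rule number, hostname, documentation-range addresses, 5-second window and 3-source threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed syslog-style ipfw line; the timestamp prefix is what the quoted snippet lacked.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?Deny TCP "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) in via \S+")

# Constructed sample: three sources within two seconds, then two isolated probes.
SAMPLE = [
    "Feb  9 00:16:01 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.7:1870 203.0.113.5:111 in via fxp0",
    "Feb  9 00:16:01 gw /kernel: ipfw: 1000 Deny TCP 198.51.100.23:1870 203.0.113.5:111 in via fxp0",
    "Feb  9 00:16:02 gw /kernel: ipfw: 1000 Deny TCP 198.51.100.99:1855 203.0.113.5:111 in via fxp0",
    "Feb  9 07:42:10 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.200:4021 203.0.113.5:111 in via fxp0",
    "Feb  9 19:03:55 gw /kernel: ipfw: 1000 Deny TCP 198.51.100.4:2210 203.0.113.5:111 in via fxp0",
]

def parse(lines, year=2001):
    """Yield (datetime, src_ip, dst_port) for each Deny TCP line that matches."""
    for line in lines:
        m = LINE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["dport"])

def bursts(events, port, window=timedelta(seconds=5), min_sources=3):
    """Return (start_time, sources) for each group of >= min_sources distinct
    source addresses that hit `port` within `window` of the group's first hit."""
    hits = sorted((ts, src) for ts, src, dport in events if dport == port)
    found, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        sources = {src for _, src in hits[i:j + 1]}
        if len(sources) >= min_sources:
            found.append((hits[i][0], sorted(sources)))
            i = j + 1  # continue after this burst
        else:
            i += 1     # isolated hit: background traffic, move on
    return found

if __name__ == "__main__":
    for start, sources in bursts(parse(SAMPLE), 111):
        print(f"{start}: {len(sources)} sources within window: {', '.join(sources)}")
```

A burst only shows that several addresses probed the port together; it does not identify which of them, if any, is the real origin.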