From: "John Howie"
To: "Alex Charalabidis"
Subject: Re: [GorrellCD@phdnswc.navy.mil: ]
Date: Wed, 2 May 2001 12:49:54 -0700

Folks,

111/tcp and 111/udp are the Sun ONC RPC ports. Perhaps someone is running an
rpc service like rusers, NIS, NFS, etc, or querying RPC services using
rpcinfo.

john...

----- Original Message -----
From: "Alex Charalabidis"
Sent: Wednesday, May 02, 2001 12:34 PM
Subject: Re: [GorrellCD@phdnswc.navy.mil: ]

> On Tue, 1 May 2001, Everett F Batey wrote:
>
> > Dear FreeBSD Security Guru,
> >
> > I need some guidance. My employer with which I have had problems over
> > the past 5 years has suggested I (or my IP) am(/is) trying to attack
> > his IP space on UDP 111, and sent me the below attached log file.
> >
> > > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> > > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
>
> Oddly enough, I got a virtually identical complaint today regarding
> traffic to a Dutch network we've never had transactions with before,
> apparently originating from an unassigned IP address that was briefly used
> by a Linux test machine on our network.
>
> I haven't had time to investigate myself but a colleague mentioned the
> possibility of something meant to confuse/overload IDS systems as a
> smokescreen for real attacks.
>
> -ac
>
> --
> ===================================================================
> Alex Charalabidis                           Worldspice Technologies
> 5050 Poplar Ave. Memphis, TN, USA                   +1 901 432 6000
> Opinions expressed are mine alone but may be yours for a small fee.
> ===================================================================
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
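
An added example, not part of either message and not FreeBSD code: a small Python triage of log lines in the format quoted above, labelling each flow by which endpoint holds port 111 so a complaint like this one can be read as queries or as replies. The function names, the labels, and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

RPC_PORT = 111  # Sun ONC RPC port, per the reply above

# Format of the two log lines quoted in the thread:
#   "May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)

def classify(sport, dport):
    """Label a flow by which side holds port 111 (labels are hypothetical)."""
    if dport == RPC_PORT and sport != RPC_PORT:
        return "query-to-portmapper"
    if sport == RPC_PORT and dport != RPC_PORT:
        return "reply-from-portmapper"
    if sport == RPC_PORT and dport == RPC_PORT:
        return "both-ends-111"
    return "not-rpc"

def summarize(lines):
    """Group lines by (src, dst, proto, label); collect the peer ports seen."""
    groups, skipped = defaultdict(set), []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            skipped.append(raw)  # keep malformed entries visible, do not guess
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        peer_port = dport if sport == RPC_PORT else sport
        key = (m["src"], m["dst"], m["proto"], classify(sport, dport))
        groups[key].add(peer_port)
    return dict(groups), skipped

# First two lines are the ones quoted in the thread. The last two are
# constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = [
    "May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP",
    "May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP",
    "May 1 07:20:02 192.0.2.10:40001 -> 198.51.100.5:111 UDP",
    "May 1 07:20:03 truncated entry",
]

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE)
    for (src, dst, proto, label), ports in sorted(groups.items()):
        print(f"{proto} {src} -> {dst}: {label}, peer ports {sorted(ports)}")
    print(f"unparsed lines: {len(skipped)}")
```

A "reply-from-portmapper" label describes the packet shape only; UDP source addresses can be forged, so it does not by itself show which host initiated the exchange.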