[lug] Hacking through dump?

Kevin kevin at scrye.com
Mon Jul 17 09:51:15 MDT 2000


>>>>> "Chip" == Chip Atkinson <chip at rmpg.org> writes:

Chip> Greetings, I have been looking through my logs and saw a couple
Chip> attempts to connect to dump() in them:

Chip> Jul 15 14:12:01 localhost portmap[24541]: connect from 209.113.108.66 to dump(): request from unauthorized host
Chip> Jul 15 14:42:37 localhost portmap[25179]: connect from 202.47.250.70 to dump(): request from unauthorized host

Chip> Oddly enough, dump doesn't occur in syslog.conf or inetd.conf.
Chip> Does anyone know if this is a hacking attempt?  It appears that
Chip> the 209 address has a static IP, while the 202 address has a
Chip> dynamic IP, or at least nslookup indicates that.

Well, it's not dump (as in the backup program), it's portmap's dump()
function they are trying to get to.

Portmap is a server that handles all the RPC (remote procedure call)
servers. Things like NFS or NIS. It registers them a port and tells
remote servers how to get a hold of them.

My guess is that someone is trying to see if they can take advantage
of your NFS or NIS servers by grabbing info from portmap.

If you are not running NFS/NIS, I would just turn off portmap
entirely. If you are, make sure you are firewalling access to it
off. ;) 

Chip> Thanks in advance, Chip

kevin
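
Added example, not part of the original message or of portmap itself: a small Python parser that pulls the refused portmap requests out of syslog text and groups them by source address, so repeat probes stand out. The first two sample lines are the ones quoted above; the other two, including the `getport(mountd)` form, are constructed and their exact format is an assumption.

```python
import re
from collections import defaultdict

# Matches the refusal lines portmap writes to syslog, as quoted in the message.
# Text inside the parentheses is tolerated (assumption: some procedures log one).
REFUSED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"portmap\[(?P<pid>\d+)\]: connect from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proc>\w+)\((?P<arg>[^)]*)\): request from unauthorized host$"
)

# Lines 1-2 come from the message; lines 3-4 are constructed for this example.
SAMPLE_LOG = """\
Jul 15 14:12:01 localhost portmap[24541]: connect from 209.113.108.66 to dump(): request from unauthorized host
Jul 15 14:42:37 localhost portmap[25179]: connect from 202.47.250.70 to dump(): request from unauthorized host
Jul 15 14:42:39 localhost portmap[25180]: connect from 202.47.250.70 to getport(mountd): request from unauthorized host
Jul 15 14:50:00 localhost sshd[311]: Connection closed by 192.0.2.7
"""

def parse_refusals(text):
    """Return one dict per refused portmap request; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REFUSED.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Group refusals by source: count, procedures requested, first/last time."""
    by_src = defaultdict(
        lambda: {"count": 0, "procs": set(), "first": None, "last": None})
    for ev in events:
        entry = by_src[ev["src"]]
        entry["count"] += 1
        entry["procs"].add(ev["proc"])
        entry["first"] = entry["first"] or ev["ts"]
        entry["last"] = ev["ts"]
    return dict(by_src)

if __name__ == "__main__":
    for src, e in sorted(summarize(parse_refusals(SAMPLE_LOG)).items()):
        print(f"{src}: {e['count']} refused, procs={sorted(e['procs'])}, "
              f"{e['first']} .. {e['last']}")
```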





