[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Broadcast storm in my network/ any ideas
- To: wilder_jeff Wilder <wilder_jeff@xxxxxxx>
- Subject: Re: [Full-disclosure] Broadcast storm in my network/ any ideas
- From: TheGesus <thegesus@xxxxxxxxx>
- Date: Thu, 22 Dec 2005 12:32:28 -0500
Smells like "Windows Services for Unix" (a.k.a. "SFUX") to me.
A very oddball product that never made any real market penetration.
Check to see if it's installed in Add/Remove Programs. Then hose it.
On 12/22/05, wilder_jeff Wilder <wilder_jeff@xxxxxxx> wrote:
>
> All,
>
> I have a Windows 2000 terminal server that is consistantly sending out
> broadcasts to 255.255.255.255:111... below is a capture from a snort box I
> have running. In the last 18 hours I have had about 2000 packets from this
> box to this address about every 30 seconds. Snort reports the signature as
> a RPC portmap proxy attempt UDP. I have not been able to find much
> information on this event. I have run a current AV scan against the box, it
> did come up clean. Can anyone give me a bit of direction as to these
> events?
>
> -Jeff
>
> RPC portmap proxy attempt UDP 10.74.32.31:3300/udp
> 255.255.255.255:111/udp 07:50:35
> RPC portmap proxy attempt UDP 10.74.32.31:3291/udp
> 255.255.255.255:111/udp 07:50:05
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/