[SAC] Fwd: [support.osuosl.org #29763] projects.osgeo.osuosl.org portmapper vulnerability
Regina Obe
lr at pcorp.us
Fri Sep 29 21:41:36 PDT 2017
You think our mail list issues and this DDOS vulnerability might be related?
I'd be willing to ask for more detail, but since OSUOSL folks don't know me, I feel I wouldn't be the right person to inquire more.
At any rate, it's probably a good idea to test all our servers, starting with our Mail List Server,
using what they suggested:
$ rpcinfo -T udp -p <ipaddress>
$ showmount -e <ipaddress>
And other tidbits from
https://www.us-cert.gov/ncas/alerts/TA14-017A
Thanks,
Regina
-----Original Message-----
From: Sac [mailto:sac-bounces at lists.osgeo.org] On Behalf Of Alex M
Sent: Friday, September 29, 2017 7:35 PM
To: sac >> System Administration Committee Discussion/OSGeo <sac at lists.osgeo.org>
Subject: [SAC] Fwd: [support.osuosl.org #29763] projects.osgeo.osuosl.org portmapper vulnerability
Anyone have any idea what this is about? Perhaps someone could respond to OSUOSL asking about which host/IP is in question?
The second link doesn't actually get to an article.
Thanks,
Alex
-------- Forwarded Message --------
Subject: [support.osuosl.org #29763] projects.osgeo.osuosl.org portmapper vulnerability
Date: Fri, 29 Sep 2017 11:40:13 -0700
From: Cody Holliday via RT <support at osuosl.org>
Reply-To: support at osuosl.org
CC: sysadmin at osgeo.org, tech at wildintellect.com, rootmail-students at osuosl.org
Here is a little more information on the vulnerability and how to test if you are still vulnerable:
Exposed RPC portmapper services are used for amplification attacks. You can test exposure with the following shell commands:
$ rpcinfo -T udp -p <ipaddress>
$ showmount -e <ipaddress>
* https://www.us-cert.gov/ncas/alerts/TA14-017A
* http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
--Cody Holliday
On Thu Sep 28 12:58:08 2017, codysseus wrote:
> Hello Alex!
>
> We have a report from NERO that says one of your hosts is running a
> vulnerable portmapper service. Here is the report from NERO:
>
> 2017-07-24 03:54:21
>
> exports:
> protocol: udp
> naics: 0
> port: 111
> programs: 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100024 1 52846/udp; 100024 1 55377/udp;
> mountd_port:17-07-24 03:54:21
>
> --Cody Holliday
_______________________________________________
Sac mailing list
Sac at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/sac
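
Added example, not part of the original messages: a small POSIX shell audit that wraps the `rpcinfo -T udp -p` check suggested in the thread and flags hosts whose portmapper (RPC program 100000) answers over UDP. The function names and the sample listing are constructed for illustration; the sample only mirrors the program numbers seen in the NERO report.

```shell
#!/bin/sh
# Audit hosts you administer for a UDP-reachable portmapper.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# 100000 = portmapper, 100024 = status, as in the report quoted in the thread.
SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  52846  status
    100024    1   tcp  55377  status'

# Read `rpcinfo -p` output on stdin and print one "program/port" pair per
# distinct UDP registration (versions collapsed, header row skipped).
udp_registrations() {
    awk '$1 ~ /^[0-9]+$/ && $3 == "udp" {
             key = $1 "/" $4
             if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# Classify one listing: EXPOSED if the portmapper itself (program 100000)
# is registered on UDP, which is the condition the report flags.
classify() {
    if udp_registrations | grep -q '^100000/'; then
        echo EXPOSED
    else
        echo OK
    fi
}

# With host arguments, query each one using the command from the thread.
# A host that does not answer yields empty output and is reported as OK,
# which only describes what is reachable from the machine running this.
for host in "$@"; do
    printf '%s: ' "$host"
    rpcinfo -T udp -p "$host" 2>/dev/null | classify
done

# With no arguments, classify the constructed sample so the script runs offline.
if [ "$#" -eq 0 ]; then
    printf 'sample: '
    printf '%s\n' "$SAMPLE" | classify
fi
```

Run it from a machine outside the network perimeter, since a query from inside the firewall says nothing about what the Internet can reach.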