[SAC] [support.osuosl.org #29763] projects.osgeo.osuosl.org portmapper vulnerability

Anyone have any idea what this is about? Perhaps someone could respond to OSUOSL asking about which host/IP is in question?

The second link doesn't actually get to an article.

Thanks,
Alex

-------- Forwarded Message --------
Subject: [support.osuosl.org #29763] projects.osgeo.osuosl.org portmapper vulnerability
Date: Fri, 29 Sep 2017 11:40:13 -0700
From: Cody Holliday via RT <support@osuosl.org>
Reply-To: support@osuosl.org
CC: sysadmin@osgeo.org, tech@wildintellect.com, rootmail-students@osuosl.org

Here is a little more information on the vulnerability and how to test if you are still vulnerable:

Exposed RPC portmapper services are used for amplification attacks. You can test exposure with the following shell commands:

$ rpcinfo -T udp -p <ipaddress>
$ showmount -e <ipaddress>

  * https://www.us-cert.gov/ncas/alerts/TA14-017A

  * http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

--Cody Holliday
On Thu Sep 28 12:58:08 2017, codysseus wrote:

Hello Alex!

We have a report from NERO that says one of your hosts is running a vulnerable portmapper service. Here is the report from NERO:

2017-07-24 03:54:21

exports:
protocol: udp
naics: 0
port: 111
programs: 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100024 1 52846/udp; 100024 1 55377/udp;
mountd_port:17-07-24 03:54:21

--Cody Holliday
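As an added illustration (not part of the thread or of NERO's tooling): a small Python parser for the `programs` field of the open-portmapper report quoted above. It maps the ONC RPC program numbers to their standard `/etc/rpc` names and flags the condition TA14-017A describes, a portmapper reachable over UDP. The sample field is the one from the report; the function and constant names are mine.

```python
"""Decode the 'programs' field of an open-portmapper report and say what it exposes."""
import re
from collections import namedtuple

Registration = namedtuple("Registration", "program version port proto")

# Well-known ONC RPC program numbers, as listed in /etc/rpc on a typical system.
RPC_NAMES = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}

# One registration looks like "100000 4 111/udp"; entries are ';'-separated.
_ENTRY = re.compile(r"(\d+)\s+(\d+)\s+(\d+)/(udp|tcp)")


def parse_programs(field):
    """Turn the raw programs field into Registration tuples (program, version, port, proto)."""
    return [Registration(int(p), int(v), int(port), proto)
            for p, v, port, proto in _ENTRY.findall(field)]


def summarize(regs):
    """Group what the scanner saw by service name, collapsing repeated version entries."""
    seen = {}
    for r in regs:
        name = RPC_NAMES.get(r.program, "prog-%d" % r.program)
        seen.setdefault(name, set()).add((r.port, r.proto))
    return {name: sorted(endpoints) for name, endpoints in seen.items()}


def is_udp_portmapper_exposed(regs):
    """True when program 100000 (portmapper) answers over UDP: the reflection vector in TA14-017A."""
    return any(r.program == 100000 and r.proto == "udp" for r in regs)


# Sample input: the programs field exactly as it appears in the NERO report above.
SAMPLE = ("100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; "
          "100000 3 111/udp; 100000 2 111/udp; 100024 1 52846/udp; 100024 1 55377/udp;")

if __name__ == "__main__":
    regs = parse_programs(SAMPLE)
    for name, endpoints in summarize(regs).items():
        print(name, endpoints)
    print("UDP portmapper exposed:", is_udp_portmapper_exposed(regs))
```

The same field on a host that answers only over TCP would not trigger the flag, which is the distinction the `rpcinfo -T udp` check in the ticket is making.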

You think our mail list issues and this DDOS vulnerability might be related.

I'd be willing to ask for more detail but since OSUOSL folks don't know me, I feel I wouldn't be the right person to inquire more.

At any rate, it's probably a good idea to test all our servers, starting with our Mail List Server.

Using what they suggested

$ rpcinfo -T udp -p <ipaddress>
$ showmount -e <ipaddress>

And other tidbits from

https://www.us-cert.gov/ncas/alerts/TA14-017A

Thanks,
Regina

-----Original Message-----
From: Sac [mailto:sac-bounces@lists.osgeo.org] On Behalf Of Alex M
Sent: Friday, September 29, 2017 7:35 PM
To: sac >> System Administration Committee Discussion/OSGeo <sac@lists.osgeo.org>
Subject: [SAC] Fwd: [support.osuosl.org #29763] projects.osgeo.osuosl.org portmapper vulnerability

Any have any idea what this is about? Perhaps someone could respond to OSUOSL asking about which host/IP is in question?
_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/sac

It's fairly unlikely that this particular attack vector, bandwidth amplification, would be causing the slow mail issue. We would see quite a bit of data transfer from the mail host if someone was using this.

Harrison

On Sep 30, 2017, at 12:41 PM, Regina Obe <lr@pcorp.us> wrote:

You think our mail list issues and this DDOS vulnerability might be related.

Hi Alex,

On Fri, 29. Sep 2017 at 16:34:32 -0700, Alex M wrote:

Anyone have any idea what this is about? Perhaps someone could respond to OSUOSL asking about which host/IP is in question?

portmap was running on osgeo6, but I didn't find any traces of nfs activity -
so I simply removed nfs-common (which contains portmap on jessie).

It's also running on projects although there's no apparent trace of use there
either - removed portmap (also the package name on squeeze).

download, tracsvn, webextra & qgis didn't have it.

Jürgen

--
Jürgen E. Fischer norBIT GmbH Tel. +49-4931-918175-31
Dipl.-Inf. (FH) Rheinstraße 13 Fax. +49-4931-918175-50
Software Engineer D-26506 Norden http://www.norbit.de

Jürgen E. Fischer wrote:

portmap was running on osgeo6, but I didn't find any traces of nfs activity -
so I simply removed nfs-common (which contains portmap on jessie).

On jessie it's been renamed to "rpcbind" - now removed as well.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------