Van Melancon Lurker 3 posts since
Jan 6, 2012

Jan 6, 2012 3:06 PM

Hidden RPC services error

I was wondering if anyone can offer some insight into this error.

 

The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon.

When the portmapper/rpcbind is removed or firewalled, standard RPC client programs fail to obtain the portmapper list. However, by sending carefully crafted packets, it's possible to determine which RPC programs are listening on which port. This technique is known as direct RPC scanning. It's used to bypass portmapper/rpcbind in order to find RPC programs running on a port (TCP or UDP ports). On Linux servers, RPC services are typically listening on privileged ports (below 1024), whereas on Solaris, RPC services are on temporary ports (starting with port 32700).

Unauthorized users can build a list of RPC services running on the host. If they discover vulnerable RPC services on the host, they then can exploit them.

Firewalling the portmapper port or removing the portmapper service is not sufficient to prevent unauthorized users from accessing the RPC daemons. You should remove all RPC services that are not strictly required on this host.
  • Michael Cardamone Level 2 33 posts since
    Aug 25, 2010
    Jan 12, 2012 12:21 PM (in response to Van Melancon)
    Hidden RPC services error

    Hi Van,

     

    I'm not sure what you meant by "error" but the information you posted is the Threat, Impact, and Solution for our QID 11 (Hidden RPC Services).

     

    This is a remote detection that posts as a confirmed level 2.
    If this shows up in your scan data it simply means that we were able to find RPC Services running on the host during the scan. If we find RPC Services running we will post the port, protocol, and version in the results section of the report for that QID. This way you can look closer at the host and decide if this is a business need or a security risk.

     

    Example:

     

    Results

    Name             Program  Version  Protocol  Port
    portmap/rpcbind  100000   2        tcp       111
    nfs              100003   2-4      tcp       2049
    portmap/rpcbind  100000   2        udp       111
    nfs              100003   2-4      udp       2049

    Please let me know if this helps.
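
One way to act on the remediation advice in this thread (remove RPC services that are not strictly required), as an added example that is not part of the original posts or the scanner's own code: it parses `rpcinfo -p` output from the host, collapses versions into ranges like the results in the reply above, and lists every registered program outside an allowlist. The sample output and the `REQUIRED_PROGRAMS` allowlist are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout printed by `rpcinfo -p`; not from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100024    1   udp  32765  status
"""

# Hypothetical policy: RPC program numbers this host is allowed to run.
REQUIRED_PROGRAMS = {100000}

def parse_rpcinfo(text):
    """Group rows by (program, proto, port) and collect the versions seen."""
    services = defaultdict(lambda: {"name": "?", "versions": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():  # header or junk row
            continue
        program, version, proto, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        entry = services[(program, proto, port)]
        entry["versions"].add(version)
        if len(fields) > 4:
            entry["name"] = fields[4]
    return services

def version_range(versions):
    """Render lowest and highest version as '2-4', or '2' when only one is seen."""
    lo, hi = min(versions), max(versions)
    return str(lo) if lo == hi else f"{lo}-{hi}"

def audit(text, required=REQUIRED_PROGRAMS):
    """Return (name, program, versions, proto, port) for programs outside the allowlist."""
    findings = []
    for (program, proto, port), entry in sorted(parse_rpcinfo(text).items()):
        if program not in required:
            findings.append((entry["name"], program, version_range(entry["versions"]), proto, port))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_RPCINFO):
        print("not in allowlist:", *row)
```

Because the scan finds these services even when port 111 is filtered, an empty result from this audit is the state to aim for, not just a blocked portmapper.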
