Internet Security Systems

RPC showmount exports

advICE : Intrusions : 2001731

False positives

This alert is prone to false positives within an NFS environment. UNIX workstation users will frequently query servers for a list of exports/shares as part of their normal activity, and this does not indicate hostile activity.

Summary

The target system has been queried for a list of NFS exports using the showmount -e <target> command. If you don't have widespread UNIX clients, then this may indicate a reconnaissance scan.

Details

The "showmount" command on UNIX queries the mount daemon on the NFS server for information about the state of the system. The existence of this utility on UNIX clients indicates its usefulness in everyday activity. Therefore, showmount doesn't necessarily indicate hostile intent.

However, when intruders scan your network, one of the first things they will do is dump the export lists on your servers looking for ways to connect to the file system.

Action

Most importantly, try to figure out whether there are legitimate UNIX workstation clients on your network. They have a legitimate need to use showmount. In that case, the signature should be disabled for your network, or limited to trigger only on incoming traffic from the Internet.

If this is coming in from the Internet or if you aren't running NFS servers, then this is likely a scan by a hacker. However, it is probably part of a broad spectrum scan and isn't dangerous by itself.
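
The tuning described above, as an added example that is not part of the original advisory: a Python sketch that recognizes an ONC RPC call to the mount daemon's EXPORT procedure (the request behind showmount -e) and alerts only when the source is outside your networks or you run no NFS. The function names, the internal network range and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

MOUNT_PROGRAM = 100005    # ONC RPC program number of the mount daemon
MOUNTPROC_EXPORT = 5      # procedure that returns the export list
RPC_CALL, RPC_VERSION = 0, 2

def is_export_query(payload: bytes, tcp: bool = False) -> bool:
    """True if payload is an RPC call to mountd's EXPORT procedure."""
    if tcp:
        payload = payload[4:]          # skip the TCP record-marking word
    if len(payload) < 24:
        return False                   # too short for an RPC call header
    _xid, msg_type, rpcvers, prog, _vers, proc = struct.unpack(">6I", payload[:24])
    return (msg_type == RPC_CALL and rpcvers == RPC_VERSION
            and prog == MOUNT_PROGRAM and proc == MOUNTPROC_EXPORT)

def classify(src_ip, payload, internal_nets, nfs_in_use, tcp=False):
    """Return 'ignore', 'suppress' or 'alert' following the Action guidance."""
    if not is_export_query(payload, tcp):
        return "ignore"
    src = ipaddress.ip_address(src_ip)
    internal = any(src in net for net in internal_nets)
    # Internal UNIX clients on an NFS network query exports routinely.
    if internal and nfs_in_use:
        return "suppress"
    # From the Internet, or no NFS servers in use: likely a scan.
    return "alert"

def build_call(proc: int, tcp: bool = False) -> bytes:
    """Constructed sample: mount v3 call with AUTH_NULL credential/verifier."""
    body = struct.pack(">6I", 0x1234, RPC_CALL, RPC_VERSION, MOUNT_PROGRAM, 3, proc)
    body += struct.pack(">4I", 0, 0, 0, 0)
    if tcp:
        body = struct.pack(">I", 0x80000000 | len(body)) + body
    return body

INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]   # assumed site range

if __name__ == "__main__":
    pkt = build_call(MOUNTPROC_EXPORT)
    for ip in ("192.168.1.10", "203.0.113.7"):
        print(ip, classify(ip, pkt, INTERNAL, nfs_in_use=True))
```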

More information

X-Force: 663 decod-mount-export
rpc.mountd

Version appeared: 2.5 
