The Shadowserver Foundation

Open Portmapper Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at portmapper.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have the portmapper service accessible and answering queries. The goal of this project is to identify devices with an openly accessible portmapper service and report them back to the network owners for remediation.

These devices have the potential to be used in UDP amplification attacks, in addition to disclosing large amounts of information about the system, and we would like to see these services made unavailable to miscreants who would misuse these resources.

Servers that are configured this way have been incorporated into our reports and are being reported on a daily basis.

Information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A.

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 111/udp with an "rpcinfo" packet and parsing the response. If we find that the mountd service is accessible, we follow up with a packet that is the equivalent of "showmount". We intend no harm, but if we are causing problems, please contact us at dnsscan [at] shadowserver [dot] org.

If you would like to test your own device to see if portmapper is accessible, run the command "rpcinfo -T udp -p [IP]". If the portmapper service is accessible, you should see a response detailing some of the services that are running. Please note that even though this command specifies that you wish to probe portmapper over UDP, some implementations attempt TCP first and, if that probe fails, do not go on to probe over UDP.
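Because some rpcinfo builds try TCP first, the same check can be made with a query that only ever uses UDP. The following is an added example, not Shadowserver's scanner code: it builds the portmapper DUMP call, parses the reply, and reports the reply-to-request size ratio. The function names, the fixed transaction ID and the sample reply (including mountd on port 20048) are constructed for illustration.

```python
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}  # standard RPC program numbers
PROTO = {6: "tcp", 17: "udp"}

def build_dump_call(xid):
    """RPC v2 CALL to portmapper v2, procedure DUMP, AUTH_NONE credential and verifier."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def parse_dump_reply(data, xid):
    """Return [(service, version, proto, port)]; raise ValueError on a bad or cut-off reply."""
    try:
        rxid, mtype, rstat, _flavor, vlen = struct.unpack_from(">5I", data, 0)
        if (rxid, mtype, rstat) != (xid, 1, 0):          # 1 = REPLY, 0 = MSG_ACCEPTED
            raise ValueError("not an accepted reply to this call")
        off = 20 + vlen + (-vlen % 4)                    # verifier body is padded to 4 bytes
        if struct.unpack_from(">I", data, off)[0] != 0:  # accept_stat, 0 = SUCCESS
            raise ValueError("portmapper did not execute the call")
        off, entries = off + 4, []
        while struct.unpack_from(">I", data, off)[0]:    # "another entry follows" flag
            prog, vers, prot, port = struct.unpack_from(">4I", data, off + 4)
            entries.append((NAMES.get(prog, str(prog)), vers, PROTO.get(prot, str(prot)), port))
            off += 20
        return entries
    except struct.error:
        raise ValueError("truncated reply") from None

def sample_reply(xid):
    """Constructed reply for offline use: portmapper, mountd and nfs registered."""
    rows = [(100000, 2, 17, 111), (100005, 3, 17, 20048), (100003, 3, 6, 2049)]
    body = b"".join(struct.pack(">5I", 1, *r) for r in rows) + struct.pack(">I", 0)
    return struct.pack(">6I", xid, 1, 0, 0, 0, 0) + body

def probe_udp(host, timeout=3.0, xid=0x5EC0DE01):
    """UDP-only DUMP query for a host you administer; returns (entries, reply/request size)."""
    call = build_dump_call(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(call, (host, 111))
        data, _ = s.recvfrom(65535)                      # a timeout here means no UDP answer
    return parse_dump_reply(data, xid), len(data) / len(call)

if __name__ == "__main__":
    entries, ratio = probe_udp(sys.argv[1])              # address of your own host
    print(entries, f"reply is {ratio:.1f}x the request")
```

A timeout from probe_udp means nothing answered on 111/udp; a mountd row in the result corresponds to the condition that triggers the follow-up "showmount" query described under Methodology.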

Whitelisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDRs that you would like to have removed. You will have to be the verifiable owner of these CIDRs and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://portmapperscan.shadowserver.org/exclude.html

Scan Status

Statistics on current run


All Portmapper Responses

[Image: All Portmapper]

Hosts with mountd Exposed

[Image: mountd exposed]

NFS Exports

[Image: NFS Exports exposed]

If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have any more questions, please feel free to send us an email at: dnsscan [at] shadowserver [dot] org

The Shadowserver Foundation