Open Portmapper Report

This report identifies hosts that have the Portmapper service running and accessible on the public Internet.

This service has the potential to be used in amplification attacks by criminals who wish to perform denial of service attacks. For general information on this service, see Wikipedia. See US-CERT Alert TA14-017A and Level3’s Blog for more.

In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.

The analogous shell command to mimic our portmapper scan is:

rpcinfo -T udp -p [IP]

And the analogous shell command that mimics our probe of the mountd program is:

showmount -e [IP]

For simplicity, the programs in the output of the portmapper scan are kept numeric, but below is a mapping of common program numbers to names:

  • Program Number
    Program Name
  • 100000
    portmapper
  • 100003
    nfs
  • 100005
    mountd
  • 100021
    nlockmgr
  • 100024
    status

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the portmapper response came on (always UDP)
  • port
    Port that the portmapper response came from (usually 111/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be portmapper
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • programs
    Semicolon delimited list of programs that portmapper claims to have accessible — the format of each entry is "[program number] [program version] [port/protocol];"
  • mountd_port
    Mountd port that was probed for NFS exports (if mountd is found to be running on the host)
  • exports
    Semicolon delimited list of NFS exports that the host claims to have available — the format of each entry is "[exported directory] [list of group restrictions (if any) for that export];"

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","programs","mountd_port","exports"
"2015-09-08 14:47:34","74.122.153.2","udp",111,"svr3.marketrends.net","portmapper",14051,"US","CALIFORNIA","LOOMIS",0,0,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 391002 1 49974/udp; 391002 2 49974/udp;",,
"2015-09-08 14:47:34","67.162.120.175","udp",111,"c-67-162-120-175.hsd1.in.comcast.net","portmapper",7922,"US","INDIANA","MERRILLVILLE",518210,737415,"100000 2 111/udp; 100000 2 111/udp;",,
"2015-09-08 14:47:34","96.46.140.103","udp",111,"mail7.mail.telemundoareadelabahia.com","portmapper",18499,"US","TEXAS","AUSTIN",0,0,"100000 2 111/udp; 100000 2 111/udp; 100024 1 854/udp; 100024 1 857/udp;",,
"2015-09-08 14:47:34","167.88.107.54","udp",111,,"portmapper",30279,"PT","LISBOA","LISBON",0,0,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100024 1 53022/udp; 100024 1 53674/udp; 100021 1 44960/udp; 100021 3 44960/udp; 100021 4 44960/udp; 100021 1 36166/udp; 100021 3 36166/udp; 100021 4 36166/udp;",,
"2015-09-08 14:47:37","220.81.252.129","udp",111,,"portmapper",4766,"KR","SEOUL TEUGBYEOLSI","SEOUL",0,0,"100000 2 111/udp; 100000 2 111/udp; 100024 1 35100/udp; 100024 1 35305/udp; 100021 1 39468/udp; 100021 3 39468/udp; 100021 4 39468/udp; 100021 1 60156/udp; 100021 3 60156/udp; 100021 4 60156/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100005 1 56421/udp; 100005 1 60136/udp; 100005 2 56421/udp; 100005 2 60136/udp; 100005 3 56421/udp; 100005 3 60136/udp;",56421,"/mnt/active 169.254.253.1/30;"
"2015-09-08 14:47:40","176.119.26.98","udp",111,,"portmapper",58277,"UA","KYIV","KIEV",0,0,"100000 2 111/udp; 100000 3 111/udp; 100000 4 111/udp; 100000 2 111/udp; 100000 3 111/udp; 100000 4 111/udp; 100005 1 1048/udp; 100005 2 1048/udp; 100005 3 1048/udp; 100005 1 1048/udp; 100005 2 1048/udp; 100005 3 1048/udp; 100021 1 1047/udp; 100021 2 1047/udp; 100021 3 1047/udp; 100021 4 1047/udp; 100021 1 1047/udp; 100021 2 1047/udp; 100021 3 1047/udp; 100021 4 1047/udp; 100024 1 1039/udp; 100024 1 1039/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 2 2049/udp; 100003 3 2049/udp;",1048,"/ISO;"
"2015-09-08 14:47:40","112.189.51.158","udp",111,,"portmapper",4766,"KR","SEOUL TEUGBYEOLSI","SEOUL",0,0,"100000 2 111/udp; 100000 2 111/udp; 100024 1 43938/udp; 100024 1 40092/udp; 100021 1 35953/udp; 100021 3 35953/udp; 100021 4 35953/udp; 100021 1 52717/udp; 100021 3 52717/udp; 100021 4 52717/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100005 1 38580/udp; 100005 1 46058/udp; 100005 2 38580/udp; 100005 2 46058/udp; 100005 3 38580/udp; 100005 3 46058/udp;",,
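
For recipients triaging this report, the following added example (not code from the report's publisher) parses the `programs` and `exports` fields as described above and flags NFS exports listed without any group restriction. The function names and the sample rows are constructed for illustration, and it assumes exported directory paths contain no whitespace.

```python
import csv
import io

# Program-number-to-name mapping from the table on this page.
PROGRAM_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                 100021: "nlockmgr", 100024: "status"}

# Constructed sample rows in the report's format (documentation IPs and ASNs).
SAMPLE = '''"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","programs","mountd_port","exports"
"2015-09-08 14:47:40","192.0.2.10","udp",111,,"portmapper",64500,"ZZ","","",0,0,"100000 2 111/udp; 100000 2 111/udp; 100005 1 1048/udp; 100003 3 2049/udp;",1048,"/ISO;"
"2015-09-08 14:47:37","198.51.100.20","udp",111,,"portmapper",64501,"ZZ","","",0,0,"100000 2 111/udp; 100024 1 854/udp; 100005 3 56421/udp; 391002 1 49974/udp;",56421,"/mnt/active 169.254.253.1/30;"
"2015-09-08 14:47:34","203.0.113.30","udp",111,,"portmapper",64502,"ZZ","","",0,0,"100000 2 111/udp; 100000 2 111/udp;",,
'''

def parse_programs(field):
    """Parse '[number] [version] [port/protocol];' entries; duplicates collapse."""
    programs = set()
    for entry in field.split(";"):
        parts = entry.split()
        if len(parts) != 3:
            continue  # skip the empty piece after the trailing ';' and malformed entries
        port, _, proto = parts[2].partition("/")
        programs.add((int(parts[0]), int(parts[1]), int(port), proto))
    return programs

def parse_exports(field):
    """Parse '[directory] [restrictions];' entries into (directory, [restrictions])."""
    exports = []
    for entry in field.split(";"):
        parts = entry.split()
        if parts:
            exports.append((parts[0], parts[1:]))
    return exports

def triage(report_text):
    """Return one finding per row: named services and exports with no restriction."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        numbers = {number for number, _, _, _ in parse_programs(row["programs"])}
        exports = parse_exports(row["exports"])
        findings.append({
            "ip": row["ip"],
            # Unknown program numbers stay numeric, as in the report itself.
            "services": sorted(PROGRAM_NAMES.get(n, str(n)) for n in numbers),
            "exports": exports,
            "unrestricted_exports": [d for d, acl in exports if not acl],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Hosts with a non-empty `unrestricted_exports` list are the ones to look at first, since the export was advertised to the scanner with no client restriction.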
