Open Portmapper Report

LAST UPDATED: 2022-08-29

This report identifies hosts that have the Portmapper service running and accessible on the public Internet.

This service has the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. For general information on this service, see Wikipedia. See US-CERT Alert TA14-017A) and Level3’s Blog for more.

In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.

The analogous shell command to mimic our portmapper scan is:

rpcinfo -T udp -p [IP]

And the analogous shell command that mimics our probe of the mountd program is:

showmount -e [IP]

For simplicity, the programs in the output of the portmapper scan are kept numeric, but below is a mapping of common program numbers to names:

Program Number

Program Name
100000

portmapper
100003

nfs
100005

mountd
100021

nlockmgr
100024

status

For more details behind the scan methodology and a daily update of global Portmapper scan statistics please visit our dedicated Portmapper scan page.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_portmapper

Fields

timestamp

Time that the IP was probed in UTC+0
ip

The IP address of the device in question
protocol

Protocol that the portmapper response came on (always UDP)
port

Port that the portmapper response came from (usually 111/UDP)
hostname

Reverse DNS name of the device in question
tag

Will always be portmapper
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
sic

Standard Industrial Classification System Code
programs

Semicolon delimited list of programs that portmapper claims to have accessible — the format of each entry is "[program number] [program version] [port/protocol];"
mountd_port

Mountd port that was probed for NFS exports (if mountd is found to be running on the host)
exports

Semicolon delimited list of NFS exports that the host claims to have available — the format of each entry is "[exported directory] [list of group restrictions (if any) for that export];"
response_size

Response size in bytes

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","programs","mountd_port","exports","sector","response_size","amplification"
"2010-02-10 00:00:00",192.168.0.1,udp,111,node01.example.com,portmapper,64512,ZZ,Region,City,0,0,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100024 1 58193/udp; 100024 1 52091/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 4 2049/udp; 100227 2 2049/udp; 100227 3 2049/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 4 2049/udp; 100227 2 2049/udp; 100227 3 2049/udp; 100021 1 36124/udp; 100021 3 36124/udp; 100021 4 36124/udp; 100021 1 33695/udp; 100021 3 33695/udp; 100021 4 33695/udp; 100005 1 52451/udp; 100005 1 51689/udp; 100005 2 44596/udp; 100005 2 42231/udp; 100005 3 42064/udp; 100005 3 48369/udp;",52451,"/mnt/export 192.168.0.0","Communications, Service Provider, and Hosting Service",628,15.70
"2010-02-10 00:00:01",192.168.0.2,udp,111,node02.example.com,portmapper,64512,ZZ,Region,City,0,0,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;",,"/mnt/export 192.168.0.0",,148,3.70
"2010-02-10 00:00:02",192.168.0.3,udp,111,node03.example.com,portmapper,64512,ZZ,Region,City,0,0,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;",,"/mnt/export 192.168.0.0","Communications, Service Provider, and Hosting Service",148,3.70

Our 130 Report Types

« Back to Network Reporting