MEDIUM: Open Portmapper Report

DESCRIPTION LAST UPDATED: 2023-12-18

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have the Portmapper service running and accessible on the public Internet.

This service has the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. For general information on this service, see Wikipedia. See US-CERT Alert TA14-017A) and Level3’s Blog for more.

In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.

The analogous shell command to mimic our portmapper scan is:

rpcinfo -T udp -p [IP]

And the analogous shell command that mimics our probe of the mountd program is:

showmount -e [IP]

For simplicity, the programs in the output of the portmapper scan are kept numeric, but below is a mapping of common program numbers to names:

Program Number

Program Name
100000

portmapper
100003

nfs
100005

mountd
100021

nlockmgr
100024

status

You can track latest portmapper exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename(s): scan_portmapper

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the portmapper response came on (always UDP)
port

Port that the portmapper response came from (usually 111/UDP)
hostname

Reverse DNS name of the device in question
tag

Will always be portmapper
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
programs

Semicolon delimited list of programs that portmapper claims to have accessible — the format of each entry is "[program number] [program version] [port/protocol];"
mountd_port

Mountd port that was probed for NFS exports (if mountd is found to be running on the host)
exports

Semicolon delimited list of NFS exports that the host claims to have available — the format of each entry is "[exported directory] [list of group restrictions (if any) for that export];"
sector

Sector the IP belongs to
response_size

Response size in bytes
amplification

Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","programs","mountd_port","exports","sector","response_size","amplification"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,111,node01.example.com,portmapper,64512,ZZ,Region,City,0,ptr,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;",,"/mnt/export 192.168.0.0","Communications, Service Provider, and Hosting Service",148,3.70
"2010-02-10 00:00:01",medium,192.168.0.2,udp,111,node02.example.com,portmapper,64512,ZZ,Region,City,0,,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100005 1 892/udp; 100005 1 892/udp; 100005 2 892/udp; 100005 2 892/udp; 100005 3 892/udp; 100005 3 892/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100003 2 2049/udp; 100003 3 2049/udp; 100021 1 40451/udp; 100021 3 40451/udp; 100021 4 40451/udp; 100021 1 45039/udp; 100021 3 45039/udp; 100021 4 45039/udp; 100024 1 50510/udp; 100024 1 47810/udp;",,"/mnt/export 192.168.0.0",,508,12.70
"2010-02-10 00:00:02",medium,192.168.0.3,udp,111,node03.example.com,portmapper,64512,ZZ,Region,City,0,ptr,"100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;",,"/mnt/export 192.168.0.0","Communications, Service Provider, and Hosting Service",148,3.70

Our 135 Report Types

« Back to Network Reporting