GEN:SID 1:576
Message RPC portmap amountd request UDP
Summary This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) amountd (also known as autofsd) is listening.

Impact Information disclosure.  This request is used to discover which port amountd is using.  Attackers can also learn what versions of the amountd protocol are accepted by amountd.
Detailed Information The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as amountd run.  The amountd RPC service is used by UNIX hosts to automatically mount and unmount autofs files.  It can use name service maps to find file systems to be mounted.  A vulnerability is present in autofsd that allows an attacker to execute arbitrary commands.  The attacker requests a map name that is executable, followed by a malformed client key and commands to be executed.  The server improperly interprets the input and executes the commands.
Affected Systems IBM AIX 4.3, SGI IRIX 6.2, 6.3, 6.4, 6.5, and 6.5.1.
Attack Scenarios An attacker can craft an amountd request that executes arbitrary commands on the remote file system.
Ease of Attack Easy.  Exploit code is widely available.
Corrective Action Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.

Disable unneeded RPC services.
Additional References Bugtraq:
http://www.securityfocus.com/bid/332/info/

Arachnids:
http://www.whitehats.com/info/IDS19

Rule References arachnids: 19