Security Basics mailing list archives
Fw: SNMP attempts every 10 minutes
From: Kal Hartstein <jkhart () optonline net>
Date: Tue, 15 Jan 2008 11:41:27 -0500
unsubscribe

----- Original Message -----
From: "k7 fantr" <k7.fantr () gmail com>
To: "Ivan ." <ivanhec () gmail com>
Cc: <security-basics () securityfocus com>
Sent: Monday, January 14, 2008 7:08 PM
Subject: Re: SNMP attempts every 10 minutes
- The switch logs indicate that IP x is failing to authenticate to it (the switch).
- The IP x is a Windows 2000 workstation.
- I do not know what is causing the attempt (trap or get) and I am not sure how I could tell the difference via the logs: "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host x.x.x.x (x.y.com)"
- I cannot find any logs indicating anything regarding snmp on the workstation.
- I can re-create the same error message if I do a snmp-walk from my workstation.

Ultimately I am wondering if I am out of my mind to demand that, due to the suspicious behavior and the inability to determine what it IS, this workstation should be removed from the network and investigated rather than left on the network until it is proved that it is something to worry about. And also, does anyone know of malicious code that behaves in this specific manner?
I hope this adds a little clarity.. thanks for the follow ups

On Jan 14, 2008 5:43 PM, Ivan . <ivanhec () gmail com> wrote:

Is it a SNMP-trap or SNMP-get request? There is a difference and your email isn't clear.
SNMP-trap is sent by a device to a SNMP server.
SNMP-get is a read request from a SNMP poller to a device.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

I assume you mean a device is polling (SNMP-get) your core switch, and it does not have the correct auth string. You should be able to isolate the IP of the poller and then track down the box. It could be a linux box running some "snmp-walk" requests.

cheers
Ivan

On 11 Jan 2008 20:33:27 -0000, <k7.fantr () gmail com> wrote:

There is a machine on our network that is trying and failing to
authenticate with the snmp trap on our core switch every 10 minutes. I cannot seem to isolate what is making the requests. Based on scans that I have run, there is no known malware (nothing detected anyway). No services running appear to stop the requests after being turned off, and after installing a host-based firewall and reviewing the logs, as well as running wireshark and reviewing a 2 hour capture, I cannot seem to pinpoint anything making requests to that switch at all. It is the only machine on the network of about 900 that is doing this.

I want the machine removed so that I can investigate further, but I am getting resistance from the IT Manager and support (no time.. not necessary..). Has anybody seen this before? Am I wrong to want this removed?

Thanks in advance.
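Ivan's trap-versus-get distinction and the steady 10-minute cadence in the switch log are the two things a defender would check first. The script below is an added example, not code from anyone in the thread: it parses constructed %SNMP-3-AUTHFAIL syslog lines of the form quoted above, groups failures by source host, flags hosts whose failures recur at a fixed interval (the signature of an automated poller rather than a person), and maps the UDP port seen in a capture to Ivan's two cases. The timestamp prefix, sample addresses and hostnames are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the message format quoted in the thread; the "Mon DD HH:MM:SS" prefix is an assumption.
AUTHFAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}).*%SNMP-3-AUTHFAIL: Authentication failure "
    r"for SNMP req from host (?P<host>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: one host failing every ~10 minutes, one one-off, one unrelated line.
SAMPLE_LOG = """\
Jan 14 09:00:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3 (ws.example.com)
Jan 14 09:10:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3 (ws.example.com)
Jan 14 09:12:40: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.9.9 (nms.example.com)
Jan 14 09:13:00: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Jan 14 09:20:03: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3 (ws.example.com)
Jan 14 09:30:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3 (ws.example.com)
"""

def parse_authfail(log, year=2008):
    """Return {source_host: sorted [datetime, ...]} for every AUTHFAIL line in the log."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = AUTHFAIL_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["host"]].append(ts)
    for times in hits.values():
        times.sort()
    return dict(hits)

def periodic_hosts(hits, min_events=3, tolerance_s=30):
    """Hosts whose failures recur at a steady interval -> {host: interval_minutes}.
    A fixed cadence points to a scheduled poller; a human running snmpwalk is irregular."""
    result = {}
    for host, times in hits.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= tolerance_s for g in gaps):
            result[host] = round(median / 60)
    return result

def classify_snmp_port(dst_port):
    """Ivan's distinction, as seen in a packet capture: 161 = get/set/walk to an agent, 162 = trap to a manager."""
    return {161: "get/set request (poller -> agent)",
            162: "trap (agent -> manager)"}.get(dst_port, "not SNMP")
```

Filtering the Wireshark capture on UDP destination port 161 from the workstation would show the request side directly; the switch log alone does not record which it was.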