Fw: SNMP attempts every 10 minutes

[Kal Hartstein <jkhart () optonline net>]

unsubscribe
----- Original Message ----- 
From: "k7 fantr" <k7.fantr () gmail com>
To: "Ivan ." <ivanhec () gmail com>
Cc: <security-basics () securityfocus com>
Sent: Monday, January 14, 2008 7:08 PM
Subject: Re: SNMP attempts every 10 minutes


> - The switch logs indicate that IP x is failing to authenticate to it
> (the switch).
> - The IP x is a Windows 2000 workstation
> - I do not know what is causing the attempt (trap or get) and I am not
> sure how I could tell the difference via the logs:
> "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host
> x.x.x.x (x.y.com)"
> - I can not find any logs indicating anything regarding snmp on the
workstation
> - I can re-create the same error message if I do a snmp-walk from my
workstation
> Ultimately I am wondering if I am out of my mind to demand that due to
> the suspicious behavior, and the inability to determine what it IS,
> this workstation should be removed from the network and investigated
> rather than left on the network until proved that it is something to
> worry about.
>
> and also if any knows of malicious code that behaves in this specific
manner?
> I hope this adds a little clarity.. thanks for the follow ups
>
>
>
> On Jan 14, 2008 5:43 PM, Ivan . <ivanhec () gmail com> wrote:
> > Is it a SNMP-trap or SNMP-get request? There is a difference and your
> > email isn't clear.
> >
> > SNMP-trap is sent by a device to a SNMP server
> >
> > SNMP-get is a read request from a SNMP poller to a device
> >
> > http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm
> >
> > I assume you mean a device is polling (SNMP-get) your core switch, and
> > it does not have the correct auth string. You should be able to
> > isolate the IP of the poller and they track down the box. It could be
> > a linux box running some "snmp-walk" requests.
> >
> > cheers
> > Ivan
> >
> >
> > On 11 Jan 2008 20:33:27 -0000, <k7.fantr () gmail com> wrote:
> > > There is a machine on our network that is trying and failing to
authenticate with the snmp trap on our core switch every 10 minutes. I can
not seem to isolate what is making the requests. Based on scans that I have
run, there is no know malware (nothing detected anyway). No services running
appear to stop the requests after being turned turned off, and after
installing a host based firewall and reviewing the logs, as well as running
wireshark and reviewing a 2 hour capture, I can not seem to pin point
anything making requests to that switch at all. It is the only machine on
the network of about 900 that is doing this.
> > > I want the machine removed so that I can investigate further, but I am
getting resistance from the IT Manager and support (no time.. not
necessary..). Has anybody seen this before? Am I wrong to want this removed?
> > > Thanks in advance.