Security Incidents mailing list archives

snmp


From: massimo.ferrario () INFORETI IT (Massimo Ferrario)
Date: Thu, 9 Mar 2000 19:15:44 +0100


Hi.

For more than one month my server has been hit almost every day by snmp
traffic apparently coming from a RIPE host: the IP is always 193.0.1.180.
The traffic is detected by portsentry, which finds 2/3 packets per IP per
day; in the portsentry logs I find:
Mar  7 21:32:57 server portsentry[628]: attackalert: UDP scan from host:
193.0.1.180/193.0.1.180 to UDP port: 161
The time of the 'scan' varies: usually it is around 20:00 CET (GMT+1) but I
found events at 23, 00, 01, 04 ...

I notified RIPE, and Andrea Galantini answered me:
This scan did not originate in our network, it has most likely come
from a host spoofing this address [193.0.1.180].
As the only benefit we can see to doing this would be to make it
appear to you that RIPE NCC were responsible for the scanning we
are remaining vigilant.
We would be very glad if you could provide us with a (small part)
of the router log entries.

Can you also let your upstream ISP know that you see these problems
and ask them for source and destination addresses in their router
logs.
I have no access to my router logs as the router is property of my upstream
ISP, which doesn't provide them :-(

I have installed tcpdump and tried to get more info about the traffic: I
used a filter to only catch udp packets on port snmp coming from
193.0.1.180 (tonight I will try to grab all traffic from that host).
This is what I can see from the dump: a small 'burst' of snmp requests:

#tcpdump -r mydump -v
20:04:09.347849 < 193.0.1.180.1033 > ftp.inforeti.it.snmp: |30|2a|02|01SNMPv1
|04|06|a0|1dGetRequest (29)|02|01|02|01|02|01|30|12
|30|10|06|0cE:hp.2.4.3.10.6.0|05|00
(ttl 12, id 34517)
20:04:09.799948 < 193.0.1.180.1033 > www.inforeti.it.snmp: |30|2a|02|01SNMPv1
|04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12
|30|10|06|0cE:hp.2.4.3.10.6.0|05|00
(ttl 10, id 34773)
20:04:09.810112 < 193.0.1.180.1033 > bart.inforeti.it.snmp: |30|2a|02|01SNMPv1
|04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12
|30|10|06|0cE:hp.2.4.3.10.6.0|05|00
(ttl 10, id 35285)
20:04:09.894969 P 193.0.1.180.1033 > proxy.inforeti.it.snmp:
|30|2a|02|01SNMPv1
04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12
|30|10|06|0cE:hp.2.4.3.10.6.0|05|00
(ttl 4, id 34261)
20:04:09.990615 P 193.0.1.180.1033 > mail.inforeti.it.snmp:
|30|2a|02|01SNMPv1
|04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12
|30|10|06|0cE:hp.2.4.3.10.6.0|05|00
(ttl 4, id 38357)
20:04:10.000492 P 193.0.1.180.1033 > 194.243.103.183.snmp: |30|2a|02|01SNMPv1
|04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12
|30|10|06|0cE:hp.2.4.3.10.6.0|05|00
(ttl 2, id 34005)
[...]

Does anyone get any hint out of this 'trace'?

Ciao

---------------------------------------
Massimo Ferrario
Inforeti snc
via Pellizzo, 39 - 35100 Padova (Italy)
http://www.inforeti.it
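As an added example (not part of the original post or thread), the Python below decodes the BER layout tcpdump printed for each packet (30 2a, 02 01, 04 06, a0 1d GetRequest, 06 0c E:hp.2.4.3.10.6.0, 05 00) and then groups the per-packet TTLs from the trace by source and second, which is the detail worth looking at here: the same source IP and port arriving with TTL 12, 10, 4 and 2 inside one second is not how a single real host behaves. The community string "public" and the request-id value are assumptions (tcpdump shows only their lengths), and the trace lines are a constructed one-line summary of the dump above.

```python
import re
# Constructed packet with the BER skeleton tcpdump printed: 30 2a, 02 01 version, 04 06 community,
# a0 1d GetRequest, three 02 01 integers, 30 12, 30 10, 06 0c OID, 05 00. ASSUMED: community "public".
PACKET = bytes.fromhex("302a" "020100" "0406" + b"public".hex() + "a01d" "020101" "020100"
                       "020100" "3012" "3010" "060c" "2b060104010b0204030a0600" "0500")
def tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form BER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert not length & 0x80, "long-form BER lengths do not occur in this trace"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(raw):
    """BER OID: first byte packs two arcs (0x2b -> 1.3), the rest is base-128 with a continuation bit."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_snmpv1_get(packet):
    """Parse SEQUENCE{version, community, GetRequest{req-id, status, index, varbinds}}."""
    tag, msg, _ = tlv(packet, 0)
    assert tag == 0x30, "not an SNMP message"
    _, version, pos = tlv(msg, 0)
    _, community, pos = tlv(msg, pos)
    pdu_tag, pdu, _ = tlv(msg, pos)
    _, _, pos = tlv(pdu, 0)                   # request-id
    _, _, pos = tlv(pdu, pos)                 # error-status
    _, _, pos = tlv(pdu, pos)                 # error-index
    _, vb_list, _ = tlv(pdu, pos)
    _, oid, _ = tlv(tlv(vb_list, 0)[1], 0)    # first varbind's OID; its value (05 00) is NULL
    return {"version": "SNMPv1" if version == b"\x00" else "other",
            "pdu": {0xA0: "GetRequest"}.get(pdu_tag, hex(pdu_tag)),
            "community": community.decode("ascii", "replace"), "oid": decode_oid(oid)}
# Constructed one-line summary of the burst above (timestamp, source, destination, TTL).
TRACE = """20:04:09.347849 < 193.0.1.180.1033 > ftp.inforeti.it.snmp: (ttl 12, id 34517)
20:04:09.894969 P 193.0.1.180.1033 > proxy.inforeti.it.snmp: (ttl 4, id 34261)
20:04:10.000492 P 193.0.1.180.1033 > 194.243.103.183.snmp: (ttl 2, id 34005)"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\S* [<P] (\S+?)\.\d+ > .*\(ttl (\d+), id \d+\)")

def ttl_spread(trace):
    """Min/max TTL per (source, second); one real host arrives with one hop count, so a wide spread is inconsistent with a single genuine sender."""
    seen = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen.setdefault((m.group(2), m.group(1)), []).append(int(m.group(3)))
    return {key: (min(ttls), max(ttls)) for key, ttls in seen.items()}
```

Feeding the real dump through `ttl_spread` needs the timestamp and the `(ttl N, id M)` tail on one line, as in the constructed summary; the decoder is enough to confirm which OID and community every packet in the burst asks for.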

