Security Incidents mailing list archives
snmp
From: massimo.ferrario () INFORETI IT (Massimo Ferrario)
Date: Thu, 9 Mar 2000 19:15:44 +0100
Hi. For more than one month my server has been hit almost every day by snmp traffic apparently coming from a RIPE host: the IP is always 193.0.1.180. The traffic is detected by portsentry, which finds 2/3 packets per IP per day; in portsentry logs I find:

Mar 7 21:32:57 server portsentry[628]: attackalert: UDP scan from host: 193.0.1.180/193.0.1.180 to UDP port: 161

The time of the 'scan' varies: usually it is around 20:00 CET (GMT+1) but I found events at 23, 00, 01, 04 ... I notified RIPE, and Andrea Galantini answered me:
This scan did not originate in our network, it has most likely come from a host spoofing this address [193.0.1.180]. As the only benefit we can see to doing this would be to make it appear to you that RIPE NCC were responsible for the scanning we are remaining vigilant. We would be very glad if you could provide us with a (small part) of the router log entries. Can you also let your upstream ISP know that you see these problems and ask them for source and destination addresses in their router logs.
I have no access to my router logs as the router is property of my upstream ISP, which doesn't provide them :-(

I have installed tcpdump and tried to get more info about the traffic: I used a filter to only catch udp packets on port snmp coming from 193.0.1.180 (tonight I will try to grab all traffic from that host). This is what I can see from the dump: a small 'burst' of snmp requests

#tcpdump -r mydump -v
20:04:09.347849 < 193.0.1.180.1033 > ftp.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest (29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 12, id 34517)
20:04:09.799948 < 193.0.1.180.1033 > www.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 10, id 34773)
20:04:09.810112 < 193.0.1.180.1033 > bart.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 10, id 35285)
20:04:09.894969 P 193.0.1.180.1033 > proxy.inforeti.it.snmp: |30|2a|02|01SNMPv1 04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 4, id 34261)
20:04:09.990615 P 193.0.1.180.1033 > mail.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 4, id 38357)
20:04:10.000492 P 193.0.1.180.1033 > 194.243.103.183.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 2, id 34005)
[...]

Does anyone get any hint out of this 'trace'?

Ciao
---------------------------------------
Massimo Ferrario
Inforeti snc
via Pellizzo, 39 - 35100 Padova (Italy)
http://www.inforeti.it
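An added analysis example (written for this archive page; it is not code from the post, from tcpdump or from portsentry) that works the trace above the way a defender would: it parses the six tcpdump lines, compares the TTLs the one source address and port presents within the burst, and rebuilds the SNMPv1 GetRequest from the BER byte markers tcpdump printed (|30|2a, |02|01, |04|06, |a0|1d, |30|12, |30|10, |06|0c, |05|00) so it can be decoded. The community string and request-id bytes are not visible in the dump; the 'public' community and request-id 1 in the code are constructed placeholders, and the 44-byte layout follows only from the lengths tcpdump did print. tcpdump's E:hp prefix is its abbreviation of the HP enterprise subtree 1.3.6.1.4.1.11.

```python
"""Analysis helpers for the SNMP probe trace quoted in the post (added example)."""
import re

# The six packet lines from the post's tcpdump -v output, one per line.
SAMPLE_TRACE = """\
20:04:09.347849 < 193.0.1.180.1033 > ftp.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest (29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 12, id 34517)
20:04:09.799948 < 193.0.1.180.1033 > www.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 10, id 34773)
20:04:09.810112 < 193.0.1.180.1033 > bart.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 10, id 35285)
20:04:09.894969 P 193.0.1.180.1033 > proxy.inforeti.it.snmp: |30|2a|02|01SNMPv1 04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 4, id 34261)
20:04:09.990615 P 193.0.1.180.1033 > mail.inforeti.it.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 4, id 38357)
20:04:10.000492 P 193.0.1.180.1033 > 194.243.103.183.snmp: |30|2a|02|01SNMPv1 |04|06|a0|1dGetRequest(29)|02|01|02|01|02|01|30|12 |30|10|06|0cE:hp.2.4.3.10.6.0|05|00 (ttl 2, id 34005)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [<P] (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.-]+)\.(?P<dport>\w+): .*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)$"
)


def parse_trace(text):
    """Turn tcpdump -v lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                            "dst": m["dst"], "dport": m["dport"],
                            "ttl": int(m["ttl"]), "ip_id": int(m["id"])})
    return records


def ttl_consistency(records, max_spread=2):
    """Per (source IP, source port): the TTL range seen at the observer.

    Packets from one real host over one path arrive with a near-constant TTL,
    so TTLs from 12 down to 2 inside one second are an indicator (not proof)
    that the source address is forged, which is what RIPE suggested.
    """
    seen = {}
    for r in records:
        seen.setdefault((r["src"], r["sport"]), []).append(r["ttl"])
    return {k: {"min": min(v), "max": max(v), "suspicious": max(v) - min(v) > max_spread}
            for k, v in seen.items()}


def build_probe(community=b"public", request_id=1):
    """Rebuild the 44-byte GetRequest from the markers tcpdump printed.

    The community and request-id bytes are not in the dump: 'public' and 1
    are constructed placeholders. Every tag/length below is from the trace.
    """
    # E:hp.2.4.3.10.6.0 is tcpdump's rendering of 1.3.6.1.4.1.11.2.4.3.10.6.0
    oid = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x0B, 0x02, 0x04, 0x03, 0x0A, 0x06, 0x00])
    varbind = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"            # |06|0c ... |05|00
    vb_list = b"\x30" + bytes([len(varbind)]) + varbind                   # |30|10
    pdu = (b"\x02\x01" + bytes([request_id]) + b"\x02\x01\x00" + b"\x02\x01\x00"
           + b"\x30" + bytes([len(vb_list)]) + vb_list)                  # |30|12
    msg = (b"\x02\x01\x00"                                                # version 0 = SNMPv1
           + b"\x04" + bytes([len(community)]) + community               # |04|06
           + b"\xa0" + bytes([len(pdu)]) + pdu)                           # |a0|1d
    return b"\x30" + bytes([len(msg)]) + msg                               # |30|2a


def _tlv(buf, pos):
    """Short-form BER TLV (length < 128), which is all this trace needs."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def decode_snmpv1_get(pkt):
    """Decode version, community, PDU type, request-id and the first OID."""
    _, msg, _ = _tlv(pkt, 0)
    _, ver, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    _, rid, pos = _tlv(pdu, 0)
    _, _err, pos = _tlv(pdu, pos)
    _, _idx, pos = _tlv(pdu, pos)
    _, vb_list, _ = _tlv(pdu, pos)
    _, varbind, _ = _tlv(vb_list, 0)
    _, oid, _ = _tlv(varbind, 0)
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big"),
            "oid": _decode_oid(oid)}


def tcpdump_style(oid):
    """Render an HP enterprise OID the way tcpdump abbreviates it (E:hp)."""
    prefix = "1.3.6.1.4.1.11."
    return "E:hp." + oid[len(prefix):] if oid.startswith(prefix) else oid


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for sender, info in ttl_consistency(recs).items():
        print(sender, info)
    decoded = decode_snmpv1_get(build_probe())
    print(decoded, tcpdump_style(decoded["oid"]))
```

Run on the trace, the one source/port pair 193.0.1.180:1033 shows TTLs from 2 to 12 within a second, which is flagged; a single host at a fixed distance from the border would present a constant TTL there, so the spread supports RIPE's reading that the address is forged rather than that 193.0.1.180 itself is probing. The decoder confirms the packet is a plain SNMPv1 GetRequest for one HP enterprise OID with a NULL value, i.e. a read probe, not a Set.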