Security Incidents mailing list archives

Re: SNMP Scans


From: Omar Herrera <oherrera () PRODIGY NET MX>
Date: Mon, 12 Mar 2001 22:30:54 -0600

H Carvey wrote:

Did anyone else catch what this guy was looking for? Any other increases in
SNMP scans or exploit attempts?


Did you happen to catch any scans for port 2301,
as well?  Compaq is a big player in the server
market, and that's an issue with the push for ASP
by a lot of companies.  Compaq ships their Win2K
servers w/ the Compaq stuff installed...Insight
Manager, particularly, which uses SNMP.  My
experience has shown over the past couple of months
that the community strings are left default.

The httpd for the Insight Manager runs on port
2301...

Carv


By the way, I found many NT ProLiant servers with this admin. tool
installed, during an audit, were vulnerable. More precisely, the web
server (some versions) on which this admin. tool runs allowed anyone to
retrieve files from directories distinct from those on which the admin.
tool files reside (well-known vulnerability in ancient versions of some
web servers).

Just try something like http://web.server.com:2301\..\..\..\windows\win.ini

In the case of this audit, the problem was more complex because this
administration tool is installed by default in many Compaq servers,
the company that bought these servers was not familiar with Compaq
admin. tools, and the reseller who installed these servers just 'forgot'
to tell the client about it. So they almost got these machines connected
to the internet with wide open holes accessible from the outside.

(Side note: as noted above, not all versions of the web server were
vulnerable. I can't recall the specific version numbers, but nessus
detected the vulnerable servers easily; I suppose that any other decent
vulnerability scanner, open source or commercial, will detect this as well.)

Omar
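
A log check for the kind of request described in the message above, added here as an example and not part of the original post: it flags request targets on port 2301 that climb above the web root with `..`, whether the separator is a slash or a backslash and whether or not the sequence is percent-encoded. The log layout, the sample lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "client port method target" layout
# (an assumption; adapt the regex to the real access-log format).
SAMPLE_LOG = """\
10.0.0.5 2301 GET /index.htm
10.0.0.9 2301 GET \\..\\..\\..\\windows\\win.ini
10.0.0.9 2301 GET /%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
10.0.0.7 2301 GET /images/../index.htm
10.0.0.8 2301 GET /%252e%252e/%252e%252e/boot.ini
"""
LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")

def decode_fully(target, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def escapes_root(target):
    """True if the decoded path ever climbs above the web root."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:      # stepped out of the document root
                return True
        else:
            depth += 1
    return False

def find_traversal(log_text, port=2301):
    """Return (client, raw_target) for each suspicious request on the port."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(2)) == port and escapes_root(m.group(4)):
            hits.append((m.group(1), m.group(4)))
    return hits

if __name__ == "__main__":
    for client, target in find_traversal(SAMPLE_LOG):
        print(client, target)
```

A `..` that stays inside the root, as in `/images/../index.htm`, is not flagged; only paths whose depth goes negative are reported.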

