Security Incidents mailing list archives
Re: possible slooow SNMP scan
From: Patrick Oonk <patrick () pine nl>
Date: Fri, 15 Feb 2002 10:34:53 +0100
On Thu, Feb 14, 2002 at 04:48:35PM -0600, Rich Puhek wrote:
Given the recent discussion on SNMP vulnerabilities, I decided to look at my router logs this afternoon. I only found three drops on connections to port 161 in today's logs, and I found four in yesterday's. I did see an interesting correlation though. Sanitized logs follow:

$ grep "list 100" /var/log/routers.log
Feb 14 14:35:44 <MYROUTER> 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_ONE>.54(161), 1 packet
Feb 14 15:25:22 <MYROUTER> 72820: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_TWO>.54(161), 1 packet
Feb 14 15:29:27 <MYROUTER> 72843: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_THREE>.54(161), 1 packet

$ grep "list 100" /var/log/routers.log.0
Feb 13 07:18:17 <MYROUTER> 59882: 5d17h: %SEC-6-IPACCESSLOGP: list 100 denied udp OTHER_SOURCE(2955) -> <MY_NET_THREE>.208(161), 1 packet
Feb 14 05:43:24 <MYROUTER> 68696: 6d15h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_ONE>.53(161), 1 packet
Feb 14 06:30:19 <MYROUTER> 68984: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_TWO>.53(161), 1 packet
Feb 14 06:34:04 <MYROUTER> 69004: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_THREE>.53(161), 1 packet

(times are local, UTC-6)

The <SOURCE> IP was the same in each case (somewhere out in Finland, according to RIPE). The "MY_NET_ONE" is one of my networks, the "MY_NET_TWO" is another one of my networks, and the "MY_NET_THREE" is a third.

A couple of observations of the networks involved:

1) The three networks were scanned in order (lowest number 1st).
2) I have additional netblocks that sit between "MY_NET_ONE" and "MY_NET_TWO" that did not get connections attempted.
3) MY_NET_THREE is actually a /22. I don't know if the scanner realized that it was not a class C, but they did not scan each /24 in the net.
4) I don't have any hosts (running SNMP or otherwise) on .53 or .54 on any of the networks.
5) MY_NET_TWO and MY_NET_THREE are on the same /8, but MY_NET_ONE is on a different /8 altogether.

Has anyone seen anything similar?
09:24:26.875060 ncc.fullcarecenter.com.2101 > 213.x.x.x.snmp: GetNextRequest(37) system.sysDescr system.sysUpTime[|snmp]

(repeated many many times for many hosts in our network)

I already contacted them by email (and their upstream). When I got no response I tried to call them, but the security officer could not be reached by phone. In the meanwhile I suggest nullrouting their subnet.

Patrick

--
patrick oonk - pine internet - patrick () pine nl - www.pine.nl/~patrick
T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl
PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF 2F64 A65C 42AE 155C 3934
Excuse of the day: Groundskeepers stole the root password

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
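The pattern Rich describes (one source address, a handful of udp/161 probes hours apart, walking the same host number across several unrelated networks, always from source port 2101) slips under any detector that counts packets per minute. The script below is an added example written for this thread, not code from either post: it parses Cisco IOS %SEC-6-IPACCESSLOGP deny lines of the format quoted above and flags a source by breadth (distinct destination /24s) and duration rather than volume. The sample log, the router name rtr1, the addresses (RFC 5737 and RFC 6598 documentation ranges standing in for the sanitized networks) and the year 2002 (IOS timestamps carry none) are all constructed assumptions.

```python
"""Spot a slow SNMP (udp/161) sweep in Cisco IOS ACL deny logs.

Added example for this thread, not code from the original posts. The log
lines below are constructed in the %SEC-6-IPACCESSLOGP format quoted above;
addresses are documentation ranges and the syslog year is assumed to be 2002.
"""
import re
from collections import defaultdict
from datetime import datetime

# One IOS ACL-logging line: timestamp, router, sequence number, uptime, deny.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<router>\S+) "
    r"\d+: \S+: %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)

# Constructed sample: 100.64.1.5 hits .53 and later .54 on three networks,
# hours apart, always from source port 2101; 100.64.9.9 sends a single probe.
# A tcp/80 deny and a non-ACL syslog line are mixed in to exercise filtering.
SAMPLE_LOG = """\
Feb 13 07:18:17 rtr1 59882: 5d17h: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.9.9(2955) -> 192.0.2.208(161), 1 packet
Feb 14 05:43:24 rtr1 68696: 6d15h: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.1.5(2101) -> 198.51.100.53(161), 1 packet
Feb 14 06:30:19 rtr1 68984: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.1.5(2101) -> 203.0.113.53(161), 1 packet
Feb 14 06:34:04 rtr1 69004: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.1.5(2101) -> 192.0.2.53(161), 1 packet
Feb 14 09:02:11 rtr1 70110: 6d19h: %SEC-6-IPACCESSLOGP: list 100 denied tcp 100.64.1.5(40022) -> 198.51.100.10(80), 1 packet
Feb 14 14:35:44 rtr1 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.1.5(2101) -> 198.51.100.54(161), 1 packet
Feb 14 15:25:22 rtr1 72820: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.1.5(2101) -> 203.0.113.54(161), 1 packet
Feb 14 15:29:27 rtr1 72843: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 100.64.1.5(2101) -> 192.0.2.54(161), 1 packet
Feb 14 15:30:00 rtr1 72844: 1w0d: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_line(line, year=2002):
    """Parse one ACL deny line into a dict; return None for any other syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def dst_network(ip):
    """Collapse a destination address to its /24, the unit the scan walked."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize_sources(lines, dport=161, year=2002):
    """Per source address, aggregate denied probes to `dport` across networks."""
    per_src = defaultdict(lambda: {"networks": set(), "sports": set(),
                                   "packets": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["dport"] != dport:
            continue
        s = per_src[rec["src"]]
        s["networks"].add(dst_network(rec["dst"]))
        s["sports"].add(rec["sport"])
        s["packets"] += rec["pkts"]
        s["first"] = rec["when"] if s["first"] is None else min(s["first"], rec["when"])
        s["last"] = rec["when"] if s["last"] is None else max(s["last"], rec["when"])
    return per_src


def find_slow_scans(lines, min_networks=2, min_span_hours=1.0,
                    max_rate_per_hour=5.0, dport=161, year=2002):
    """Flag sources that touch several networks over a long window at low rate.

    A noisy scanner trips packet-count thresholds; a slow one does not, so the
    signal here is breadth (distinct /24s) plus duration, not volume.
    """
    hits = []
    for src, s in summarize_sources(lines, dport, year).items():
        span = (s["last"] - s["first"]).total_seconds()
        hours = span / 3600
        if len(s["networks"]) < min_networks or hours < min_span_hours:
            continue
        if s["packets"] / max(hours, 1e-9) > max_rate_per_hour:
            continue  # a fast sweep: louder, and caught by ordinary thresholds
        hits.append({"src": src, "networks": len(s["networks"]),
                     "packets": s["packets"], "span_seconds": int(span),
                     "sports": sorted(s["sports"]),
                     "first": s["first"].isoformat(), "last": s["last"].isoformat()})
    return sorted(hits, key=lambda h: (-h["networks"], h["src"]))


if __name__ == "__main__":
    for hit in find_slow_scans(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']}: {hit['networks']} networks, {hit['packets']} probes "
              f"over {hit['span_seconds'] // 3600}h, source ports {hit['sports']}")
```

On the sample, only 100.64.1.5 is reported: three networks, six probes spread over almost ten hours, one source port. The single-probe source and the tcp/80 deny drop out. The constant source port is kept in the output because it is exactly the kind of detail (as in Rich's logs and Patrick's tcpdump line) that lets two sites confirm they are looking at the same scanner.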