Security Incidents mailing list archives

SNMP Scans 02/17/02


From: Peter Johnson <pjohnson () securityflaw com>
Date: Sun, 17 Feb 2002 22:23:09 -0600

Just saw this in my portscan log (via snort) and decided to share with
the community so we can figure out who is scanning with what tools and
for what purpose (investigative or malicious).

Seems like they scan my 5 IP block 3 times.

Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.52:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.53:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.51:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.52:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.53:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.51:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.52:161 UDP
=======================================================
I have some generic snmp rules to catch all SNMP scans/probes.

Here is a sample packet that got

[**] SNMP/udp public access [**]
02/17-20:21:06.412571 0:A0:C5:E5:F6:93 -> 0:10:5A:F:34:B1 type:0x800
len:0x61
67.113.159.146:1504 -> X.X.X.50:161 UDP TTL:114 TOS:0x0 ID:55265
IpLen:20 DgmLen:83 Len: 63
30 35 02 01 00 04 06 70 75 62 6C 69 63 A1 28 02  05.....public.(.
04 3C 69 F1 B9 02 01 00 02 01 00 30 1A 30 0B 06  .<i........0.0..
07 2B 06 01 02 01 01 02 05 00 30 0B 06 07 2B 06  .+........0...+.
01 02 01 01 01 05 00                             .......

Every packet looks exactly the same.
Wonder if this is the SANS snmp scanning tool?
======================================================================
Name:    adsl-67-113-159-146.dsl.sntc01.pacbell.net
Address:  67.113.159.146

George S Granados (NETBLK-SBC-06711315914429)
    San Francisco, Ca 94104
    US

    Netname: SBC-06711315914429
    Netblock: 67.113.159.144 - 67.113.159.151

Coordinator:
       Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin () PBI NET
       888-212-5411

Seems like ol' pacbell gives info on who they give IP blocks to! ;)

Do you think we should be reporting snmp scans to ISPs,
or is it just a waste of time?
==================================================================

Peter
--
Peter E. Johnson
Securityflaw
http://www.securityflaw.com
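To see exactly what the captured probe asks for, here is an added example (not part of Peter's post, the snort rule, or any scanning tool) that decodes the hex dump above with a minimal BER/SNMPv1 parser; the function and table names are mine, the MIB-II names sysDescr/sysObjectID are standard, and the payload bytes are copied from the snort output.

```python
# Added example, not from the original post: a minimal BER decoder for the
# SNMPv1 PDU in the snort capture, so a defender can see what the probe asks
# for (community string, PDU type, OIDs) instead of guessing which tool sent it.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
MIB2_NAMES = {"1.3.6.1.2.1.1.1": "sysDescr", "1.3.6.1.2.1.1.2": "sysObjectID"}

# UDP payload copied from the hex dump in the post: snort's "Len: 63" counts the
# 8-byte UDP header, so the SNMP message itself is 55 bytes.
PROBE_HEX = ("30 35 02 01 00 04 06 70 75 62 6C 69 63 A1 28 02 "
             "04 3C 69 F1 B9 02 01 00 02 01 00 30 1A 30 0B 06 "
             "07 2B 06 01 02 01 01 02 05 00 30 0B 06 07 2B 06 "
             "01 02 01 01 01 05 00")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]; short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted OID from BER contents; sub-identifiers are base-128 with a continuation bit."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def decode_snmpv1(payload):
    """Parse Message ::= SEQUENCE { version, community, PDU } and list the requested OIDs."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)       # request-id
    _, _, pos = read_tlv(pdu, pos)          # error-status (ignored)
    _, _, pos = read_tlv(pdu, pos)          # error-index (ignored)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, _ = read_tlv(vb, 0)     # the value (NULL in a request) is skipped
        oids.append(decode_oid(oid_raw))
    return {"version": {0: "v1", 1: "v2c"}.get(ver[0], "?"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}

def decode_probe():
    """Decode the probe captured in the post."""
    return decode_snmpv1(bytes.fromhex(PROBE_HEX))

if __name__ == "__main__":
    info = decode_probe()
    print(f"SNMP{info['version']} {info['pdu']} community={info['community']!r} id={info['request_id']}")
    for oid in info["oids"]:
        print(f"  {oid} ({MIB2_NAMES.get(oid, 'unknown')})")
```

The decode shows an SNMPv1 GetNextRequest with community "public" for sysObjectID and sysDescr, the generic first step of a device-discovery sweep, which is why every packet looks identical.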


