Security Incidents mailing list archives
Re: Strange SNMP probes suddenly appearing
From: <jcanaves () ucsd edu>
Date: 10 Dec 2003 23:31:30 -0000
In-Reply-To: <3FCD4909.5060605 () utc edu>
Originally, (I) Jeff Kell wrote:

Starting yesterday afternoon, I had a local student lab machine that was attempting to SNMP query our core router (its default gateway), and due to a misconfiguration on the access-layer switch, I couldn't shut the port down, so I simply ACL'ed the address to Null. It was sending queries every 10-15 seconds (somewhat irregularly). It was a Windows machine (answered nbtscan) and nmap only revealed a NetBIOS port open, nothing else. Suspecting a proxy, I scanned the PIX logs for the last 24 hours and there was absolutely no traffic registered to/from the internet, and no active NAT xlate slot either.

After finally getting an ethereal trace of traffic from the faulty address (a machine using an Apple Airport) I found the following: The first packet is an SNMP query directed to the router, community name 'public', and attempts to read 3 MIBs:

SNMPv2-MIB::sysName.0
SNMPv2-MIB::sysLocation.0
SNMPv2-MIB::sysDescr.0
I'm glad to hear that somebody experienced something similar to my three-week nightmare. During the past 3 weeks my Cox@home service was disconnected due to several SNMP attacks against one of their Cox Business routers originating from my IP address. After stopping SNMP on all my machines, scanning them for viruses and trojans, and increasing the security level of my firewall to the max, the problem still persisted. It did not cease until I disconnected the Airport, but I am still on their blacklist, and under their 3-strike policy any other infraction could trigger the final cancellation of my high-speed internet connection. Certainly, having that kind of BS going on is not a trivial issue.

Jeff, in case you figure out what exactly is going on with the Airports, could you contact me at jcanaves () ucsd edu

Thanks!

Jaume
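The query described in the quoted trace can be recognised in a capture by decoding the SNMP message itself. The following is an added example, not part of the original post: a minimal BER decoder that pulls out the community string and requested OIDs. The sample packet is constructed here, and the SNMPv1 framing, request-id and all function names are assumptions.

```python
# Added example: minimal BER walk over an SNMP v1/v2c request (short-form lengths only).
SYS_OIDS = {"1.3.6.1.2.1.1.1.0": "sysDescr.0",
            "1.3.6.1.2.1.1.5.0": "sysName.0",
            "1.3.6.1.2.1.1.6.0": "sysLocation.0"}

def tlv(tag, body=b""):
    """Encode one BER element (body under 128 bytes); used only to build the sample."""
    return bytes([tag, len(body)]) + body

def read(buf, pos):
    """Return (tag, value, next_pos) for the element at pos; reject malformed input."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length (not handled here)")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos], buf[pos + 2:end], end

def oid_str(raw):
    """Decode OID bytes to dotted form, including base-128 sub-identifiers."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def inspect(packet):
    """Return (community, pdu_tag, [requested names]) for one SNMP message."""
    _, msg, _ = read(packet, 0)            # outer SEQUENCE
    _, _version, p = read(msg, 0)
    _, community, p = read(msg, p)
    pdu_tag, pdu, _ = read(msg, p)         # 0xA0 = GetRequest
    p = 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, _, p = read(pdu, p)
    _, binds, _ = read(pdu, p)
    names, p = [], 0
    while p < len(binds):
        _, varbind, p = read(binds, p)
        oid = oid_str(read(varbind, 0)[1])
        names.append(SYS_OIDS.get(oid, oid))
    return community.decode("ascii", "replace"), pdu_tag, names

def enc_oid(dotted):                       # sample builder; every arc here is < 128
    n = [int(x) for x in dotted.split(".")]
    return bytes([n[0] * 40 + n[1]] + n[2:])

# Constructed sample: GetRequest, community 'public', the three OIDs named in the trace.
ASKED = ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.6.0", "1.3.6.1.2.1.1.1.0")
BINDS = b"".join(tlv(0x30, tlv(0x06, enc_oid(o)) + tlv(0x05)) for o in ASKED)
PDU = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, BINDS))
SAMPLE = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + PDU)
```

Applied to UDP/161 payloads from a capture, the returned tuple gives a source-independent signature (default community plus the system-group OIDs) that can be matched in router ACL logs or IDS rules.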