Security Incidents mailing list archives

Re: Trojan attacking our switches

From: Mike Hoskins <mike () adept org>
Date: Fri, 21 Mar 2003 12:21:59 -0800 (PST)

On Thu, 20 Mar 2003, Charles Polisher wrote:

Search of CVE and securityfocus and googling
did not turn up adequate information. Anyone
seen this beast?


wrt SNMP vulnerabilities (seems relevant):

http://www.cert.org/advisories/CA-2002-03.html

Telnetting into our HP Procurve 2524 switch
shows an ongoing attempt to brute-force the
SNMP community (public, of course). HP apparently
does not provide a method for disbling SNMP, and
we're going to have to visit all 93 switches
in person to set a strong password -- yes, it had
been left blank!


SNMP should be setn to a VLAN/management interface.  Can you ACL the
interface to only allow SNMP from trusted hosts?  Also, I assume you only
allow telnet from your management network.

-mrh


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

Current thread:

Trojan attacking our switches Charles Polisher (Mar 21)
- Re: Trojan attacking our switches dreamwvr () dreamwvr com (Mar 21)
- Re: Trojan attacking our switches Mike Hoskins (Mar 21)
- Re: Trojan attacking our switches Kris Saw (Mar 22)