Security Incidents mailing list archives

Re: Trojan attacking our switches


From: Kris Saw <kris () devastate org>
Date: Fri, 21 Mar 2003 23:37:18 +0100

Check section 8 of your manual for SNMP configuration options. Check section 7-30 of your management and configuration guide for "IP Authorized Managers"; this will allow you to lock down management access to the switch using host masks. Unfortunately, the only way to completely disable SNMP is to turn off all IP-based management.

You can get the latest manual here:

ftp://ftp.hp.com/pub/networking/software/59692354.pdf

It's also a good idea to update the firmware to fix this:

http://www.cert.org/advisories/CA-2002-03.html

Latest firmware can be found here:

http://www.hp.com/rnd/software/switches.htm

/kris

Charles Polisher wrote:
Search of CVE and securityfocus and googling did not turn up adequate information. Anyone seen this beast? Our campus network has a couple of thousand hosts, and 93 switches. Telnetting into our HP Procurve 2524 switch shows an ongoing attempt to brute-force the SNMP community (public, of course). HP apparently does not provide a method for disabling SNMP, and we're going to have to visit all 93 switches in person to set a strong password -- yes, it had been left blank!

PCdoorguard 3 virus scanner identified a virus, "f*ck door server", but provides little useful information other than pointing to \windows\system\setdefed.exe which is 24,576 bytes.

Thanks,
Charles Polisher
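
An added example, not part of either message above: a sketch of auditing saved switch configurations for the two issues discussed in this thread, a default SNMP community and missing or overly broad "IP Authorized Managers" host masks. The sample configuration is constructed, and the `snmp-server community` and `ip authorized-managers` line formats, the meaning of `Unrestricted` (write access) and the mask semantics (a station matches when it agrees with the entry on every bit set in the mask) are assumptions to check against the switch manual.

```python
import ipaddress
import re

# Constructed sample of a saved switch configuration (not from the thread).
# Both command forms are assumed; confirm them against the switch manual.
SAMPLE_CONFIG = '''\
hostname "bldg-a-sw01"
snmp-server community "public" Unrestricted
ip authorized-managers 10.20.30.5 255.255.255.255
ip authorized-managers 10.20.0.0 255.255.0.0
'''

COMMUNITY_RE = re.compile(r'^snmp-server community "([^"]*)"\s*(.*)$', re.I)
MANAGER_RE = re.compile(r'^ip authorized-managers (\S+) (\S+)', re.I)
WEAK_COMMUNITIES = {"public", "private", ""}


def mask_permits(entry_ip, mask, candidate):
    """Assumed semantics: candidate must equal entry_ip on every bit set in mask."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(entry_ip)) & m) == (int(ipaddress.IPv4Address(candidate)) & m)


def hosts_allowed(mask):
    """Addresses one entry authorizes: 2 ** (number of zero bits in the mask)."""
    return 2 ** bin(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF).count("1")


def audit(config_text, max_hosts=16):
    """Return (findings, managers) for one switch's configuration text."""
    findings, managers = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if (m := COMMUNITY_RE.match(line)):
            name, rights = m.group(1), m.group(2).lower()
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(f"weak community name: {name!r}")
            if "unrestricted" in rights.split():  # assumed to mean write access
                findings.append(f"community {name!r} has write access")
        elif (m := MANAGER_RE.match(line)):
            managers.append((m.group(1), m.group(2)))
    if not managers:
        findings.append("no authorized managers: any host may reach management")
    for ip, mask in managers:
        if hosts_allowed(mask) > max_hosts:
            findings.append(f"broad entry {ip} {mask}: {hosts_allowed(mask)} hosts")
    return findings, managers
```

Running `audit()` over each switch's saved configuration gives a per-device list of what still needs fixing before and after the site visits.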
