Security Incidents mailing list archives
Re: Trojan attacking our switches
From: Kris Saw <kris () devastate org>
Date: Fri, 21 Mar 2003 23:37:18 +0100
Check section 8 of your manual for SNMP configuration options, Check section 7-30 of your management and configuration guide for "IP Authorized Managers" this will allow you to lock down management access to the switch using host masks. Unfortunately, the only way to complete disable SNMP is to turn off all IP based management.
you can get the latest manual here: ftp://ftp.hp.com/pub/networking/software/59692354.pdf Its also a good idea to update the firmware fix this: http://www.cert.org/advisories/CA-2002-03.html Latest firmware can be found here: http://www.hp.com/rnd/software/switches.htm /kris Charles Polisher wrote:
Search of CVE and securityfocus and googlingdid not turn up adequate information. Anyone seen this beast? Our campus network has a couple of thousand hosts, and 93 switches. Telnetting into our HP Procurve 2524 switch shows an ongoing attempt to brute-force the SNMP community (public, of course). HP apparentlydoes not provide a method for disbling SNMP, and we're going to have to visit all 93 switches in person to set a strong password -- yes, it had been left blank! PCdoorguard 3 virus scanner identified a virus, "f*ck door server", but provides littleuseful information other than pointing to \windows\system\setdefed.exe which is 24,576 bytes.Thanks, Charles Polisher ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Trojan attacking our switches Charles Polisher (Mar 21)
- Re: Trojan attacking our switches dreamwvr () dreamwvr com (Mar 21)
- Re: Trojan attacking our switches Mike Hoskins (Mar 21)
- Re: Trojan attacking our switches Kris Saw (Mar 22)