Security Incidents mailing list archives
RE: SNMP worm?
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 27 Oct 2005 03:07:01 -0500
On Wed, 2005-10-26 at 21:52 -0400, Robert MacDonald wrote:
None here (yet). Possible a contractor or vendor showing off network solution-wares? Does it appear to be polling sequentially or randomly? Is it looking through particular subnets? Is it possibly a new printer(s) that have been plugged in or gone wild?
Another possibility is a misconfigured network management station. I remember one incident in the past where a certain subnet got routinely scanned from one particular box, which was named like "netmon.noc.company.com". We notified the contact of that domain and kept an eye on it. Eventually the flood stopped, so perhaps someone noticed that a netmask was entered wrong :) What was that saying about not attributing malice to something that can be explained with stupidity? :) Cheers, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- RE: SNMP worm? Robert MacDonald (Oct 26)
- RE: SNMP worm? Frank Knobbe (Oct 27)
- RE: SNMP worm? David Gillett (Oct 27)
- <Possible follow-ups>
- Re: RE: SNMP worm? hein (Oct 27)