Re: SNMP attempts every 10 minutes

["Ivan ." <ivanhec () gmail com>]

you need to go to the workstation and have a poke around, using tools
like fport from foundstone

http://www.foundstone.com/us/resources/proddesc/fport.htm

you should be able to isolate what is generating the traffic from the box.

cheers
Ivan

On Jan 15, 2008 11:08 AM, k7 fantr <k7.fantr () gmail com> wrote:
> - The switch logs indicate that IP x is failing to authenticate to it
> (the switch).
> - The IP x is a Windows 2000 workstation
> - I do not know what is causing the attempt (trap or get) and I am not
> sure how I could tell the difference via the logs:
> "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host
> x.x.x.x (x.y.com)"
> - I can not find any logs indicating anything regarding snmp on the workstation
> - I can re-create the same error message if I do a snmp-walk from my workstation
>
> Ultimately I am wondering if I am out of my mind to demand that due to
> the suspicious behavior, and the inability to determine what it IS,
> this workstation should be removed from the network and investigated
> rather than left on the network until proved that it is something to
> worry about.
>
> and also if any knows of malicious code that behaves in this specific manner?
>
> I hope this adds a little clarity.. thanks for the follow ups
>
>
>
>
> On Jan 14, 2008 5:43 PM, Ivan . <ivanhec () gmail com> wrote:
> > Is it a SNMP-trap or SNMP-get request? There is a difference and your
> > email isn't clear.
> >
> > SNMP-trap is sent by a device to a SNMP server
> >
> > SNMP-get is a read request from a SNMP poller to a device
> >
> > http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm
> >
> > I assume you mean a device is polling (SNMP-get) your core switch, and
> > it does not have the correct auth string. You should be able to
> > isolate the IP of the poller and they track down the box. It could be
> > a linux box running some "snmp-walk" requests.
> >
> > cheers
> > Ivan
> >
> >
> > On 11 Jan 2008 20:33:27 -0000, <k7.fantr () gmail com> wrote:
> > > There is a machine on our network that is trying and failing to authenticate with the snmp trap on our core 
> > > switch every 10 minutes. I can not seem to isolate what is making the requests. Based on scans that I have run, 
> > > there is no know malware (nothing detected anyway). No services running appear to stop the requests after being 
> > > turned turned off, and after installing a host based firewall and reviewing the logs, as well as running 
> > > wireshark and reviewing a 2 hour capture, I can not seem to pin point anything making requests to that switch at 
> > > all. It is the only machine on the network of about 900 that is doing this.
> > >
> > >
> > > I want the machine removed so that I can investigate further, but I am getting resistance from the IT Manager and 
> > > support (no time.. not necessary..). Has anybody seen this before? Am I wrong to want this removed?
> > >
> > >
> > > Thanks in advance.