Firewall Wizards mailing list archives
Re: Port scans to UDP 161 (SNMP)
From: "H. Morrow Long" <morrow.long () yale edu>
Date: Fri, 22 May 1998 09:06:03 -0400
I have seen this before as a result of HP JetDirect and Windows 95/NT HP printer driver s/w on PCs going into 'subnet search' mode looking for HP printers with JetDirect cards. If the user is running with HPJetAdmin or HP network printer driver software installed on the notebook PC you might want to try the fix on page: http://web.mit.edu/network/hpfix/
Subject: Port scans to UDP 161 (SNMP)
Date: Thu, 21 May 1998 16:30:51 -0400

Hello,

Has anyone seen this before? I have been getting UDP (161/SNMP) port scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from certain IP #s. The most recent events happened 6 times over the past 5 days (all from the same IP).

The user of that IP has a laptop w/ Win-95(B?) running FrontPage-98 and IE-4.01; they also have AOL-(something), Office-97, Outlook-98, Project-98. Although they use DHCP (in a Win-95/Win-NT shop), it seems that this machine has always gotten the same IP#. The user seems to have been using the machine during each scan.

The UDP source port seems to stay in the range 1030-1035 (for this and previous scans from other locations). I don't have a dump of the incoming packets, just a log that they were dropped.

Any info greatly appreciated.

Thanks, Max
---
Max Euston <meuston () jmrodgers com>
H. Morrow Long
Information Security Office (203)432-1248(VOICE)
Yale University (203)432-0593(FAX)
INET: http://www.yale.edu/its/security mailto:information.security () yale edu
PAGE: (203)370-3081, (800)347-2574, mailto:1165469 () pager mcb com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C 4D 7C 22 56 80 BA 84 09
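One way to check dropped-packet logs for the pattern described in this exchange (a single source walking UDP/161 down the /24 from .255 with source ports 1030-1035), as an added example that is not part of the original posts. The log line format, the source addresses and the `min_hosts` threshold are assumptions, since the thread includes no log lines.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed log format: "<timestamp> fw drop <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"drop (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+)"
                  r" -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def constructed_log():
    """Constructed sample: one source walks the /24 down from .255, plus noise."""
    lines = [f"May 21 16:02:{i:02d} fw drop udp 192.0.2.77:{1030 + i % 6}"
             f" -> 205.247.224.{255 - i}:161" for i in range(40)]
    lines.append("May 21 16:05:00 fw drop udp 198.51.100.9:53211 -> 205.247.224.10:161")
    lines.append("May 21 16:06:00 fw drop tcp 192.0.2.77:1040 -> 205.247.224.10:80")
    return lines

def snmp_sweeps(lines, net="205.247.224.0/24", min_hosts=16):
    """Summarise sources that probed UDP/161 on at least min_hosts addresses in net."""
    net = ip_network(net)
    seen = defaultdict(lambda: {"dsts": [], "sports": set()})
    for line in lines:
        m = LINE.search(line)
        if not m or m["proto"] != "udp" or m["dport"] != "161":
            continue
        dst = ip_address(m["dst"])
        if dst not in net:
            continue
        seen[m["src"]]["dsts"].append(int(dst) - int(net.network_address))
        seen[m["src"]]["sports"].add(int(m["sport"]))
    report = {}
    for src, rec in seen.items():
        if len(set(rec["dsts"])) < min_hosts:
            continue  # a single stray SNMP query is not a sweep
        steps = list(zip(rec["dsts"], rec["dsts"][1:]))
        down = sum(b < a for a, b in steps) / max(len(steps), 1)
        report[src] = {
            "hosts": len(set(rec["dsts"])),
            "first_host": rec["dsts"][0],   # .255 first suggests a broadcast-led search
            "last_host": rec["dsts"][-1],
            "descending_ratio": round(down, 2),
            "sport_range": (min(rec["sports"]), max(rec["sports"])),
        }
    return report

if __name__ == "__main__":
    for src, info in snmp_sweeps(constructed_log()).items():
        print(src, info)
```

A narrow band of low source ports together with a steady descending walk that starts at the broadcast address is consistent with one client program searching the subnet, which is the printer-driver "subnet search" behaviour suggested in the reply.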