Firewall Wizards mailing list archives

Re: Port scans to UDP 161 (SNMP)


From: "H. Morrow Long" <morrow.long () yale edu>
Date: Fri, 22 May 1998 09:06:03 -0400

I have seen this before as a result of HP JetDirect and Windows 95/NT
HP printer driver s/w on PCs going into 'subnet search' mode looking
for HP printers with JetDirect cards.

If the user is running with HPJetAdmin or HP network printer driver software
installed on the notebook PC you might want to try the fix on page:

        http://web.mit.edu/network/hpfix/

Subject: Port scans to UDP 161 (SNMP)
Date: Thu, 21 May 1998 16:30:51 -0400

Hello,
      Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
certain IP #s.  The most recent events happened 6 times over the past 5 
days (all from the same IP).  The user of that IP has a laptop w/ 
Win-95(B?) running FrontPage-98 and IE-4.01; they also have 
AOL-(something), Office-97, Outlook-98, Project-98.  Although they use DHCP 
(in a Win-95/Win-NT shop), it seems that this machine has always gotten the 
same IP#.  The user seems to have been using the machine during each scan. 
The UDP source port seems to stay in the range 1030-1035 (for this and 
previous scans from other locations).  I don't have a dump of the incoming 
packets, just a log that they were dropped.

Any info greatly appreciated.

Thanks,

Max
---
Max Euston <meuston () jmrodgers com>

H. Morrow Long
Information Security Office            (203)432-1248(VOICE)
Yale University                        (203)432-0593(FAX)
INET: http://www.yale.edu/its/security mailto:information.security () yale edu
PAGE: (203)370-3081, (800)347-2574,    mailto:1165469 () pager mcb com PIN# 1165469
PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C  4D 7C 22 56 80 BA 84 09
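
Added example (not part of the original thread): one way to summarize a firewall drop log so the pattern described above, repeated UDP/161 sweeps across 205.247.224/24 from one source with a narrow source-port range, can be read off per source. The log line format, the 192.0.2.x source addresses, the 10-minute gap and the 32-host threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical drop-log format: "<ISO time> DROP udp <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"(\S+) DROP udp (\S+):(\d+) -> (\S+):(\d+)")

def summarize_snmp_sweeps(lines, net="205.247.224.0/24",
                          gap=timedelta(minutes=10), min_hosts=32):
    """Per source: count UDP/161 sweep episodes touching >= min_hosts addresses in net."""
    network = ip_network(net)
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines in any other format
        ts, src, sport, dst, dport = m.groups()
        if int(dport) == 161 and ip_address(dst) in network:
            events[src].append((datetime.fromisoformat(ts), ip_address(dst), int(sport)))
    report = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        episodes, current = [], [evs[0]]
        for ev in evs[1:]:  # a quiet period longer than `gap` starts a new episode
            if ev[0] - current[-1][0] > gap:
                episodes.append(current)
                current = [ev]
            else:
                current.append(ev)
        episodes.append(current)
        sweeps = [ep for ep in episodes if len({d for _, d, _ in ep}) >= min_hosts]
        if sweeps:  # single polls of one device never reach min_hosts
            sports = [s for ep in sweeps for _, _, s in ep]
            report[src] = {"sweeps": len(sweeps),
                           "hosts": max(len({d for _, d, _ in ep}) for ep in sweeps),
                           "sport_range": (min(sports), max(sports))}
    return report

def constructed_log():
    """Constructed sample: one source sweeps .255 down to .0 on two days; another polls once."""
    lines = []
    for day, sport in (("1998-05-18", 1030), ("1998-05-20", 1035)):
        for i, host in enumerate(range(255, -1, -1)):
            lines.append(f"{day}T09:{i // 60:02d}:{i % 60:02d} DROP udp "
                         f"192.0.2.10:{sport} -> 205.247.224.{host}:161")
    lines.append("1998-05-19T12:00:00 DROP udp 192.0.2.20:1044 -> 205.247.224.5:161")
    return lines

if __name__ == "__main__":
    for src, info in summarize_snmp_sweeps(constructed_log()).items():
        print(src, info)
```

The summary only characterizes the traffic; confirming the cause still means checking the source machine for the HP printer software mentioned in the reply.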


