Security Incidents mailing list archives

Re: UDP to 161


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Wed, 16 Feb 2000 09:41:45 +1300


On Thu, 10 Feb 2000 15:52:44 -0500 "CL: Nelson, Jeff"
<JNelson () CMCCONTROLS COM> wrote:

Good day,

Forgive me if this question is obvious or redundant. We have an established
pattern of attempts and denials at our company in two incidents from two
different IP addresses. Logs show this:

Jan 26 08:41:55 [Firewall_IP] %PIX-2-106006: Deny inbound UDP from
ForeignIP/1025 to OurEmailServer-Internal/161
Jan 26 08:41:56 [BorderRouter_IP] 1031822: %SEC-6-IPACCESSLOGP: list 110
permitted udp ForeignIP(1025) -> AnExternalOfOurs(161), 1 packet

Can I be sure that 161, in this instance, is still SNMP? The connection to
AnExternalOfOurs happens because it is outside our firewall. I figure
somebody is probing to find out information for future attempts.

Yes, it will be snmp.  We see scans of /24 blocks fairly regularly and
often when I have reported them I have got back apologetic replies
saying "we just got this new network management package and {it was
broken, or we misconfigured it}".  We got caught with a package called
snmp5 a year or so back which started scanning all over the net (and not
just snmp). I still wonder if our lads picked up a trojanned version.
I saved a copy of it intending to run it on an isolated network with a
logger to see exactly what was going on but it never got to the top of
my priority stack.

Another source of snmp scans is old windows systems running jet direct
software, if you have the netmask wrong it does not seem to bother
windows networking but jet direct gets strange ideas about what its
'local network' is.  I have not seen this problem for a couple of years
now so I assume something got fixed or sanity checks added.

All this said, it still could be someone with malicious intent,
particularly if individual hosts are probed rather than a systematic scan
of a whole network.

Cheers, Russell.
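As an added example (not part of Russell's or Jeff's messages), the Python below parses the two Cisco log formats quoted in the thread and applies Russell's distinction between a systematic sweep of a whole network and probes of individual hosts. The IP addresses are constructed RFC 5737 documentation addresses, and the "four or more hosts in a single /24" threshold is an assumed heuristic, not anything stated in the thread.

```python
import re
import ipaddress
from collections import defaultdict

# Regexes for the two log formats quoted in the thread:
# the PIX %PIX-2-106006 deny message and the IOS %SEC-6-IPACCESSLOGP ACL log.
PIX_RE = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from (\S+?)/(\d+) to (\S+?)/(\d+)")
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?:permitted|denied) udp "
    r"(\S+?)\((\d+)\) -> (\S+?)\((\d+)\)")

def parse_snmp_events(lines):
    """Yield (src_ip, dst_ip) for every UDP packet to port 161 in either format."""
    for line in lines:
        m = PIX_RE.search(line) or IOS_RE.search(line)
        if m and m.group(4) == "161":
            yield m.group(1), m.group(3)

def classify_sources(lines):
    """Per source IP, decide whether the SNMP traffic looks like a sweep of one
    /24 (likely a misconfigured management tool) or a probe of chosen hosts."""
    targets = defaultdict(set)
    for src, dst in parse_snmp_events(lines):
        targets[src].add(dst)
    verdicts = {}
    for src, dsts in targets.items():
        nets = {ipaddress.ip_network(d + "/24", strict=False) for d in dsts}
        # Assumed heuristic: 4+ distinct hosts, all inside one /24, reads as a sweep.
        if len(dsts) >= 4 and len(nets) == 1:
            verdicts[src] = "systematic /24 sweep"
        else:
            verdicts[src] = "targeted probe"
    return verdicts

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOGS = [
    "Jan 26 08:41:55 10.0.0.1 %PIX-2-106006: Deny inbound UDP from 203.0.113.7/1025 to 192.0.2.25/161",
    "Jan 26 08:41:56 10.0.0.2 1031822: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.7(1025) -> 198.51.100.10(161), 1 packet",
    "Jan 26 08:41:57 10.0.0.2 1031823: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.7(1025) -> 198.51.100.10(53), 1 packet",
] + [
    f"Jan 26 09:00:0{i} 10.0.0.2 103190{i}: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.250(1025) -> 198.51.100.{i}(161), 1 packet"
    for i in range(1, 5)
]

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOGS).items():
        print(f"{src}: {verdict}")
```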
