Security Incidents mailing list archives

Re: possible slooow SNMP scan


From: Patrick Oonk <patrick () pine nl>
Date: Fri, 15 Feb 2002 10:34:53 +0100

On Thu, Feb 14, 2002 at 04:48:35PM -0600, Rich Puhek wrote:
> Given the recent discussion on SNMP vulnerabilities, I decided to look
> at my router logs this afternoon. I only found three drops on
> connections to port 161 in today's logs, and I found four in
> yesterday's. I did see an interesting correlation though. Sanitized logs
> follow:
> 
> $ grep "list 100" /var/log/routers.log
> Feb 14 14:35:44 <MYROUTER> 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_ONE>.54(161), 1 packet
> Feb 14 15:25:22 <MYROUTER> 72820: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_TWO>.54(161), 1 packet
> Feb 14 15:29:27 <MYROUTER> 72843: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_THREE>.54(161), 1 packet
> $ grep "list 100" /var/log/routers.log.0
> Feb 13 07:18:17 <MYROUTER> 59882: 5d17h: %SEC-6-IPACCESSLOGP: list 100 denied udp OTHER_SOURCE(2955) -> <MY_NET_THREE>.208(161), 1 packet
> Feb 14 05:43:24 <MYROUTER> 68696: 6d15h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_ONE>.53(161), 1 packet
> Feb 14 06:30:19 <MYROUTER> 68984: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_TWO>.53(161), 1 packet
> Feb 14 06:34:04 <MYROUTER> 69004: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp <SOURCE>(2101) -> <MY_NET_THREE>.53(161), 1 packet
> 
> (times are local, UTC-6)
> 
> The <SOURCE> IP was the same in each case (somewhere out in Finland,
> according to RIPE). The "MY_NET_ONE" is one of my networks, the
> "MY_NET_TWO" is another one of my networks, and the "MY_NET_THREE" is a
> third. A couple of observations of the networks involved:
> 
> 1) The three networks were scanned in order (lowest number 1st).
> 2) I have additional netblocks that sit between "MY_NET_ONE" and
> "MY_NET_TWO" that did not get connections attempted.
> 3) MY_NET_THREE is actually a /22. I don't know if the scanner realized
> that it was not a class C, but they did not scan each /24 in the net.
> 4) I don't have any hosts (running SNMP or otherwise) on .53 or .54 on
> any of the networks.
> 5) MY_NET_TWO and MY_NET_THREE are on the same /8, but MY_NET_ONE is on
> a different /8 altogether.
> 
> Has anyone seen anything similar?

09:24:26.875060 ncc.fullcarecenter.com.2101 > 213.x.x.x.snmp: GetNextRequest(37)  system.sysDescr system.sysUpTime[|snmp]

(repeated many many times for many hosts in our network)

I already contacted them by email (and their upstream). When I got no
response I tried to call them, but the security officer could not be
reached by phone. In the meantime I suggest nullrouting their subnet.

        Patrick

-- 
 patrick oonk - pine internet - patrick () pine nl - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPID 155C3934  fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934  
 Excuse of the day: Groundskeepers stole the root password
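An added example, not code from either poster: a small Python script that parses Cisco IOS ACL deny records of the %SEC-6-IPACCESSLOGP form quoted above and groups denied udp/161 hits by source address, so that a source which touches several distinct /24s hours apart (one packet each, same source port, same host offset in every network) stands out even though no per-host rate threshold would ever fire on it. The sample log lines, the router name rtr1, the RFC 5737 addresses, the year 2002 and the three-network threshold are all constructed assumptions for the example.

```python
"""Spot a slow SNMP sweep in Cisco IOS ACL deny logs (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# One %SEC-6-IPACCESSLOGP record per line, in the shape quoted in the thread:
#   <syslog ts> <router> <seq>: <uptime>: %SEC-6-IPACCESSLOGP: list <acl> denied <proto>
#   <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_LOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \d+: \S+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed sample (RFC 5737 addresses, router name "rtr1") mirroring the pattern in the
# quoted mail: one source, one source port, hosts .53 and then .54 on three different /24s,
# hours apart, plus two unrelated denies the detector must ignore.
SAMPLE_LOG = """\
Feb 13 07:18:17 rtr1 59882: 5d17h: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.77(2955) -> 198.51.100.208(161), 1 packet
Feb 14 05:43:24 rtr1 68696: 6d15h: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(2101) -> 198.51.100.53(161), 1 packet
Feb 14 06:30:19 rtr1 68984: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(2101) -> 198.51.101.53(161), 1 packet
Feb 14 06:34:04 rtr1 69004: 6d16h: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(2101) -> 198.51.102.53(161), 1 packet
Feb 14 14:35:44 rtr1 72458: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(2101) -> 198.51.100.54(161), 1 packet
Feb 14 15:25:22 rtr1 72820: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(2101) -> 198.51.101.54(161), 1 packet
Feb 14 15:29:27 rtr1 72843: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.10(2101) -> 198.51.102.54(161), 1 packet
Feb 14 15:30:00 rtr1 72850: 1w0d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(44123) -> 198.51.100.5(23), 1 packet
"""


def parse_acl_log(lines, year=2002):
    """Parse matching records into dicts. IOS syslog stamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = ACL_LOG.match(line.strip())
        if not m:
            continue  # not an ACL record, or a line a mail client wrapped in two
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"]),
        })
    return events


def find_slow_scans(events, proto="udp", dport=161, prefix=24, min_networks=3):
    """Return {src: summary} for sources whose denied proto/dport hits reach >= min_networks distinct /prefix nets.

    Counting distinct destination networks per source over the whole log is what makes a
    one-packet-per-hour sweep visible; a per-host rate threshold never fires on it.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "denied" and e["proto"] == proto and e["dport"] == dport:
            by_src[e["src"]].append(e)

    findings = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda e: e["ts"])
        order = []  # destination networks in order of first hit
        for e in hits:
            net = ip_network(f"{e['dst']}/{prefix}", strict=False)
            if net not in order:
                order.append(net)
        if len(order) < min_networks:
            continue
        findings[src] = {
            "hits": len(hits),
            "span_seconds": int((hits[-1]["ts"] - hits[0]["ts"]).total_seconds()),
            "networks": [str(n) for n in order],
            "ascending": order == sorted(order),            # networks walked lowest first?
            "sports": sorted({e["sport"] for e in hits}),   # one value suggests one long-lived socket
            "last_octets": sorted({int(e["dst"].rsplit(".", 1)[1]) for e in hits}),  # same host offset per net
        }
    return findings


if __name__ == "__main__":
    for src, info in find_slow_scans(parse_acl_log(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

On the constructed sample this reports only 192.0.2.10: six denied udp/161 packets spread over about ten hours, three /24s hit in ascending order, source port 2101 throughout, destination hosts .53 and .54 in every network. The single udp/161 deny from 203.0.113.77 and the tcp/23 deny are left alone. Because lines wrapped by a mail client fail the regex, feed the script raw syslog rather than a quoted copy; and if the log crosses a year boundary, split it before parsing, since the records carry no year.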

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
