Security Incidents mailing list archives

Re: Strange SNMP probes suddenly appearing


From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 02 Dec 2003 21:23:05 -0500

Originally, (I) Jeff Kell wrote:
Starting yesterday afternoon, I had a local student lab machine that was attempting to SNMP query our core router (its default gateway), and due to a misconfiguration on the access-layer switch, I couldn't shut the port down, so I simply ACL'ed the address to Null. It was sending queries every 10-15 seconds (somewhat irregularly). It was a Windows machine (answered nbtscan) and nmap only revealed a NetBIOS port open, nothing else. Suspecting a proxy, I scanned the PIX logs for the last 24 hours and there was absolutely no traffic registered to/from the internet, and no active NAT xlate slot either.

After finally getting an ethereal trace of traffic from the faulty address (a machine using an Apple Airport) I found the following:

The first packet is an SNMP query directed to the router, community name 'public', and attempts to read 3 MIBs:
  SNMPv2-MIB::sysName.0
  SNMPv2-MIB::sysLocation.0
  SNMPv2-MIB::sysDescr.0

Almost immediately afterward is a UDP packet from that machine to the router on port udp/192. It contains 4 bytes of text, 0x08 0x01 0x03 0x10.

This is very near a duplicate of some wireless dialogue I have found (that were exploitable), for example:

"One thing I've noticed while using the built in firewall in Mac OS X ...Airport does some strange things when you access the configuration panel ...

I see two sets of UDP port scans from the Airport to my Powerbook ... one
from port 192 (which is allocated to Karlsbridge - the software that
actually is running in the Airport) and another set of scans from the SNMP
port. If my firewall blocks the traffic, I get almost the same symptoms as
you ... everything works but you can't access the Airport to configure it.
I posted a question to Apple and never got an answer. Maybe I will try Ohio
State Univ (that's where the software came from originally)."

So, "something" is amiss here. I'm just not sure I understand it all. But we have the symptoms nailed down, we'll have to see about the cure.
Does this ring any bells with anyone that is AirPort knowledgeable?
Since these were "rogue installs" by the department, they look like they
would be great clay pigeons for skeet shooting, but perhaps they can be
more productive.

Jeff Kell
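For anyone wanting to watch for the same two-step pattern on their own network, here is an added example (not part of Jeff's post, and not Apple or Karlsbridge code) that parses the SNMPv1 GetRequest BER structure to pull out the community string and the requested OIDs, then flags any host whose 'public' read of the system group is followed within a few seconds by a UDP datagram to port 192 on the same target. The packet records, the addresses, and the sample community strings are constructed for the example; the OIDs and the 4-byte payload are the ones named in the post.

```python
"""Added example: correlate an SNMP 'public' GetRequest for the system group
OIDs with a follow-up UDP/192 datagram from the same host to the same target.
All packet records, addresses and community strings below are constructed
sample data, not a capture from the incident."""
from dataclasses import dataclass

# OIDs named in the post, in dotted form (SNMPv2-MIB system group)
SYSTEM_OIDS = {
    "1.3.6.1.2.1.1.5.0": "sysName.0",
    "1.3.6.1.2.1.1.6.0": "sysLocation.0",
    "1.3.6.1.2.1.1.1.0": "sysDescr.0",
}

@dataclass
class Packet:  # constructed flow record (hypothetical shape, not a pcap format)
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes

def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Expand BER OID bytes to dotted notation (first byte packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_snmp_get(payload):
    """Return (version, community, [oids]) for an SNMPv1/v2c GetRequest, else None."""
    try:
        tag, msg, _ = _tlv(payload, 0)
        if tag != 0x30:
            return None
        _, ver, p = _tlv(msg, 0)
        _, community, p = _tlv(msg, p)
        pdu_tag, pdu, _ = _tlv(msg, p)
        if pdu_tag != 0xA0:                # 0xA0 is the GetRequest-PDU tag
            return None
        p = 0
        for _ in range(3):                 # request-id, error-status, error-index
            _, _, p = _tlv(pdu, p)
        _, varbinds, _ = _tlv(pdu, p)
        oids, p = [], 0
        while p < len(varbinds):
            _, vb, p = _tlv(varbinds, p)
            oid_tag, oid_val, _ = _tlv(vb, 0)
            if oid_tag == 0x06:
                oids.append(_decode_oid(oid_val))
        return int.from_bytes(ver, "big"), community.decode("ascii", "replace"), oids
    except (IndexError, ValueError):
        return None

def find_suspect_hosts(packets, window=5.0):
    """Hosts that send a 'public' GetRequest for system OIDs to a target and,
    within `window` seconds, a UDP datagram to port 192 on the same target."""
    hits = []
    for a in packets:
        if a.dport != 161:
            continue
        parsed = parse_snmp_get(a.payload)
        if not parsed or parsed[1] != "public" or not any(o in SYSTEM_OIDS for o in parsed[2]):
            continue
        for b in packets:
            if (b.src, b.dst, b.dport) == (a.src, a.dst, 192) and 0 <= b.ts - a.ts <= window:
                hits.append((a.src, a.dst, [SYSTEM_OIDS.get(o, o) for o in parsed[2]], b.payload.hex()))
                break
    return hits

# --- tiny BER encoder, used only to build the constructed sample packets ---
def _enc(tag, body):
    assert len(body) < 128              # short-form length is enough for these samples
    return bytes([tag, len(body)]) + body

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def build_get_request(community, oids, request_id=1):
    """Encode an SNMPv1 GetRequest (version 0) for the given community and OIDs."""
    varbinds = b"".join(_enc(0x30, _enc(0x06, _enc_oid(o)) + b"\x05\x00") for o in oids)
    pdu = (_enc(0x02, bytes([request_id])) + _enc(0x02, b"\x00") + _enc(0x02, b"\x00")
           + _enc(0x30, varbinds))
    return _enc(0x30, _enc(0x02, b"\x00") + _enc(0x04, community.encode()) + _enc(0xA0, pdu))

SAMPLE_PACKETS = [  # constructed records; ts is seconds from start of capture
    Packet(0.0, "10.1.1.50", "10.1.1.1", 161, build_get_request(
        "public", ["1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.6.0", "1.3.6.1.2.1.1.1.0"])),
    Packet(0.2, "10.1.1.50", "10.1.1.1", 192, bytes([0x08, 0x01, 0x03, 0x10])),
    # a poller with a non-default community and no UDP/192 follow-up: not flagged
    Packet(30.0, "10.1.1.77", "10.1.1.1", 161, build_get_request("monitor-ro", ["1.3.6.1.2.1.1.1.0"])),
]

if __name__ == "__main__":
    for hit in find_suspect_hosts(SAMPLE_PACKETS):
        print("suspect:", hit)
```

Feeding it real traffic means filling `Packet` records from a capture (the UDP payload after the 8-byte UDP header); the correlation window of 5 seconds is an assumption and should be tuned to the 10-15 second query interval Jeff observed rather than taken as given.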

