Security Incidents mailing list archives

RE: SNMP Weirdness


From: "Smith, Donald " <Donald.Smith () qwest com>
Date: Thu, 23 Jan 2003 12:30:12 -0700

I think you're close. But I suspect the HP JetDirect admin
software. It can be used to query the network looking for HP JetDirect cards
that have not been configured.

Donald.Smith () qwest com GCIA
QIS/WWN Security
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:
9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC

-----Original Message-----
From: Michael Roberts [mailto:mroberts () hrmc org]
Sent: Thursday, January 23, 2003 11:17 AM
To: keithp () corp ptd net; isc () incidents org
Cc: incidents () securityfocus com
Subject: Re: SNMP Weirdness


I believe this traffic is being generated by a Hewlett Packard
JetDirect.  The ones I have used are programmed with this IP address as
the factory default and I have also seen them generate SNMP traffic as
well.

Just an educated guess, but at least it's somewhere you can start.

Michael Roberts, MCNE, MCSA, CCA
Director of Network Services
Consolidated Health Systems
Highlands Regional Medical Center


"Keith Pachulski" <keithp () corp ptd net> 01/20/03 02:10PM >>>
Has anyone seen this behavior? If so, care to share the details?

I originally saw these from an internal firewall, after setting up a
snort to grab the traffic I logged the following:

[**] weirdness ensues [**]
01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161
UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265
Len: 245
30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81  0.......public..
DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06  ..........0..0..
07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06  .+........0...+.
01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01  .......0...+....
01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01  ....0...+.......
06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01  ...0...+........
05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03  ..0...+.........
05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01  ..0...+.........
01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03  ....0...+.......
09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B  ......0...+.....
02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04  ........0...+...
01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06  ..........0...+.
01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B  ...........0...+
06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B  ............0...
2B 06 01 04 01 0B 02 04 03 0D 01 05 00           +............

I have a few internal machines sending the same queries to the same
address.

Name:   
192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net
Address:  192.0.0.192

|Keith A. Pachulski, PPS, GCIH, GCFW | IATFF Member| InfraGard Member|
|PenTeleData/Prolog Internet Services | Network Security Engineer|
|Phone: (800) 281-3564 x 2454 | Pager: 8884414569 () page metrocall com| 
|6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|
|"In God We Trust - - - All Others We Monitor"|
|--- United States Navy Intelligence|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com 
