Security Incidents mailing list archives

Re: SNMP search for printers?

From: exon <exon () home se>
Date: Wed, 18 Jun 2003 17:28:46 +0200 (CEST)

Some printers allow remote telnet control (Xerox, mainly, running Solaris
8 I think), and all of those come with root password left blank.
An attacker can then install sniffers and whatnot on the printer, which
happily runs on with practically no slowdown.

Also, network connected fax machines can be used to send faxes from
remote locations, and guess who gets to pay the bill...

Check your printers/faxes manuals to see if they are susceptible.

/Andy


On Tue, 17 Jun 2003, Aaron Cheek wrote:

All,

One of my class Cs got SNMP scanned, and wanted to ask
you what the purpose of this scan you think it might
be:

80.200.243.104.1152 > mynet.161:  GetRequest(25)
..1.3.6.1.4.1.641[|snmp]

(Apparently an ADSL user at Belgium -
104.243-200-80.adsl-fix.skynet.be)

They tried different OIDs: .1.3.6.1.4.1.641 (Lexmark
International), .1.3.6.1.4.1.11.2 (Hewlett Packard),
..1.3.6.1.4.1.480 (QMS, Inc.), .1.3.6.1.2.1.43 (3Com).

All scans had src port 1152.

What I see in common here is printers. If so, what is
the purpose of massively scanning for printers?

Other people seeing this? Any ideas? Any known tool?

Aaron

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------



----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Current thread:

SNMP search for printers? Aaron Cheek (Jun 17)
- Re: SNMP search for printers? Chris Reining (Jun 18)
- Re: SNMP search for printers? exon (Jun 18)
- <Possible follow-ups>
- SNMP search for printers? christian houle (Jun 18)
  - Re: SNMP search for printers? morning_wood (Jun 18)
- RE: SNMP search for printers? Dave Killion (Jun 18)
- RE: SNMP search for printers? Johnson, Greg (Jun 19)
  - Re: SNMP search for printers? Jeff Kell (Jun 19)