Re: Strange SNMP probes suddenly appearing

["Tijl DULLERS" <Tijl.DULLERS () dhl com>]

Hi ,

I would not worry too much. It's been a while since I played with those 
Airport Basestations but I still remember that they can be configured 
solely using SNMP. So the configuration software uses snmp gets and sets 
to read and update the config.

I can also imagine that the Airport client software ( drivers + maybe 
some config tools ) are trying to do SNMP gets once in a while to 
retrieve information from their basestations ?

Hope this helps.

Best Regards,

Tijl


Jeff Kell wrote:

> Starting yesterday afternoon, I had a local student lab machine that 
> was attempting to SNMP query our core router (it's default gateway), 
> and due to a misconfiguration on the access-layer switch, I couldn't 
> shut the port down, so I simply ACL'ed the address to Null.  It was 
> sending queries every 10-15 seconds (somewhat irregularly).  It was a 
> Windows machine (answered nbtscan) and nmap only revealed a NetBIOS 
> port open, nothing else.  Suspecting a proxy, I scanned the PIX logs 
> for the last 24 hours and there was absolutely no traffic registered 
> to/from the internet, and no active NAT xlate slot either.
>
> This morning, another machine in a different building and subnet 
> started roughly the same thing.  I was able to isolate this one at the 
> access layer and shut it down, but not before scanning it -- not 
> Windows, but a Macintosh, with no even remotely interesting ports.
>
> I received a call from a professor in the building, and turns out he 
> had setup (unbeknownst to us) some Apple Airport access points in the 
> building, and we zapped the port the Airport was using.  He also 
> reported another Airport was down, and checking history it was 
> shutdown for Nachi (so it was Windows) but he could not identify 
> either the IP or Mac address of that incident.
>
> After requesting that he make his Airports a closed SSID with a 
> non-trivial password, I brought both ports back up.  Kaboom, it 
> started again.  And another machine (in yet ANOTHER building) joined 
> in briefly, then disappeared, and a new machine with a different IP 
> started in.
>
> I then turned the original problem address back on (removed ACL) and 
> kaboom, it started again.  So now there were five incidents.  Three 
> known to be coming from Airport clients, one strongly suspected of 
> also being an Airport client, and the last we have no clue.  We had 2 
> Windows, 2 Macintosh, and 1 unknown.
>
> I then headed off to the known Airport problem, found the associated 
> access point, hooked in a cheap hub inline and plugged in a Linux 
> laptop with ethereal.  But the only capture now was irrelevant (IGMP 
> group advertisements) - the SNMP had stopped.  A watched pot never boils.
>
> Is this ringing a bell with anyone?  I'm stumped.  It isn't coming 
> from the internet (we do strict ingress/egress anti-spoofing on every 
> subnet and at the border router).  Doesn't seem like a virus since 
> whatever it
> is has demonstrated itself to be cross-platform.  The Airport is 
> strongly suspected (we did find one of the offending machines, and it 
> was a faculty Mac laptop not doing anything fishy when I got there).
>
> Jeff Kell
> Univ of Tennessee at Chattanooga
>
>
> --------------------------------------------------------------------------- 
>
> ----------------------------------------------------------------------------

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature