RE: Strange SNMP probes suddenly appearing

["David Gillett" <gillettdavid () fhda edu>]

  Some of the HP JetDirect client/drivers, especially older versions
with default configs, like to scan their world using SNMP and query
anything that will take a connection to learn if it is a printer.
We have a few of them on our campus; we *hope* that non-obvious
community names are keeping our network equipment from spending much
time or effort talking to these clients.

  The handful of "unauthorized" airports that I know about don't
seem to attract nearly as many virus-infested clients as the public
(secured) ones....

Dave Gillett


> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell () utc edu]
> Sent: November 20, 2003 19:06
> To: General DShield Discussion List; Incidents
> Subject: Strange SNMP probes suddenly appearing
>
>
> Starting yesterday afternoon, I had a local student lab 
> machine that was 
> attempting to SNMP query our core router (it's default 
> gateway), and due 
> to a misconfiguration on the access-layer switch, I couldn't shut the 
> port down, so I simply ACL'ed the address to Null.  It was sending 
> queries every 10-15 seconds (somewhat irregularly).  It was a Windows 
> machine (answered nbtscan) and nmap only revealed a NetBIOS 
> port open, 
> nothing else.  Suspecting a proxy, I scanned the PIX logs for 
> the last 
> 24 hours and there was absolutely no traffic registered to/from the 
> internet, and no active NAT xlate slot either.
>
> This morning, another machine in a different building and 
> subnet started 
> roughly the same thing.  I was able to isolate this one at the access 
> layer and shut it down, but not before scanning it -- not 
> Windows, but a 
> Macintosh, with no even remotely interesting ports.
>
> I received a call from a professor in the building, and turns 
> out he had 
> setup (unbeknownst to us) some Apple Airport access points in the 
> building, and we zapped the port the Airport was using.  He also 
> reported another Airport was down, and checking history it 
> was shutdown 
> for Nachi (so it was Windows) but he could not identify 
> either the IP or 
> Mac address of that incident.
>
> After requesting that he make his Airports a closed SSID with a 
> non-trivial password, I brought both ports back up.  Kaboom, 
> it started 
> again.  And another machine (in yet ANOTHER building) joined 
> in briefly, 
> then disappeared, and a new machine with a different IP started in.
>
> I then turned the original problem address back on (removed ACL) and 
> kaboom, it started again.  So now there were five incidents.  Three 
> known to be coming from Airport clients, one strongly 
> suspected of also 
> being an Airport client, and the last we have no clue.  We had 2 
> Windows, 2 Macintosh, and 1 unknown.
>
> I then headed off to the known Airport problem, found the associated 
> access point, hooked in a cheap hub inline and plugged in a 
> Linux laptop 
> with ethereal.  But the only capture now was irrelevant (IGMP group 
> advertisements) - the SNMP had stopped.  A watched pot never boils.
>
> Is this ringing a bell with anyone?  I'm stumped.  It isn't 
> coming from 
> the internet (we do strict ingress/egress anti-spoofing on 
> every subnet 
> and at the border router).  Doesn't seem like a virus since 
> whatever it
> is has demonstrated itself to be cross-platform.  The Airport is 
> strongly suspected (we did find one of the offending machines, and it 
> was a faculty Mac laptop not doing anything fishy when I got there).
>
> Jeff Kell
> Univ of Tennessee at Chattanooga
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------