Firewall Wizards mailing list archives

Port scans to UDP 161 (SNMP)

From: Max Euston <meuston () jmrodgers com>
Date: Thu, 21 May 1998 16:30:51 -0400

Hello,
        Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
certain IP #s.  The most recent events happened 6 times over the past 5 
days (all from the same IP).  The user of that IP has a laptop w/ 
Win-95(B?) running FrontPage-98 and IE-4.01; they also have 
AOL-(something), Office-97, Outlook-98, Project-98.  Although they use DHCP 
(in a Win-95/Win-NT shop), it seems that this machine has always gotten the 
same IP#.  The user seems to have been using the machine during each scan. 
 The UDP source port seems to stay in the range 1030-1035 (for this and 
previous scans from other locations).  I don't have a dump of the incomming 
packets, just a log that they were dropped.

Any info greatly appreciated.

Thanks,

Max
---
Max Euston <meuston () jmrodgers com>

Current thread:

Port scans to UDP 161 (SNMP) Max Euston (May 21)
- Re: Port scans to UDP 161 (SNMP) M. Dodge Mumford (May 22)
- Log analysis tools Technical Incursion Countermeasures (May 22)
- Re: Port scans to UDP 161 (SNMP) Mookie (May 22)
- Re: Port scans to UDP 161 (SNMP) Michael (May 22)
- <Possible follow-ups>
- Re: Port scans to UDP 161 (SNMP) Steve Bellovin (May 22)
- Re: Port scans to UDP 161 (SNMP) H. Morrow Long (May 22)
- RE: Port scans to UDP 161 (SNMP) Max Euston (May 28)