Security Incidents mailing list archives
Re: Assistance regarding network scans
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Mon, 7 Aug 2000 16:05:00 -0600
What you are seeing is SNMP traffic (specifically SNMP 'traps'). This is the port used for receiving SNMP traps, which are usually error or notification messages sent by the SNMP agent running on the source system. It's probably a misconfigured SNMP agent. It is a bit odd that your IP addresses are completely different, but their NOC could be on a range that is very close.

Are you using an SNMP manager (CiscoWorks, HP OpenView, etc.) on this system? If so, then someone could be trying some sort of exploit or DoS. If not, are you running SNMP on these systems? Check Services on NT and /etc/rc3.d/ (on 2.7) or /etc/rc2.d (<2.7?). Someone might have picked it up and someone is playing around with SNMP.

In either case, I'd notify the registered owner of the source IP and see if they are aware of the problem. The IP could also be spoofed, but I'd talk to them anyway.

HTH,

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2002

-----Original Message-----
From: Steve Lum [mailto:steve () US-NETREALITY COM]
Sent: Monday, August 07, 2000 10:18 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Assistance regarding network scans

Hello all,

For the last couple of days, a specific host (63.194.140.131) has been scanning my IP addresses on my network. They seem to be trying to connect to port 162. The computers they are trying to connect to seem to be focused on two computers: one NT Server and a Solaris workstation. I've attached a small part of my log file to the bottom so you can see more clearly what's going on. The remote host is gw-sjo1.sc.philips.com.

Has anyone seen this sort of behavior before? And I'm not sure what is the next action to take regarding this situation.
08-06-2000 23:24:50 list 120 denied udp 63.194.140.131(691) -> 207.217.9.x(162), 1 packet
08-06-2000 23:25:51 list 120 denied udp 63.194.140.131(705) -> 207.217.9.x(162), 1 packet
08-06-2000 23:26:51 list 120 denied udp 63.194.140.131(717) -> 207.217.9.y(162), 1 packet
08-06-2000 23:27:52 list 120 denied udp 63.194.140.131(727) -> 207.217.9.x(162), 1 packet
08-06-2000 23:28:53 list 120 denied udp 63.194.140.131(739) -> 207.217.9.x(162), 1 packet
08-06-2000 23:29:54 list 120 denied udp 63.194.140.131(750) -> 207.217.9.x(162), 1 packet
08-06-2000 23:30:55 list 120 denied udp 63.194.140.131(761) -> 207.217.9.x(162), 1 packet
08-06-2000 23:31:55 list 120 denied udp 63.194.140.131(770) -> 207.217.9.x(162), 1 packet
08-06-2000 23:32:56 list 120 denied udp 63.194.140.131(786) -> 207.217.9.x(162), 1 packet
08-06-2000 23:33:57 list 120 denied udp 63.194.140.131(795) -> 207.217.9.x(162), 1 packet
08-06-2000 23:34:58 list 120 denied udp 63.194.140.131(806) -> 207.217.9.x(162), 1 packet
08-06-2000 23:35:58 list 120 denied udp 63.194.140.131(820) -> 207.217.9.x(162), 1 packet
08-06-2000 23:36:59 list 120 denied udp 63.194.140.131(834) -> 207.217.9.x(162), 1 packet
08-06-2000 23:38:00 list 120 denied udp 63.194.140.131(843) -> 207.217.9.x(162), 1 packet
08-06-2000 23:39:00 list 120 denied udp 63.194.140.131(854) -> 207.217.9.x(162), 1 packet
08-06-2000 23:40:01 list 120 denied udp 63.194.140.131(866) -> 207.217.9.x(162), 1 packet
08-06-2000 23:41:02 list 120 denied udp 63.194.140.131(880) -> 207.217.9.x(162), 1 packet
08-06-2000 23:42:03 list 120 denied udp 63.194.140.131(889) -> 207.217.9.x(162), 1 packet
08-06-2000 23:43:04 list 120 denied udp 63.194.140.131(898) -> 207.217.9.x(162), 1 packet

Any help is greatly appreciated,

steve
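The triage Mike describes (is this a trap sender pointed at a host that is not a manager, or something else?) can be done mechanically over an ACL deny log like the one in Steve's post. The script below is an added example for this archive page, not code from either poster. It parses the `list N denied proto src(port) -> dst(port), N packet` format inferred from the lines above, groups denied packets by source, protocol and destination port, and labels periodic single-packet UDP/162 sends as trap traffic. The first five log lines are copied from the post (destinations masked as in the original); the tcp/23 line and the 30-120 second periodicity window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First five lines copied from the post above (destination hosts masked as in the original);
# the final tcp line is constructed so the classifier has a non-SNMP flow to contrast.
SAMPLE_LOG = """\
08-06-2000 23:24:50 list 120 denied udp 63.194.140.131(691) -> 207.217.9.x(162), 1 packet
08-06-2000 23:25:51 list 120 denied udp 63.194.140.131(705) -> 207.217.9.x(162), 1 packet
08-06-2000 23:26:51 list 120 denied udp 63.194.140.131(717) -> 207.217.9.y(162), 1 packet
08-06-2000 23:27:52 list 120 denied udp 63.194.140.131(727) -> 207.217.9.x(162), 1 packet
08-06-2000 23:28:53 list 120 denied udp 63.194.140.131(739) -> 207.217.9.x(162), 1 packet
08-06-2000 23:30:10 list 120 denied tcp 192.0.2.7(40001) -> 207.217.9.x(23), 1 packet
"""

# Log format as inferred from the excerpt; adjust the pattern for other ACL log layouts.
LINE_RE = re.compile(
    r"(?P<date>\d\d-\d\d-\d{4}) (?P<time>\d\d:\d\d:\d\d) list (?P<acl>\d+) denied "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# UDP/161 is queried agents; UDP/162 is where a manager listens for traps and notifications.
SNMP_PORTS = {161: "snmp (agent queries)", 162: "snmp-trap (traps/notifications to a manager)"}

def parse_line(line):
    """Return a dict for one deny line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["date"] + " " + d["time"], "%m-%d-%Y %H:%M:%S"),
        "acl": int(d["acl"]), "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "count": int(d["count"]),
    }

def summarize(log_text):
    """Group denied packets by (src, proto, dport) and describe each flow's timing."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["proto"], rec["dport"])].append(rec)
    report = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        sports = [r["sport"] for r in recs]
        report[key] = {
            "packets": sum(r["count"] for r in recs),
            "targets": sorted({r["dst"] for r in recs}),
            "mean_gap_s": (sum(gaps) / len(gaps)) if gaps else None,
            # Steadily increasing ephemeral source ports point at one long-lived sender
            # process emitting successive datagrams rather than a sweep tool.
            "sport_monotonic": all(a < b for a, b in zip(sports, sports[1:])),
            "service": SNMP_PORTS.get(key[2]) if key[1] == "udp" else None,
        }
    return report

def assess(flow):
    """Triage hint for one flow summary; the 30-120 s window is an illustrative threshold."""
    if flow["service"] and flow["service"].startswith("snmp-trap"):
        if flow["mean_gap_s"] and 30 <= flow["mean_gap_s"] <= 120 and flow["sport_monotonic"]:
            return ("periodic SNMP trap sender; check whether a trap receiver listens here "
                    "and contact the source's registered owner")
        return "SNMP trap traffic; confirm no trap receiver is exposed on these hosts"
    return "not SNMP; triage separately"

if __name__ == "__main__":
    for key, flow in summarize(SAMPLE_LOG).items():
        src, proto, dport = key
        print(f"{src} {proto}/{dport}: {flow['packets']} pkt(s) to {flow['targets']}, "
              f"mean gap {flow['mean_gap_s']}s -> {assess(flow)}")
```

On the excerpt this reports the 63.194.140.131 flow as one packet roughly every 60 seconds with steadily rising source ports to two hosts on UDP/162, which matches Mike's reading (a trap sender configured with the wrong manager address) better than a port scan, and separates it from unrelated denies in the same ACL log. The output is a triage aid only; the next step is still the one Mike gives, confirming whether any of the targeted hosts actually runs SNMP and contacting the registered owner of the source.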
Current thread:
- Assistance regarding network scans Steve Lum (Aug 07)
- Re: Assistance regarding network scans Bill Pennington (Aug 08)
- <Possible follow-ups>
- Re: Assistance regarding network scans Forrester, Mike (Aug 08)