Security Incidents mailing list archives

Re: Assistance regarding network scans


From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Mon, 7 Aug 2000 16:05:00 -0600

What you are seeing is SNMP traffic (specifically SNMP 'traps').  This is
the port used for receiving SNMP traps which are usually error or
notification messages sent by the SNMP agent running on the source system.
It's probably a misconfigured SNMP agent.  It is a bit odd that your IP
addresses are completely different, but their NOC could be on a range that
is very close.  Are you using an SNMP manager (CiscoWorks, HP OpenView, etc.)
on this system?  If so, then someone could be trying some sort of exploit or
DoS.

If not, are you running SNMP on these systems?  Check Services on NT and
/etc/rc3.d/ (on 2.7) or /etc/rc2.d (<2.7?).  Someone might have picked it up
and someone is playing around with SNMP.

In either case, I'd notify the registered owner of the source IP and see if
they are aware of the problem.  The IP could also be spoofed, but I'd talk
to them anyway.

HTH,

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2002

-----Original Message-----
From: Steve Lum [mailto:steve () US-NETREALITY COM]
Sent: Monday, August 07, 2000 10:18 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Assistance regarding network scans


hello all,

        For the last couple of days, a specific host (63.194.140.131) has
been scanning my IP addresses on my network. They seem to be trying to
connect to port 162. The computers they are trying to connect to seem to be
focused on two computers: one NT Server and a Solaris workstation. I've
attached a small part of my log file to the bottom so you can see more
clearly what's going on. The remote host is gw-sjo1.sc.philips.com.
Has anyone seen this sort of behavior before? And I'm not sure what the
next action to take regarding this situation is.

08-06-2000      23:24:50        list 120 denied udp 63.194.140.131(691) -> 207.217.9.x(162), 1 packet
08-06-2000      23:25:51        list 120 denied udp 63.194.140.131(705) -> 207.217.9.x(162), 1 packet
08-06-2000      23:26:51        list 120 denied udp 63.194.140.131(717) -> 207.217.9.y(162), 1 packet
08-06-2000      23:27:52        list 120 denied udp 63.194.140.131(727) -> 207.217.9.x(162), 1 packet
08-06-2000      23:28:53        list 120 denied udp 63.194.140.131(739) -> 207.217.9.x(162), 1 packet
08-06-2000      23:29:54        list 120 denied udp 63.194.140.131(750) -> 207.217.9.x(162), 1 packet
08-06-2000      23:30:55        list 120 denied udp 63.194.140.131(761) -> 207.217.9.x(162), 1 packet
08-06-2000      23:31:55        list 120 denied udp 63.194.140.131(770) -> 207.217.9.x(162), 1 packet
08-06-2000      23:32:56        list 120 denied udp 63.194.140.131(786) -> 207.217.9.x(162), 1 packet
08-06-2000      23:33:57        list 120 denied udp 63.194.140.131(795) -> 207.217.9.x(162), 1 packet
08-06-2000      23:34:58        list 120 denied udp 63.194.140.131(806) -> 207.217.9.x(162), 1 packet
08-06-2000      23:35:58        list 120 denied udp 63.194.140.131(820) -> 207.217.9.x(162), 1 packet
08-06-2000      23:36:59        list 120 denied udp 63.194.140.131(834) -> 207.217.9.x(162), 1 packet
08-06-2000      23:38:00        list 120 denied udp 63.194.140.131(843) -> 207.217.9.x(162), 1 packet
08-06-2000      23:39:00        list 120 denied udp 63.194.140.131(854) -> 207.217.9.x(162), 1 packet
08-06-2000      23:40:01        list 120 denied udp 63.194.140.131(866) -> 207.217.9.x(162), 1 packet
08-06-2000      23:41:02        list 120 denied udp 63.194.140.131(880) -> 207.217.9.x(162), 1 packet
08-06-2000      23:42:03        list 120 denied udp 63.194.140.131(889) -> 207.217.9.x(162), 1 packet
08-06-2000      23:43:04        list 120 denied udp 63.194.140.131(898) -> 207.217.9.x(162), 1 packet



any help is greatly appreciated,


steve
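As an added example (not part of either message above), here is a small Python parser for the Cisco-style "list N denied" ACL lines Steve posted. It groups denied UDP datagrams to the SNMP trap port (162) by source and reports, per source, the packet count, the targets hit, the source-port range and the average spacing between packets, which is the kind of summary that makes "one agent retrying every minute" distinguishable from a broader scan. The sample lines are constructed to match the posted format, with the host octets masked as in the original.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the ACL log posted above (host octets masked 'x'/'y').
SAMPLE_LOG = """\
08-06-2000      23:24:50        list 120 denied udp 63.194.140.131(691) -> 207.217.9.x(162), 1 packet
08-06-2000      23:25:51        list 120 denied udp 63.194.140.131(705) -> 207.217.9.x(162), 1 packet
08-06-2000      23:26:51        list 120 denied udp 63.194.140.131(717) -> 207.217.9.y(162), 1 packet
08-06-2000      23:27:52        list 120 denied udp 63.194.140.131(727) -> 207.217.9.x(162), 1 packet
"""

LINE_RE = re.compile(
    r"(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+list (?P<acl>\d+) "
    r"denied (?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def parse_acl_log(text):
    """Return one dict per parseable deny line, with a datetime and int fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a deny line (or a format this parser does not know)
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["date"] + " " + d["time"], "%m-%d-%Y %H:%M:%S")
        for k in ("acl", "sport", "dport", "count"):
            d[k] = int(d[k])
        events.append(d)
    return events

def summarize_snmp_trap_sources(events, dport=162, min_hits=3):
    """Group denied UDP datagrams to the SNMP trap port by source; for each source seen
    >= min_hits times report packets, targets, source-port range and average gap (s)."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["dport"] == dport:
            by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sports = [e["sport"] for e in evs]
        report[src] = {"hits": sum(e["count"] for e in evs),
                       "targets": sorted({e["dst"] for e in evs}),
                       "sport_range": (min(sports), max(sports)),
                       "avg_gap_s": sum(gaps) / len(gaps) if gaps else None}
    return report
```

Running `summarize_snmp_trap_sources(parse_acl_log(SAMPLE_LOG))` on the sample reports a single source hitting two targets roughly once a minute with monotonically rising ephemeral source ports, consistent with one sender retrying rather than many.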

