Security Incidents mailing list archives
Re: UDP to 161
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Wed, 16 Feb 2000 09:41:45 +1300
On Thu, 10 Feb 2000 15:52:44 -0500 "CL: Nelson, Jeff" <JNelson () CMCCONTROLS COM> wrote:
Good day,

Forgive me if this question is obvious or redundant. We have an established pattern of attempts and denials at our company in two incidents from two different IP addresses. Logs show this:

Jan 26 08:41:55 [Firewall_IP] %PIX-2-106006: Deny inbound UDP from ForeignIP/1025 to OurEmailServer-Internal/161
Jan 26 08:41:56 [BorderRouter_IP] 1031822: %SEC-6-IPACCESSLOGP: list 110 permitted udp ForeignIP(1025) -> AnExternalOfOurs(161), 1 packet

Can I be sure that 161, in this instance, is still SNMP? The connection to AnExternalOfOurs happens because it is outside our firewall. I figure somebody is probing to find out information for future attempts.
Yes, it will be snmp. We see scans of /24 blocks fairly regularly, and often when I have reported them I have got back apologetic replies saying "we just got this new network management package and {it was broken, or we misconfigured it}".

We got caught with a package called snmp5 a year or so back which started scanning all over the net (and not just snmp). I still wonder if our lads picked up a trojanned version. I saved a copy of it intending to run it on an isolated network with a logger to see exactly what was going on, but it never got to the top of my priority stack.

Another source of snmp scans is old windows systems running jet direct software; if you have the netmask wrong it does not seem to bother windows networking, but jet direct gets strange ideas about what its 'local network' is. I have not seen this problem for a couple of years now, so I assume something got fixed or sanity checks added.

All this said, it still could be someone with malicious intent, particularly if individual hosts are probed rather than a systematic scan of a whole network.

Cheers, Russell.
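Russell's closing distinction, a systematic /24 sweep (usually a misconfigured management package) versus probes aimed at individual hosts, can be applied mechanically to the two log formats Jeff quoted. The script below is an added example written for this archive page, not code from either poster. It parses PIX 106006 deny lines and IOS IPACCESSLOGP lines, keeps only UDP traffic to 161/162, and groups probes by source address. The sample log lines are constructed (documentation address ranges), the regexes are modelled only on the two message shapes shown in the thread and may not cover every PIX/IOS variant, and the "sweep" rule (eight or more distinct hosts in one /24 from a single source) is an assumed threshold, not a standard.

```python
"""Classify UDP/161 (SNMP) probes from Cisco PIX and IOS ACL log lines.

Added example for the thread above; not code from the original posts.
Formats follow the two lines quoted in the thread (%PIX-2-106006 and
%SEC-6-IPACCESSLOGP). All sample lines are constructed, and the
sweep-vs-targeted heuristic (/24 grouping, threshold of 8) is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

# PIX: "%PIX-2-106006: Deny inbound UDP from 192.0.2.77/1025 to 10.0.0.25/161"
PIX_RE = re.compile(
    r"%PIX-\d-106006: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\w.\-]+)/(?P<sport>\d+) to (?P<dst>[\w.\-]+)/(?P<dport>\d+)"
)
# IOS: "%SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.5(1025) -> 198.51.100.3(161), 1 packet"
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.\-]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.\-]+)\((?P<dport>\d+)\)"
)

SNMP_PORTS = {161, 162}  # SNMP queries and traps


def parse_line(line):
    """Return (src, dst, proto, dport, action) or None for lines in neither format."""
    m = PIX_RE.search(line)
    if m:
        return m["src"], m["dst"], m["proto"].lower(), int(m["dport"]), "denied"
    m = IOS_RE.search(line)
    if m:
        return m["src"], m["dst"], m["proto"].lower(), int(m["dport"]), m["action"]
    return None


def snmp_events(lines):
    """Keep only parsed events that are UDP to an SNMP port."""
    return [ev for ev in map(parse_line, lines)
            if ev and ev[2] == "udp" and ev[3] in SNMP_PORTS]


def classify_sources(events, sweep_threshold=8):
    """Per source: 'sweep' if it touched >= sweep_threshold hosts in one /24,
    otherwise 'targeted' (a handful of specific hosts, the case worth a closer look)."""
    per_src = defaultdict(set)
    for src, dst, *_ in events:
        per_src[src].add(dst)
    result = {}
    for src, dsts in per_src.items():
        nets = defaultdict(int)
        for d in dsts:
            try:
                net = str(ipaddress.ip_network(f"{d}/24", strict=False))
            except ValueError:
                net = "unknown"  # destination logged as a hostname, not an address
            nets[net] += 1
        kind = "sweep" if max(nets.values()) >= sweep_threshold else "targeted"
        result[src] = {"kind": kind, "hosts": len(dsts), "nets": dict(nets)}
    return result


# Constructed sample: one source hits a single internal host (denied at the PIX),
# another walks ten addresses of an external /24 (permitted by the router ACL),
# plus one non-SNMP line that must be ignored.
SAMPLE_LOGS = [
    "Jan 26 08:41:55 [Firewall_IP] %PIX-2-106006: Deny inbound UDP "
    "from 192.0.2.77/1025 to 10.0.0.25/161",
] + [
    f"Jan 26 08:42:{i:02d} [BorderRouter_IP] 1031822: %SEC-6-IPACCESSLOGP: list 110 "
    f"permitted udp 203.0.113.5(1025) -> 198.51.100.{i}(161), 1 packet"
    for i in range(1, 11)
] + [
    "Jan 26 08:43:00 [BorderRouter_IP] 1031823: %SEC-6-IPACCESSLOGP: list 110 "
    "permitted tcp 203.0.113.5(40000) -> 198.51.100.1(22), 1 packet",
]


if __name__ == "__main__":
    for src, info in classify_sources(snmp_events(SAMPLE_LOGS)).items():
        print(f"{src}: {info['kind']} ({info['hosts']} hosts) {info['nets']}")
```

On the constructed sample, 203.0.113.5 is reported as a sweep of 198.51.100.0/24 and 192.0.2.77 as a targeted probe of one host; the TCP/22 line is dropped by the port filter. In practice the threshold should be tuned to how much of your address space is visible to the logging device, since a PIX that only logs denials for a few published hosts will never show a full /24 walk.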