Security Incidents mailing list archives
Re: New scanning tool?
From: Wozz <wozz+incidents () WOOKIE NET>
Date: Fri, 23 Mar 2001 22:38:07 -0700
On Fri, Mar 23, 2001 at 12:48:07PM -0500, Portnoy, Gary wrote:
Hey there, In the last two days I noticed a peculiar scan with a signature i had not encoutered before. This scan seems to be a combination SNMP/NBT scan. Strange combination, I know. Maybe somebody knows what it is. First thing is a ping sweep, and at the same time a UDP packet to port 161 to all the addresses. Now, the machines that respond to the ping, get a subsequent UDP packet to port 137. The SNMP packet is resent 2 more times every 5 seconds in the first instance I encountered. The SNMP packet is resent 6 times in the second scan with this pattern: 2 second pause, 4 second pause, 2 second pause, 4 second pause, etc. Unfortunately SNORT didn't capture anything, I wish portscan plugin could log packets to a file, so I don't know what the SNMP string was, or what was the payload in the NBT packet...
not sure of the exact tool, but it sounds like a runaway windows based snmp tool, like SNMPc or SolarWinds.
Current thread:
- New scanning tool? Portnoy, Gary (Mar 23)
- Re: New scanning tool? Wozz (Mar 23)