Security Incidents mailing list archives
RE: SNMP worm?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 27 Oct 2005 09:07:15 -0700
Thanks to everyone who responded. Under further investigation, the sources turn out to be two machines used by a single individual employee, and one machine in an isolated lab not connected to the main network. (The latter was initially over-reported by the lab supervisor.) My initial fear that we were on the brink of an outbreak does not appear to have been realized.

The employee works in a department which operates various power, water, HVAC, etc. systems. We're checking into the possibility that they have a new/demo program to monitor that equipment. However, all such equipment lives on its own private VLAN, and any traffic relating to it ought to be pointed there. What we were seeing was traffic on our main user VLAN: unicast traffic targeting specific network infrastructure equipment (possibly part of a sweep of the whole address range), and broadcast traffic to the whole VLAN. And unfortunately we have a few legacy pieces of equipment that found this difficult to handle; some recovered on their own, some didn't(!).

Checking specifically for other SNMP traffic has uncovered a couple of interesting anomalies. Most of it is clearly workstations monitoring the status of nearby printers -- although in one case it appears that a visitor is trying to monitor a printer at their usual location, hundreds of miles away. (Since we block SNMP at our borders, this isn't actually working....) But a couple of machines seem to be regularly polling specific target addresses (one per source) in unpopulated regions of our address space. Harmless so far as I can tell, but definitely odd.

Again, thanks for the assist.

David Gillett
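The triage David describes (sorting SNMP flows on the user VLAN into printer monitoring, broadcasts, sweeps of infrastructure addresses, polls that leave the network, and polls of unpopulated address space) can be scripted over flow records. The following is an added example, not code from the original post; the address plan (10.20.0.0/16 user VLAN, which subnets are populated, which hosts are infrastructure or printers) and the sample log lines are constructed for illustration, and the sweep threshold is an arbitrary choice.

```python
"""Classify UDP/161 flow records per source host, as a defender would when
chasing the anomalies described in the post. Site layout below is hypothetical."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed site layout (not the poster's network).
USER_VLAN = ip_network("10.20.0.0/16")
INTERNAL = ip_network("10.0.0.0/8")          # anything outside this leaves the site
POPULATED = [ip_network("10.20.1.0/24"), ip_network("10.20.5.0/24")]
INFRA_HOSTS = {ip_address(a) for a in ("10.20.1.1", "10.20.1.2", "10.20.1.3")}
PRINTERS = {ip_address("10.20.5.200")}
SWEEP_THRESHOLD = 3   # distinct unicast targets from one source before we call it a sweep

# Constructed flow log: "<timestamp> <src> <dst> <dport>", one record per line.
SAMPLE_LOG = """\
2005-10-26T09:01:02 10.20.5.17 10.20.255.255 161
2005-10-26T09:01:03 10.20.5.17 10.20.1.1 161
2005-10-26T09:01:04 10.20.5.17 10.20.1.2 161
2005-10-26T09:01:05 10.20.5.17 10.20.1.3 161
2005-10-26T09:02:00 10.20.5.40 10.20.5.200 161
2005-10-26T09:02:30 10.20.5.41 192.0.2.77 161
2005-10-26T09:03:00 10.20.5.42 10.20.77.9 161
2005-10-26T09:08:00 10.20.5.42 10.20.77.9 161
2005-10-26T09:04:00 10.20.5.43 10.20.5.44 80
"""


def parse_flow(line):
    """Split one log record into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return ts, ip_address(src), ip_address(dst), int(port)


def classify(dst):
    """Label a destination the way the post sorts its SNMP traffic."""
    if dst == USER_VLAN.broadcast_address:
        return "broadcast"          # hits every host on the VLAN, legacy gear included
    if dst not in INTERNAL:
        return "off-site"           # should be dropped by the border SNMP block
    if dst in INFRA_HOSTS:
        return "infra-target"       # switches/routers being polled from a workstation
    if dst in PRINTERS:
        return "printer"            # the common, benign case
    if dst in USER_VLAN and not any(dst in net for net in POPULATED):
        return "unpopulated"        # nothing lives there; odd but harmless so far
    return "other"


def triage(log_text):
    """Return {source: {"categories": {...}, "flags": [...]}} for SNMP flows only."""
    per_src = defaultdict(lambda: {"categories": Counter(), "targets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port = parse_flow(line)
        if port != 161:
            continue                # only SNMP is of interest here
        cat = classify(dst)
        per_src[src]["categories"][cat] += 1
        if cat != "broadcast":
            per_src[src]["targets"].add(dst)

    report = {}
    for src, rec in per_src.items():
        flags = []
        if len(rec["targets"]) >= SWEEP_THRESHOLD:
            flags.append("possible sweep")
        if rec["categories"]["broadcast"]:
            flags.append("broadcast SNMP")
        if rec["categories"]["off-site"]:
            flags.append("SNMP leaving the network")
        if rec["categories"]["unpopulated"]:
            flags.append("polling unpopulated space")
        report[str(src)] = {"categories": dict(rec["categories"]), "flags": flags}
    return report


if __name__ == "__main__":
    for src, summary in triage(SAMPLE_LOG).items():
        print(src, summary["categories"], summary["flags"] or "benign")
```

On the constructed log, 10.20.5.17 is flagged as a broadcast source and a possible sweep of infrastructure addresses, 10.20.5.40 is ordinary printer monitoring, 10.20.5.41 is the visitor-style poll leaving the site, and 10.20.5.42 is the repeated poll of an unpopulated address. Real flow exports (NetFlow, firewall logs, a span-port capture) would replace SAMPLE_LOG, and the populated-subnet list is what makes the "unpopulated" check meaningful, so it needs to match the actual address plan.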
Current thread:
- RE: SNMP worm? Robert MacDonald (Oct 26)
- RE: SNMP worm? Frank Knobbe (Oct 27)
- RE: SNMP worm? David Gillett (Oct 27)
- <Possible follow-ups>
- Re: RE: SNMP worm? hein (Oct 27)