SNMP Weirdness

From: Keith Pachulski (keithp@corp.ptd.net)
Date: 01/20/03

    Date: Mon, 20 Jan 2003 14:10:15 -0500
    From: "Keith Pachulski" <keithp@corp.ptd.net>
    To: <isc@incidents.org>
    
    

    Has anyone seen this behavior? If so, care to share the details?

    I originally saw these from an internal firewall. After setting up Snort to grab the traffic, I logged the following:

    [**] weirdness ensues [**]
    01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161
    UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265
    Len: 245
    30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81 0.......public..
    DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06 ..........0..0..
    07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06 .+........0...+.
    01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01 .......0...+....
    01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01 ....0...+.......
    06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01 ...0...+........
    05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03 ..0...+.........
    05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01 ..0...+.........
    01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+.......
    09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+.....
    02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04 ........0...+...
    01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06 ..........0...+.
    01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B ...........0...+
    06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B ............0...
    2B 06 01 04 01 0B 02 04 03 0D 01 05 00 +............

    I have a few internal machines sending the same queries to the same address.

    Name: 192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net
    Address: 192.0.0.192

    |Keith A. Pachulski, PPS, GCIH, GCFW | IATFF Member| InfraGard Member|
    |PenTeleData/Prolog Internet Services | Network Security Engineer|
    |Phone: (800) 281-3564 x 2454 | Pager: 8884414569@page.metrocall.com|
    |6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|
    |"In God We Trust - - - All Others We Monitor"|
    |--- United States Navy Intelligence|

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com


