RE: SNMP Weirdness

From: James C Slora Jr (Jim.Slora@phra.com)
Date: 01/23/03

    From: "James C Slora Jr" <Jim.Slora@phra.com>
    To: "'Keith Pachulski'" <keithp@corp.ptd.net>
    Date: Thu, 23 Jan 2003 15:00:26 -0500

    Keith Pachulski wrote Monday, January 20, 2003 14:10

    > Has anyone seen this behavior, if so care to share the details

    This won't be much help, but here is what I have. I've seen one similar
    ASN.1 alert in the past few days. The probe hit just one host out of a Class
    C - it did not use a broadcast address like yours did. The probe was against
    a mail server.

    01/18/03-18:18:19.542110 217.207.57.98:27194 -> justonehost:161
    UDP TTL:108 TOS:0x0 ID:23131 IpLen:20 DgmLen:265
    Len: 245
    (Payload snipped - it was identical to yours)

    Trigger for the alert - dgmlen 265 is greater than the packet length 245.

    IP Address: 217.207.57.98
    HostName: mail.city-cab.org.uk
    descr: City Of London Citizens Advice Bureau

    That host generated similar probes to more than a thousand other systems
    that day, so I suspect it was a compromised host being used to attack
    others.

    Nothing followed this single probe, so I have no further details about it.

    > I originally saw these from an internal firewall. After
    > setting up a snort to grab the traffic I logged the following:
    >
    > [**] weirdness ensues [**]
    > 01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161
    > UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265
    > Len: 245
    > 30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81 0.......public..
    > DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06 ..........0..0..
    > 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06 .+........0...+.
    > 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01 .......0...+....
    > 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01 ....0...+.......
    > 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01 ...0...+........
    > 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03 ..0...+.........
    > 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01 ..0...+.........
    > 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+.......
    > 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+.....
    > 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04 ........0...+...
    > 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06 ..........0...+.
    > 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B ...........0...+
    > 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B ............0...
    > 2B 06 01 04 01 0B 02 04 03 0D 01 05 00 +............
    >
    > I have a few internal machines sending the same queries to
    > the same address.
    >
    > Name:
    > 192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net
    > Address: 192.0.0.192

    Broadcast for print services would be an easy way for a worm to find
    vulnerable hosts, since so many unpatched print servers have SNMP
    vulnerabilities.

    One explanation could be a print services discovery tool, but I think this
    is hostile and crafted traffic because the dgmlen 265 is greater than the
    packet length 245.

    The PROTOS test suite makes use of this type of broadcast address to quickly
    sweep a network. Since the packets are UDP, it would not be hard to spoof
    multiple source addresses to mask the true attack source.
    http://www.cert.org/advisories/CA-2002-03.html
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise110

    I guess the key here is the responses that are being sent back to the
    originating addresses, and the followup traffic.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
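To see what the quoted probe actually asks a target for, the payload from the Snort dump above can be walked as plain BER. The following is an added example written for this archive page, not code from either poster: it transcribes the hex bytes exactly as quoted, parses the SNMPv1 message (version, community, PDU type, request-id) and decodes every varbind OID. The names for the standard OIDs come from MIB-II and the Host Resources MIB; the remaining OIDs sit under the private enterprise arc 1.3.6.1.4.1.11, which is HP's, and are left unnamed here. The length helper at the end assumes that Snort's `Len:` field is the UDP length field minus the 8-byte UDP header (the payload size the UDP header claims), so that the reported 245 can be compared with what the IP header actually carried.

```python
# Added example: decode the SNMP probe payload quoted in the thread.
# Bytes transcribed from the Snort hex dump in the message (237 bytes).
PROBE_HEX = """
30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81
DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06
07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06
01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01
01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01
06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01
05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03
05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01
01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03
09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B
02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04
01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06
01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B
06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B
2B 06 01 04 01 0B 02 04 03 0D 01 05 00
"""
PROBE = bytes.fromhex(PROBE_HEX)

# SNMPv1 PDU tags (context-specific, constructed).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Standard names (MIB-II, Host Resources MIB) for the well-known OIDs in the probe.
# The 1.3.6.1.4.1.11.* OIDs are under HP's private enterprise arc and are not named here.
KNOWN_OIDS = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.2.2.1.6": "ifPhysAddress",
    "1.3.6.1.2.1.4.20.1.1": "ipAdEntAddr",
    "1.3.6.1.2.1.25.3.2.1.3": "hrDeviceDescr",
}


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER TLV at buf[pos]; return (tag, value, offset after it).
    Handles short-form lengths and the long form (0x81 nn, 0x82 nn nn) SNMP uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):               # a truncated or lying length field
        raise ValueError(f"TLV at offset {pos} overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER value into dotted notation (0x2B -> 1.3)."""
    arcs = [value[0] // 40, value[0] % 40]
    sub = 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)         # base-128, high bit set = continuation
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))


def parse_snmpv1(payload: bytes) -> dict:
    """Parse an SNMPv1 message down to its varbind OIDs."""
    tag, msg, end = read_tlv(payload, 0)
    if tag != 0x30 or end != len(payload):
        raise ValueError("payload is not a single SNMP SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)            # INTEGER version (0 = SNMPv1)
    _, community, pos = read_tlv(msg, pos)    # OCTET STRING community
    pdu_tag, pdu, _ = read_tlv(msg, pos)      # the PDU itself
    _, req_id, p = read_tlv(pdu, 0)
    _, _err_status, p = read_tlv(pdu, p)
    _, _err_index, p = read_tlv(pdu, p)
    _, vblist, _ = read_tlv(pdu, p)           # SEQUENCE OF VarBind
    oids, p = [], 0
    while p < len(vblist):
        _, vb, p = read_tlv(vblist, p)        # VarBind ::= SEQUENCE { name, value }
        _, oid_bytes, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_bytes))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}


def udp_length_mismatch(dgmlen: int, iplen: int, snort_len: int) -> int:
    """Bytes by which the UDP header's claimed payload exceeds what IP carried.
    Assumes Snort's 'Len:' is the UDP length field minus the 8-byte UDP header."""
    return snort_len - (dgmlen - iplen - 8)


if __name__ == "__main__":
    m = parse_snmpv1(PROBE)
    print(f"SNMPv{m['version'] + 1} {m['pdu']} community={m['community']!r} "
          f"request-id={m['request_id']}, {len(m['oids'])} varbinds")
    for oid in m["oids"]:
        print(f"  {oid:28} {KNOWN_OIDS.get(oid, '(HP enterprise arc)')}")
    print(f"actual payload: {len(PROBE)} bytes; "
          f"UDP header over-claims by {udp_length_mismatch(265, 20, 245)} bytes")
```

Run stand-alone, the script shows a GetNextRequest with community `public` and request-id 0 walking sysDescr, sysUpTime, sysName, ifPhysAddress, ipAdEntAddr, hrDeviceDescr and seven HP enterprise objects, which is the shape of a printer inventory sweep. The decoded payload is 237 bytes, which is exactly what IP DgmLen 265 leaves after a 20-byte IP header and an 8-byte UDP header; under the stated assumption about Snort's `Len:` field, the UDP header claims 8 bytes more than were delivered, and that header inconsistency rather than the SNMP content is what a length-checking preprocessor would flag.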