Re: Strange SNMP probes suddenly appearing

From: Tijl DULLERS (Tijl.DULLERS_at_dhl.com)
Date: 11/25/03

  • Next message: David Gillett: "RE: Strange SNMP probes suddenly appearing"
    Date: Tue, 25 Nov 2003 13:24:53 +0100
    To: Jeff Kell <jeff-kell@utc.edu>
    
    
    

    Hi ,

    I would not worry too much. It's been a while since I played with those
    Airport Basestations but I still remember that they can be configured
    solely using SNMP. So the configuration software uses snmp gets and sets
    to read and update the config.

    I can also imagine that the Airport client software ( drivers + maybe
    some config tools ) are trying to do SNMP gets once in a while to
    retrieve information from their basestations ?

    Hope this helps.

    Best Regards,

    Tijl

    Jeff Kell wrote:

    > Starting yesterday afternoon, I had a local student lab machine that
    > was attempting to SNMP query our core router (it's default gateway),
    > and due to a misconfiguration on the access-layer switch, I couldn't
    > shut the port down, so I simply ACL'ed the address to Null. It was
    > sending queries every 10-15 seconds (somewhat irregularly). It was a
    > Windows machine (answered nbtscan) and nmap only revealed a NetBIOS
    > port open, nothing else. Suspecting a proxy, I scanned the PIX logs
    > for the last 24 hours and there was absolutely no traffic registered
    > to/from the internet, and no active NAT xlate slot either.
    >
    > This morning, another machine in a different building and subnet
    > started roughly the same thing. I was able to isolate this one at the
    > access layer and shut it down, but not before scanning it -- not
    > Windows, but a Macintosh, with no even remotely interesting ports.
    >
    > I received a call from a professor in the building, and turns out he
    > had setup (unbeknownst to us) some Apple Airport access points in the
    > building, and we zapped the port the Airport was using. He also
    > reported another Airport was down, and checking history it was
    > shutdown for Nachi (so it was Windows) but he could not identify
    > either the IP or Mac address of that incident.
    >
    > After requesting that he make his Airports a closed SSID with a
    > non-trivial password, I brought both ports back up. Kaboom, it
    > started again. And another machine (in yet ANOTHER building) joined
    > in briefly, then disappeared, and a new machine with a different IP
    > started in.
    >
    > I then turned the original problem address back on (removed ACL) and
    > kaboom, it started again. So now there were five incidents. Three
    > known to be coming from Airport clients, one strongly suspected of
    > also being an Airport client, and the last we have no clue. We had 2
    > Windows, 2 Macintosh, and 1 unknown.
    >
    > I then headed off to the known Airport problem, found the associated
    > access point, hooked in a cheap hub inline and plugged in a Linux
    > laptop with ethereal. But the only capture now was irrelevant (IGMP
    > group advertisements) - the SNMP had stopped. A watched pot never boils.
    >
    > Is this ringing a bell with anyone? I'm stumped. It isn't coming
    > from the internet (we do strict ingress/egress anti-spoofing on every
    > subnet and at the border router). Doesn't seem like a virus since
    > whatever it
    > is has demonstrated itself to be cross-platform. The Airport is
    > strongly suspected (we did find one of the offending machines, and it
    > was a faculty Mac laptop not doing anything fishy when I got there).
    >
    > Jeff Kell
    > Univ of Tennessee at Chattanooga
    >
    >
    > ---------------------------------------------------------------------------
    >
    > ----------------------------------------------------------------------------
    >
    >

    
    



  • Next message: David Gillett: "RE: Strange SNMP probes suddenly appearing"