Re: Strange SNMP probes suddenly appearing

From: Tijl DULLERS (
Date: 11/25/03

    Date: Tue, 25 Nov 2003 13:24:53 +0100
    To: Jeff Kell <>

    Hi,

    I would not worry too much. It's been a while since I played with those
    Airport Basestations but I still remember that they can be configured
    solely using SNMP. So the configuration software uses SNMP gets and sets
    to read and update the config.

    I can also imagine that the Airport client software (drivers + maybe
    some config tools) are trying to do SNMP gets once in a while to
    retrieve information from their basestations?

    Hope this helps.

    Best Regards,


    Jeff Kell wrote:

    > Starting yesterday afternoon, I had a local student lab machine that
    > was attempting to SNMP query our core router (its default gateway),
    > and due to a misconfiguration on the access-layer switch, I couldn't
    > shut the port down, so I simply ACL'ed the address to Null. It was
    > sending queries every 10-15 seconds (somewhat irregularly). It was a
    > Windows machine (answered nbtscan) and nmap only revealed a NetBIOS
    > port open, nothing else. Suspecting a proxy, I scanned the PIX logs
    > for the last 24 hours and there was absolutely no traffic registered
    > to/from the internet, and no active NAT xlate slot either.
    > This morning, another machine in a different building and subnet
    > started roughly the same thing. I was able to isolate this one at the
    > access layer and shut it down, but not before scanning it -- not
    > Windows, but a Macintosh, with no even remotely interesting ports.
    > I received a call from a professor in the building, and turns out he
    > had set up (unbeknownst to us) some Apple Airport access points in the
    > building, and we zapped the port the Airport was using. He also
    > reported another Airport was down, and checking history it was
    > shut down for Nachi (so it was Windows) but he could not identify
    > either the IP or MAC address of that incident.
    > After requesting that he make his Airports a closed SSID with a
    > non-trivial password, I brought both ports back up. Kaboom, it
    > started again. And another machine (in yet ANOTHER building) joined
    > in briefly, then disappeared, and a new machine with a different IP
    > started in.
    > I then turned the original problem address back on (removed ACL) and
    > kaboom, it started again. So now there were five incidents. Three
    > known to be coming from Airport clients, one strongly suspected of
    > also being an Airport client, and the last we have no clue. We had 2
    > Windows, 2 Macintosh, and 1 unknown.
    > I then headed off to the known Airport problem, found the associated
    > access point, hooked in a cheap hub inline and plugged in a Linux
    > laptop with ethereal. But the only capture now was irrelevant (IGMP
    > group advertisements) - the SNMP had stopped. A watched pot never boils.
    > Is this ringing a bell with anyone? I'm stumped. It isn't coming
    > from the internet (we do strict ingress/egress anti-spoofing on every
    > subnet and at the border router). Doesn't seem like a virus since
    > whatever it is has demonstrated itself to be cross-platform. The
    > Airport is strongly suspected (we did find one of the offending
    > machines, and it was a faculty Mac laptop not doing anything fishy
    > when I got there).
    > Jeff Kell
    > Univ of Tennessee at Chattanooga

