RE: Strange SNMP probes suddenly appearing
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 11/21/03
- Previous message: Tijl DULLERS: "Re: Strange SNMP probes suddenly appearing"
- In reply to: Jeff Kell: "Strange SNMP probes suddenly appearing"
- Next in thread: Russell Fulton: "Re: [Dshield] RE: Strange SNMP probes suddenly appearing"
- Reply: Russell Fulton: "Re: [Dshield] RE: Strange SNMP probes suddenly appearing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Jeff Kell'" <jeff-kell@utc.edu>, "'General DShield Discussion List'" <list@dshield.org>, "'Incidents'" <incidents@securityfocus.com>
Date: Fri, 21 Nov 2003 08:56:56 -0800
Some of the HP JetDirect client/drivers, especially older versions
with default configs, like to scan their world using SNMP and query
anything that will take a connection to learn if it is a printer.
We have a few of them on our campus; we *hope* that non-obvious
community names are keeping our network equipment from spending much
time or effort talking to these clients.
The handful of "unauthorized" airports that I know about don't
seem to attract nearly as many virus-infested clients as the public
(secured) ones....
Dave Gillett
> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell@utc.edu]
> Sent: November 20, 2003 19:06
> To: General DShield Discussion List; Incidents
> Subject: Strange SNMP probes suddenly appearing
>
>
> Starting yesterday afternoon, I had a local student lab machine that was
> attempting to SNMP query our core router (its default gateway), and due
> to a misconfiguration on the access-layer switch, I couldn't shut the
> port down, so I simply ACL'ed the address to Null. It was sending
> queries every 10-15 seconds (somewhat irregularly). It was a Windows
> machine (answered nbtscan) and nmap only revealed a NetBIOS port open,
> nothing else. Suspecting a proxy, I scanned the PIX logs for the last
> 24 hours and there was absolutely no traffic registered to/from the
> internet, and no active NAT xlate slot either.
>
> This morning, another machine in a different building and subnet started
> roughly the same thing. I was able to isolate this one at the access
> layer and shut it down, but not before scanning it -- not Windows, but a
> Macintosh, with no even remotely interesting ports.
>
> I received a call from a professor in the building, and it turns out he had
> set up (unbeknownst to us) some Apple Airport access points in the
> building, and we zapped the port the Airport was using. He also
> reported another Airport was down, and checking history it was shut down
> for Nachi (so it was Windows) but he could not identify either the IP or
> MAC address of that incident.
>
> After requesting that he make his Airports a closed SSID with a
> non-trivial password, I brought both ports back up. Kaboom, it started
> again. And another machine (in yet ANOTHER building) joined in briefly,
> then disappeared, and a new machine with a different IP started in.
>
> I then turned the original problem address back on (removed ACL) and
> kaboom, it started again. So now there were five incidents. Three
> known to be coming from Airport clients, one strongly suspected of also
> being an Airport client, and the last we have no clue. We had 2
> Windows, 2 Macintosh, and 1 unknown.
>
> I then headed off to the known Airport problem, found the associated
> access point, hooked in a cheap hub inline and plugged in a Linux laptop
> with ethereal. But the only capture now was irrelevant (IGMP group
> advertisements) - the SNMP had stopped. A watched pot never boils.
>
> Is this ringing a bell with anyone? I'm stumped. It isn't coming from
> the internet (we do strict ingress/egress anti-spoofing on every subnet
> and at the border router). Doesn't seem like a virus since whatever it
> is has demonstrated itself to be cross-platform. The Airport is
> strongly suspected (we did find one of the offending machines, and it
> was a faculty Mac laptop not doing anything fishy when I got there).
>
> Jeff Kell
> Univ of Tennessee at Chattanooga
>
>
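The pattern Jeff describes (internal hosts polling the gateway on UDP/161 every 10-15 seconds) is easy to pull out of router ACL logs once the address has been ACL'ed with logging. The script below is an added example, not code from either poster; the Cisco-IOS-style log lines, the gateway address 10.0.0.1 and the host addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in a Cisco-IOS-like ACL log format (not real
# logs from the thread). 10.0.0.1 is the hypothetical core router/gateway;
# 10.0.0.9 stands in for the legitimate monitoring station.
SAMPLE_LOG = """\
Nov 20 18:55:02 core %SEC-6-IPACCESSLOGP: list SNMP-IN denied udp 10.20.5.44(2049) -> 10.0.0.1(161), 1 packet
Nov 20 18:55:14 core %SEC-6-IPACCESSLOGP: list SNMP-IN denied udp 10.20.5.44(2049) -> 10.0.0.1(161), 1 packet
Nov 20 18:55:27 core %SEC-6-IPACCESSLOGP: list SNMP-IN denied udp 10.20.5.44(2049) -> 10.0.0.1(161), 1 packet
Nov 20 18:55:39 core %SEC-6-IPACCESSLOGP: list SNMP-IN denied udp 10.20.5.44(2049) -> 10.0.0.1(161), 1 packet
Nov 20 18:56:10 core %SEC-6-IPACCESSLOGP: list SNMP-IN permitted udp 10.0.0.9(1161) -> 10.0.0.1(161), 1 packet
Nov 20 18:57:00 core %SEC-6-IPACCESSLOGP: list SNMP-IN denied udp 10.30.7.12(3000) -> 10.0.0.1(161), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?udp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

def parse_snmp_events(text, year=2003):
    """Return {source_ip: [timestamp, ...]} for every UDP/161 packet, in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "161":
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append(ts)
    return events

def find_periodic_probers(events, known_pollers=(), min_hits=3, lo=5.0, hi=30.0):
    """Sources (other than the known NMS hosts) that polled at least min_hits
    times with a median inter-query gap between lo and hi seconds."""
    hits = {}
    for src, times in events.items():
        if src in known_pollers or len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if lo <= med <= hi:
            hits[src] = med  # median gap in seconds
    return hits

if __name__ == "__main__":
    for src, gap in find_periodic_probers(parse_snmp_events(SAMPLE_LOG), {"10.0.0.9"}).items():
        print(f"{src}: SNMP polls every ~{gap:.0f}s")
```

A single lookup (like 10.30.7.12 above) is ignored; only hosts that keep polling at a roughly regular interval are reported, which is what separates a misbehaving printer-discovery client from a one-off query.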