Re: Strange SNMP probes suddenly appearing

From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 12/03/03

    Date: Tue, 02 Dec 2003 21:23:05 -0500
    To: Jeff Kell <jeff-kell@utc.edu>

    Originally, (I) Jeff Kell wrote:
    > Starting yesterday afternoon, I had a local student lab machine that was
    > attempting to SNMP query our core router (its default gateway), and due
    > to a misconfiguration on the access-layer switch, I couldn't shut the
    > port down, so I simply ACL'ed the address to Null. It was sending
    > queries every 10-15 seconds (somewhat irregularly). It was a Windows
    > machine (answered nbtscan) and nmap only revealed a NetBIOS port open,
    > nothing else. Suspecting a proxy, I scanned the PIX logs for the last
    > 24 hours and there was absolutely no traffic registered to/from the
    > internet, and no active NAT xlate slot either.

    After finally getting an ethereal trace of traffic from the faulty
    address (a machine using an Apple Airport) I found the following:

    The first packet is an SNMP query directed to the router, community name
    'public', and attempts to read 3 MIBs:
       SNMPv2-MIB::sysName.0
       SNMPv2-MIB::sysLocation.0
       SNMPv2-MIB::sysDescr.0

    Almost immediately afterward is a UDP packet from that machine to the
    router on port udp/192. It contains 4 bytes of text, 0x08 0x01 0x03 0x10.

    This is very near a duplicate of some wireless dialogue I have found
    (that were exploitable), for example:

    "One thing I've noticed while using the built in firewall in Mac OS X
    ...Airport does some strange things when you access the configuration
    panel ...

    I see two sets of UDP port scans from the Airport to my Powerbook
    ... one from port 192 (which is allocated to Karlsbridge - the software
    that actually is running in the Airport) and another set of scans from
    the SNMP port. If my firewall blocks the traffic, I get almost the same
    symptoms as you ... everything works but you can't access the Airport to
    configure it. I posted a question to Apple and never got an answer. Maybe
    I will try Ohio State Univ (that's where the software came from
    originally)."

    So, "something" is amiss here. I'm just not sure I understand it all.
    But we have the symptoms nailed down, we'll have to see about the cure.
    Does this ring any bells with anyone that is AirPort knowledgeable?
    Since these were "rogue installs" by the department, they look like they
    would be great clay pigeons for skeet shooting, but perhaps they can be
    more productive.

    Jeff Kell
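
The two-packet pattern described in the post (an SNMP GET with community 'public' for sysName/sysLocation/sysDescr, followed almost immediately by a udp/192 packet carrying 0x08 0x01 0x03 0x10 to the same router) can be picked out of a capture automatically. The correlator below is an added example, not code from the original post; it assumes packets have already been decoded into simple records (addresses, ports, community, OIDs, payload) by a capture tool, and the hosts and timestamps in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Values taken from the post: community 'public', the three system OIDs,
# and the 4-byte payload seen on udp/192 right after the SNMP query.
PROBE_PAYLOAD = bytes.fromhex("08010310")
PROBE_OIDS = frozenset({"sysName.0", "sysLocation.0", "sysDescr.0"})


@dataclass
class Packet:
    ts: float                      # seconds
    src: str
    dst: str
    dport: int
    community: str = ""            # SNMP community (udp/161 packets only)
    oids: frozenset = frozenset()  # requested objects (udp/161 packets only)
    payload: bytes = b""           # raw UDP data (udp/192 packets only)


def find_airport_probes(packets, window=2.0):
    """Return (src, dst, snmp_ts) for each host that sent an SNMPv1/v2c GET
    with community 'public' for the three system OIDs and then, within
    `window` seconds, the 4-byte udp/192 packet to the same destination."""
    pending = defaultdict(list)    # (src, dst) -> timestamps of matching GETs
    hits = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src, p.dst)
        if p.dport == 161 and p.community == "public" and PROBE_OIDS <= p.oids:
            pending[key].append(p.ts)
        elif p.dport == 192 and p.payload == PROBE_PAYLOAD:
            recent = [t for t in pending[key] if 0 <= p.ts - t <= window]
            if recent:
                hits.append((p.src, p.dst, recent[-1]))
                pending[key].clear()   # one alert per SNMP/udp-192 pair
    return hits


# Constructed sample traffic (hypothetical addresses, not the original trace).
GATEWAY = "10.1.2.1"
SAMPLE = [
    Packet(100.00, "10.1.2.3", GATEWAY, 161, "public", PROBE_OIDS),
    Packet(100.05, "10.1.2.3", GATEWAY, 192, payload=PROBE_PAYLOAD),
    # Legitimate poller: same OIDs, but no udp/192 follow-up.
    Packet(101.00, "10.1.9.9", GATEWAY, 161, "public", PROBE_OIDS),
    # udp/192 with a different payload: not the AirPort pattern.
    Packet(101.50, "10.1.2.7", GATEWAY, 192, payload=b"\x00\x00"),
    # udp/192 probe with no matching SNMP GET still pending: ignored.
    Packet(112.00, "10.1.2.3", GATEWAY, 192, payload=PROBE_PAYLOAD),
]

if __name__ == "__main__":
    for src, dst, ts in find_airport_probes(SAMPLE):
        print(f"{src} -> {dst}: AirPort-style probe (SNMP GET at t={ts})")
```

The same check, run against the whole lab subnet's traffic, separates the AirPort base stations from a monitoring host that merely polls the router with the default community.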
