Re: Strange SNMP probes suddenly appearing
jcanaves_at_ucsd.edu
Date: 12/11/03
- Previous message: jdavison3_at_cox.net: "Re: Strange services.exe file"
- Maybe in reply to: Jeff Kell: "Re: Strange SNMP probes suddenly appearing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 10 Dec 2003 23:31:30 -0000 To: incidents@securityfocus.com In-Reply-To: <3FCD4909.5060605@utc.edu>
>Originally, (I) Jeff Kell wrote:
>> Starting yesterday afternoon, I had a local student lab machine that was
>> attempting to SNMP query our core router (it's default gateway), and due
>> to a misconfiguration on the access-layer switch, I couldn't shut the
>> port down, so I simply ACL'ed the address to Null. It was sending
>> queries every 10-15 seconds (somewhat irregularly). It was a Windows
>> machine (answered nbtscan) and nmap only revealed a NetBIOS port open,
>> nothing else. Suspecting a proxy, I scanned the PIX logs for the last
>> 24 hours and there was absolutely no traffic registered to/from the
>> internet, and no active NAT xlate slot either.
>
>After finally getting an ethereal trace of traffic from the faulty
>address (a machine using an Apple Airport) I found the following:
>
>The first packet is an SNMP query directed to the router, community name
>'public', and attempts to read 3 MIBs:
> SNMPv2-MIB::sysName.0
> SNMPv2-MIB::sysLocation.0
> SNMPv2-MIB::sysDescr.0
I'm glad to hear that somebody experienced something similar to my three-week nightmare. During the past 3 weeks my Cox@home service was disconnected due to several SNMP attacks against one of their Cox Business routers originating from my IP address. After stopping SNMP on all my machines, scanning them for viruses and trojans, and increasing the security level of my firewall to the max, the problem still persisted. It did not cease until I disconnected the Airport, but I am still on their blacklist, and under the 3-strike policy any other infraction could trigger the final cancellation of my high-speed internet connection. Certainly, having that kind of BS going on is not a trivial issue.
Jeff, in case you figure out what exactly is going on with the Airports, could you contact me at jcanaves@ucsd.edu?
Thanks!
Jaume
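As an added example that is not part of the thread, a small Python decoder for an SNMPv1 GetRequest of the kind Jeff describes: it extracts the community string and the requested OIDs and flags a read of sysName/sysLocation/sysDescr under the 'public' community, which is the pattern an operator would want to alert on at a router's management interface. The packet bytes are constructed for the example, not taken from his capture.

```python
SYSTEM_GROUP = {"1.3.6.1.2.1.1.1.0": "sysDescr.0", "1.3.6.1.2.1.1.5.0": "sysName.0",
                "1.3.6.1.2.1.1.6.0": "sysLocation.0"}  # the three objects the probe read
# Constructed sample packet for this added example (not the original capture): SNMPv1,
# community "public", GetRequest-PDU (request-id 1) with three varbinds of the form { OID, NULL }.
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3042" "020100" "04067075626c6963"          # SEQUENCE(66), INTEGER 0, OCTET STRING "public"
    "a035" "020101" "020100" "020100" "302a"    # PDU(53), request-id, error-status, error-index, varbinds(42)
    "300c06082b060102010105000500"              # { sysName.0, NULL }
    "300c06082b060102010106000500"              # { sysLocation.0, NULL }
    "300c06082b060102010101000500")             # { sysDescr.0, NULL }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one BER TLV; handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets: first octet packs two arcs, the rest are base-128 groups."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_get_request(pkt):
    """Return (version, community, [dotted OIDs]) from an SNMPv1/v2c GetRequest message."""
    tag, msg, _ = read_tlv(pkt, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0x30 or pdu_tag != 0xA0:          # 0xA0 is the context tag of GetRequest-PDU
        raise ValueError("not an SNMP GetRequest")
    pos = read_tlv(pdu, read_tlv(pdu, read_tlv(pdu, 0)[2])[2])[2]  # skip request-id, error-status, error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))  # each varbind is SEQUENCE { OID, value }
    return int.from_bytes(version, "big"), community.decode("ascii", "replace"), oids

def classify_probe(pkt):
    """Name the requested objects; flag a 'public'-community read confined to the system group."""
    version, community, oids = parse_get_request(pkt)
    flagged = community == "public" and bool(oids) and set(oids) <= set(SYSTEM_GROUP)
    return version, community, [SYSTEM_GROUP.get(o, o) for o in oids], flagged
```

Feeding UDP/161 payloads captured at the router into classify_probe gives the same view Jeff got from his ethereal trace, without waiting for the upstream provider to notice.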