RE: SNMP worm?

From: David Gutierrez (davegu1_at_hotmail.com)
Date: 10/27/05

  • Next message: Frank Knobbe: "RE: SNMP worm?"
    To: gillettdavid@fhda.edu, incidents@securityfocus.com
    Date: Wed, 26 Oct 2005 17:29:08 -0500
    
    

    David,
    We have also started to notice a lot of activity in our Unix servers. So far
    no comment from the vendors.

    David

    From: "David Gillett" <gillettdavid@fhda.edu>
    Reply-To: <gillettdavid@fhda.edu>
    To: <incidents@securityfocus.com>
    Subject: SNMP worm?
    Date: Wed, 26 Oct 2005 13:56:38 -0700
    Organization: Foothill-DeAnza College District

       We're suddenly seeing a lot of unauthorized SNMP traffic, including
    some to broadcast destinations, from stations on our network that have
    no business doing that. Anyone know of a new virus/worm with that
    behaviour? (Details are still sketchy here -- I'm hoping someone else
    has seen this and can provide clues of additional symptoms to look for.)

    David Gillett

