RE: SNMP worm?

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/27/05

To: <incidents@securityfocus.com>
Date: Thu, 27 Oct 2005 09:07:15 -0700


Thanks to everyone who responded.

Under further investigation, the sources turn out to be two machines used by a single individual employee, and one machine in an isolated lab not connected to the main network. (The latter was initially over-reported by the lab supervisor.) My initial fear that we were on the brink of an outbreak does not appear to have been realized.

The employee works in a department which operates various power, water, HVAC, etc. systems. We're checking into the possibility that they have a new/demo program to monitor that equipment. However, all such equipment lives on its own private VLAN, and any traffic relating to it ought to be pointed there.

What we were seeing was traffic on our main user VLAN: unicast traffic targeting specific network infrastructure equipment (possibly part of a sweep of the whole address range), and broadcast traffic to the whole VLAN. And unfortunately we have a few legacy pieces of equipment that found this difficult to handle; some recovered on their own, some didn't (!).

Checking specifically for other SNMP traffic has uncovered a couple of interesting anomalies. Most of it is clearly workstations monitoring the status of nearby printers -- although in one case it appears that a visitor is trying to monitor a printer at their usual location, hundreds of miles away. (Since we block SNMP at our borders, this isn't actually working....)

But a couple of machines seem to be regularly polling specific target addresses (one per source) in unpopulated regions of our address space. Harmless so far as I can tell, but definitely odd.

Again, thanks for the assist.

David Gillett
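The sorting David describes above (printer monitoring, broadcasts to the whole VLAN, and a source regularly polling one address in an unpopulated part of the range) can be automated over flow records. The following is an added example, not code from the original post or the list; the flow-record format, the addresses, the "populated" host set and the regularity threshold are all constructed assumptions.

```python
"""Triage SNMP (UDP/161) flow records from a user VLAN into the categories
discussed in the post: printer monitoring, broadcast polling, and regular
polling of addresses where nothing is known to live.
Added example; record format, addresses and host inventory are constructed."""
import ipaddress
from collections import defaultdict

# Constructed inventory: hosts known to exist on the user VLAN (e.g. from ARP/DHCP leases)
USER_VLAN = ipaddress.ip_network("10.20.0.0/16")
PRINTERS = {"10.20.1.10", "10.20.1.11"}
POPULATED = PRINTERS | {"10.20.1.50", "10.20.1.51", "10.20.1.52"}
BROADCAST = {str(USER_VLAN.broadcast_address), "255.255.255.255"}

# Constructed flow records: "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1130429000 10.20.1.50 10.20.1.10 udp 161
1130429060 10.20.1.50 10.20.1.10 udp 161
1130429005 10.20.1.51 10.20.255.255 udp 161
1130429010 10.20.1.52 10.20.77.9 udp 161
1130429070 10.20.1.52 10.20.77.9 udp 161
1130429130 10.20.1.52 10.20.77.9 udp 161
1130429020 10.20.1.51 10.20.1.11 udp 161
"""


def parse_flows(text):
    """Return (timestamp, src, dst) tuples for SNMP flows only."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        if proto == "udp" and dport == "161":
            rows.append((int(ts), src, dst))
    return rows


def is_regular(times, tolerance=0.25):
    """True if the gaps between polls are all within +/-tolerance of their mean
    (i.e. a timer-driven poller rather than ad-hoc queries)."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return False
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= tolerance * mean for g in gaps)


def classify(flows, min_polls=3):
    """Map each source address to the set of labels its SNMP traffic earns."""
    per_src = defaultdict(lambda: defaultdict(list))
    for ts, src, dst in flows:
        per_src[src][dst].append(ts)
    labels = {}
    for src, dsts in per_src.items():
        tags = set()
        for dst, times in dsts.items():
            if dst in BROADCAST:
                tags.add("broadcast")
            elif dst in PRINTERS:
                tags.add("printer-monitor")
            elif ipaddress.ip_address(dst) in USER_VLAN and dst not in POPULATED:
                # Nothing is known to answer here; repeated, evenly spaced polls
                # are the "definitely odd" case worth a closer look.
                if len(times) >= min_polls and is_regular(times):
                    tags.add("regular-poll-unpopulated")
                else:
                    tags.add("unpopulated")
        labels[src] = tags
    return labels


if __name__ == "__main__":
    for src, tags in sorted(classify(parse_flows(SAMPLE_FLOWS)).items()):
        print(src, sorted(tags))
```

Run against the constructed records, 10.20.1.50 is plain printer monitoring, 10.20.1.51 mixes a broadcast poll with printer monitoring, and 10.20.1.52 polls an unpopulated address every 60 seconds, which is the pattern to chase down (a misconfigured monitoring agent, a stale management-station target, or something that warrants a look at the host itself).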

