RE: SNMP Traffic over spoolsv.exe ?
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 09/11/03
- Previous message: Sebastian Schneider: "Re: Re(2): Possible new virus?"
- In reply to: Nick Duda: "SNMP Traffic over spoolsv.exe ?"
- Next in thread: Darren Augi: "RE: SNMP Traffic over spoolsv.exe ?"
- Reply: Darren Augi: "RE: SNMP Traffic over spoolsv.exe ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Nick Duda'" <nduda@VistaPrint.com>, <security-basics@securityfocus.com> Date: Thu, 11 Sep 2003 12:39:46 -0700
HP loves to use SNMP to talk to their networked printers,
presumably from within the printer driver code which spoolsv
would be likely to call.
David Gillett
> -----Original Message-----
> From: Nick Duda [mailto:nduda@VistaPrint.com]
> Sent: September 11, 2003 06:05
> To: security-basics@securityfocus.com
> Subject: SNMP Traffic over spoolsv.exe ?
>
>
> This seems odd.... Snort is reporting every 5 minutes one of
> our internal PC's generating SNMP traffic to a private IP
> that is not part of our network. The thing is , SNMP isn't
> running on the system and the source port is coming from
> spoolsv.exe (print spooler). Here is a verbose of tcpdump, any ideas?
>
> 08:56:02.499840 x.x.x.x.1159 > 192.168.0.150.snmp:
> GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
> 08:56:08.516713 x.x.x.x.1159 > 192.168.0.150.snmp:
> GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
> 08:56:14.517659 x.x.x.x.1159 > 192.168.0.150.snmp:
> GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
> 08:56:20.519120 x.x.x.x.1159 > 192.168.0.150.snmp:
> GetRequest(39) .1.3.6.1.2.1.25.3.2.1.5.1 .1.3.6.1.2.1.25.3[|snmp]
>
> Here is snort output
> SNMP public access udp alert
>
> 30 4B 02 01 00 04 06 70 75 62 6C 69 63 A0 3E 02 0K.....public.>.
> 01 07 02 01 00 02 01 00 30 33 30 0F 06 0B 2B 06 ........030...+.
> 01 02 01 19 03 02 01 05 01 05 00 30 0F 06 0B 2B ...........0...+
> 06 01 02 01 19 03 05 01 01 01 05 00 30 0F 06 0B ............0...
> 2B 06 01 02 01 19 03 05 01 02 01 05 00 +............
>
> 0K.....public.>.........030...+............0...+............0.
> ..+............
>
> - Nick
>
> --------------------------------------------------------------
> -------------
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Precisely Define and Implement Network Security
> - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW - FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> --------------------------------------------------------------
> --------------
>
---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
- Previous message: Sebastian Schneider: "Re: Re(2): Possible new virus?"
- In reply to: Nick Duda: "SNMP Traffic over spoolsv.exe ?"
- Next in thread: Darren Augi: "RE: SNMP Traffic over spoolsv.exe ?"
- Reply: Darren Augi: "RE: SNMP Traffic over spoolsv.exe ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
