Re: SNMP attempts every 10 minutes



You need to go to the workstation and have a poke around, using tools
like fport from Foundstone:

http://www.foundstone.com/us/resources/proddesc/fport.htm

You should be able to isolate what is generating the traffic from the box.

cheers
Ivan

On Jan 15, 2008 11:08 AM, k7 fantr <k7.fantr@xxxxxxxxx> wrote:
- The switch logs indicate that IP x is failing to authenticate to it
(the switch).
- The IP x is a Windows 2000 workstation
- I do not know what is causing the attempt (trap or get) and I am not
sure how I could tell the difference via the logs:
"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host
x.x.x.x (x.y.com)"
- I cannot find any logs indicating anything regarding SNMP on the workstation
- I can re-create the same error message if I do an snmp-walk from my workstation

Ultimately I am wondering if I am out of my mind to demand that, due to
the suspicious behavior and the inability to determine what it IS,
this workstation should be removed from the network and investigated
rather than left on the network until it is proved that it is something to
worry about.

And also, does anyone know of malicious code that behaves in this specific manner?

I hope this adds a little clarity. Thanks for the follow-ups.




On Jan 14, 2008 5:43 PM, Ivan . <ivanhec@xxxxxxxxx> wrote:
Is it an SNMP trap or an SNMP get request? There is a difference and your
email isn't clear.

An SNMP trap is sent by a device to an SNMP server.

An SNMP get is a read request from an SNMP poller to a device.

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

I assume you mean a device is polling (SNMP get) your core switch, and
it does not have the correct auth string. You should be able to
isolate the IP of the poller and then track down the box. It could be
a Linux box running some snmp-walk requests.

cheers
Ivan


On 11 Jan 2008 20:33:27 -0000, <k7.fantr@xxxxxxxxx> wrote:
There is a machine on our network that is trying and failing to authenticate with the SNMP trap on our core switch every 10 minutes. I cannot seem to isolate what is making the requests. Based on scans that I have run, there is no known malware (nothing detected anyway). No services running appear to stop the requests after being turned off, and after installing a host-based firewall and reviewing the logs, as well as running Wireshark and reviewing a 2-hour capture, I cannot seem to pinpoint anything making requests to that switch at all. It is the only machine on the network of about 900 that is doing this.


I want the machine removed so that I can investigate further, but I am getting resistance from the IT Manager and support (no time... not necessary...). Has anybody seen this before? Am I wrong to want this removed?


Thanks in advance.
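
The trap-or-get question raised in the thread cannot be settled from the %SNMP-3-AUTHFAIL line itself, but it can from a packet capture taken on a SPAN port or at the switch side: polls go to UDP 161 and traps to UDP 162, and the PDU type is the tag byte of the third BER element of an SNMPv1/v2c message (0xA0 GetRequest, 0xA1 GetNextRequest, 0xA4 v1 Trap, and so on). Since the switch is the agent and only authenticates inbound requests, the log line is a poll of some kind. The Python below is an added example, not code from anyone in the thread. It decodes that header from raw UDP payloads, reports the community string the sender used, and computes the gap between successive polls from each source so a 600-second cadence stands out. Every packet, address and community string in it is constructed sample data; the BER encoder at the bottom exists only to build those samples.

```python
"""Classify SNMPv1/v2c packets from a capture: poll (get/getnext/set) or
trap, with which community, and how often. Added example; all packets
and addresses below are constructed, not taken from the thread."""

# PDU tags from RFC 1157 (v1) and RFC 3416 (v2c): context-specific, constructed.
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "GetResponse",
    0xA3: "SetRequest",
    0xA4: "Trap",            # SNMPv1 trap: only ever sent agent -> manager
    0xA5: "GetBulkRequest",
    0xA6: "InformRequest",
    0xA7: "SNMPv2-Trap",
}
POLL_PDUS = {"GetRequest", "GetNextRequest", "SetRequest", "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it).
    Handles both short (< 128) and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_snmp(payload):
    """Return (version, community, pdu_name) for an SNMPv1/v2c UDP payload.
    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }.
    SNMPv3 has a different layout and raises ValueError here."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"), "other")
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    name = PDU_TYPES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)
    return version, community.decode("latin-1"), name


def poll_intervals(records):
    """For (seconds, src_ip, payload) records, return {src_ip: [gap, ...]}
    between consecutive polls from that source; traps are ignored."""
    seen = {}
    for ts, src, payload in records:
        if classify_snmp(payload)[2] in POLL_PDUS:
            seen.setdefault(src, []).append(ts)
    return {src: [b - a for a, b in zip(t, t[1:])] for src, t in seen.items()}


# --- BER encoder used only to build the constructed sample packets below ---
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(n):                                # non-negative INTEGER, minimal BER
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


SYSDESCR_0 = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0


def build_poll(community, pdu_tag, request_id):
    """Constructed v2c request for sysDescr.0, as snmpwalk/snmpget would send."""
    varbind = _tlv(0x30, _tlv(0x06, SYSDESCR_0) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community) + pdu)


def build_v1_trap(community):
    """Constructed SNMPv1 Trap-PDU (enterprise 1.3.6.1.4.1.9, generic coldStart)."""
    pdu = _tlv(0xA4, _tlv(0x06, bytes.fromhex("2b0601040109"))
               + _tlv(0x40, bytes([192, 0, 2, 1]))   # agent-addr (IpAddress)
               + _int(0) + _int(0)                    # generic-trap, specific-trap
               + _tlv(0x43, b"\x00")                  # TimeTicks
               + _tlv(0x30, b""))                     # empty varbind list
    return _tlv(0x30, _int(0) + _tlv(0x04, community) + pdu)


# Constructed capture: one host polling every 600 s with a community the
# switch would reject, plus an unrelated trap. Addresses are placeholders.
SAMPLE_CAPTURE = [
    (0,    "192.0.2.55", build_poll(b"public", 0xA1, 1)),
    (30,   "192.0.2.1",  build_v1_trap(b"traps")),
    (600,  "192.0.2.55", build_poll(b"public", 0xA1, 2)),
    (1200, "192.0.2.55", build_poll(b"public", 0xA1, 3)),
]

if __name__ == "__main__":
    for ts, src, pkt in SAMPLE_CAPTURE:
        print(ts, src, classify_snmp(pkt))
    print(poll_intervals(SAMPLE_CAPTURE))      # {'192.0.2.55': [600, 600]}
```

Feed it the UDP payloads exported from the real capture in place of SAMPLE_CAPTURE. A GetNextRequest carrying a community the switch does not accept, recurring at 600-second gaps from one source, is the pattern the thread describes; if the workstation's own 2-hour capture shows none, the capture should be repeated on the switch side to confirm the source address is really that host.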
