Port scans to UDP 161 (SNMP)

From: Max Euston (meustonat_private)
Date: Thu May 21 1998 - 13:30:51 PDT

  • Next message: james b. croall: "Transparency for the TIS Firewall Toolkit v 2.1"

    	Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
    scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
    certain IP #s.  The most recent events happened 6 times over the past 5 
    days (all from the same IP).  The user of that IP has a laptop w/ 
    Win-95(B?) running FrontPage-98 and IE-4.01; they also have 
    AOL-(something), Office-97, Outlook-98, Project-98.  Although they use DHCP 
    (in a Win-95/Win-NT shop), it seems that this machine has always gotten the 
    same IP#.  The user seems to have been using the machine during each scan. 
     The UDP source port seems to stay in the range 1030-1035 (for this and 
    previous scans from other locations).  I don't have a dump of the incomming 
    packets, just a log that they were dropped.
    Any info greatly appreciated.
    Max Euston <meustonat_private>

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:42 PDT