Re: Port scans to UDP 161 (SNMP)

From: Michael (mikeat_private)
Date: Fri May 22 1998 - 07:37:59 PDT


    On Thu, 21 May 1998, Max Euston wrote:
    
    [>	Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
    [>scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
    [>certain IP #s.  The most recent events happened 6 times over the past 5 
    [>days (all from the same IP).  The user of that IP has a laptop w/ 
    [>Win-95(B?) running FrontPage-98 and IE-4.01; they also have 
    [>AOL-(something), Office-97, Outlook-98, Project-98.  Although they use DHCP 
    [>(in a Win-95/Win-NT shop), it seems that this machine has always gotten the 
    [>same IP#.  The user seems to have been using the machine during each scan. 
    [> The UDP source port seems to stay in the range 1030-1035 (for this and 
    [>previous scans from other locations).  I don't have a dump of the incoming 
    [>packets, just a log that they were dropped.
    
    I've seen this before, last year, from a couple of different
    sites.  It seems that someone misconfigured some sort
    of monitoring software (their ip block was a couple numbers
    off from our address class).  I vaguely remember talking to the
    admin in one of the cases, his reply is below.
    
    
    
    _M.
    
    
    
     From jledbetterat_private  Wed Oct  8 21:22:19 1997
    Received: from act_server.actware.com (act.actware.com [208.130.99.4])
    	by lifted.rapiddata.com (8.8.5/8.8.5) with ESMTP id VAA25347;
    	Wed, 8 Oct 1997 21:22:18 -0400 (EDT)
    Received: by act.ACTWARE.com with Internet Mail Service (5.0.1458.49)
    	id <41SV5SSF>; Wed, 8 Oct 1997 21:21:24 -0400
    Message-ID: <31BBCF704DFBD011AD5B006097585B47386B4Aat_private>
    From: Jason Ledbetter <jledbetterat_private>
    To: "'Michael'" <mikeat_private>, jledbetterat_private,
            sburtonat_private
    Cc: "( Gurus )" <gurusat_private>
    Subject: RE: Forwarded mail....
    Date: Wed, 8 Oct 1997 21:21:23 -0400
    X-Priority: 3
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.0.1458.49)
    Content-Type: text/plain
    X-UID: 287
    Status: RO
    X-Status: A
    
    Michael,
    
    	I apologize for taking so long to reply to your email. In short,
    we had some weird stuff going on here and I have firewalled outbound
    SNMP. I do apologize for any inconvenience it may have caused.
    
    Jason Ledbetter
    Network Technical Specialist
    Applied Computer Technologies
    
    
    
    
    +- Michael_Jastremski_mikeat_private_http://westphila.net/mike -+
    |                                                                   | 
     \____Digital_Photography_Experiment_http://images.westphila.net___/
    


