Re: Port scans to UDP 161 (SNMP)

From: M. Dodge Mumford (dmumfordat_private)
Date: Fri May 22 1998 - 03:52:54 PDT

  • Next message: H. Morrow Long: "Re: Port scans to UDP 161 (SNMP)"

    Yes. The first time that happened to me, the source IP address was a
    competitor, and I was UnAmused. It's since happened a handful more times,
    and when I tend to contact the administrators of those networks, they tend
    to be helpful, and I haven't seen too many repeats.
    The competitor initially blamed it on a sales person who had misconfigured
    HP Openview on their laptop, and had attempted to scan the entire network.
    The second time, it was blamed on a buggy Windows driver for a PCMCIA
    NIC card (3Com I think). Source ports tended to be low, in the 1027-1035
    range you describe.
    Then I saw it a couple more times from totally different locations.
    I've also seen it come from, port 1047.  I figure there's not a
    lot I can do about that one. I tried a traceroute, but that got me
    nowhere. :)
    On Thu, 21 May 1998, Max Euston wrote:
    > Hello,
    > 	Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
    > scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
    > certain IP #s.  The most recent events happened 6 times over the past 5 
    > days (all from the same IP).  The user of that IP has a laptop w/ 
    > Win-95(B?) running FrontPage-98 and IE-4.01; they also have 
    > AOL-(something), Office-97, Outlook-98, Project-98.  Although they use DHCP 
    > (in a Win-95/Win-NT shop), it seems that this machine has always gotten the 
    > same IP#.  The user seems to have been using the machine during each scan. 
    >  The UDP source port seems to stay in the range 1030-1035 (for this and 
    > previous scans from other locations).  I don't have a dump of the incomming 
    > packets, just a log that they were dropped.
    > Any info greatly appreciated.
    > Thanks,
    > Max
    > ---
    > Max Euston <meustonat_private>
    Dodge	dodgeat_private	PGP key available upon request

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:47 PDT