Re: Port scans to UDP 161 (SNMP)

From: H. Morrow Long (morrow.longat_private)
Date: Fri May 22 1998 - 06:06:03 PDT

  • Next message: Jan.Bervarat_private: "Re: Lotus Notes question"

    I have seen this before as a result of HP JetDirect and Windows 95/NT
    HP printer driver s/w on PCs going into 'subnet search' mode looking
    for HP printers with JetDirect cards.
    If the user is running with HPJetAdmin or HP network printer driver software
    installed on the notebook PC you might want to try the fix on page:

    >Subject: Port scans to UDP 161 (SNMP)
    >Date: Thu, 21 May 1998 16:30:51 -0400
    >MIME-Version: 1.0
    >Content-Transfer-Encoding: 7bit
    >	Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
    >scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
    >certain IP #s.  The most recent events happened 6 times over the past 5 
    >days (all from the same IP).  The user of that IP has a laptop w/ 
    >Win-95(B?) running FrontPage-98 and IE-4.01; they also have 
    >AOL-(something), Office-97, Outlook-98, Project-98.  Although they use DHCP 
    >(in a Win-95/Win-NT shop), it seems that this machine has always gotten the 
    >same IP#.  The user seems to have been using the machine during each scan. 
    > The UDP source port seems to stay in the range 1030-1035 (for this and 
    >previous scans from other locations).  I don't have a dump of the incomming 
    >packets, just a log that they were dropped.
    >Any info greatly appreciated.
    >Max Euston <meustonat_private>
    H. Morrow Long
    Information Security Office            (203)432-1248(VOICE)
    Yale University                        (203)432-0593(FAX)
    INET: mailto:information.securityat_private
    PAGE: (203)370-3081, (800)347-2574,    mailto:1165469at_private PIN# 1165469
    PGP 1024/54F9FD69 1997/08/25 fp 97 ED E7 9D 41 8A 90 8C  4D 7C 22 56 80 BA 84 09

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:49 PDT