SNMP Scans 02/17/02

From: Peter Johnson (pjohnsonat_private)
Date: Sun Feb 17 2002 - 20:23:09 PST


    Just saw this in my portscan log (via snort) and decided to share with
    the community so we can figure out who is scanning with what tools and
    for what purpose (investigative or malicious).
    
    Seems like they scan my 5-IP block 3 times
    
    Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.50:161 UDP
    Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.52:161 UDP
    Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.53:161 UDP
    Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.54:161 UDP
    Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.55:161 UDP
    Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.51:161 UDP
    Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.50:161 UDP
    Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.55:161 UDP
    Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.54:161 UDP
    Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.52:161 UDP
    Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.53:161 UDP
    Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.54:161 UDP
    Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.55:161 UDP
    Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.50:161 UDP
    Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.51:161 UDP
    Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.52:161 UDP
    =======================================================
    I have some generic snmp rules to catch all SNMP scans/probes.
    
    Here is a sample packet that got
    
    [**] SNMP/udp public access [**]
    02/17-20:21:06.412571 0:A0:C5:E5:F6:93 -> 0:10:5A:F:34:B1 type:0x800
    len:0x61
    67.113.159.146:1504 -> X.X.X.50:161 UDP TTL:114 TOS:0x0 ID:55265
    IpLen:20 DgmLen:83 Len: 63
    30 35 02 01 00 04 06 70 75 62 6C 69 63 A1 28 02  05.....public.(.
    04 3C 69 F1 B9 02 01 00 02 01 00 30 1A 30 0B 06  .<i........0.0..
    07 2B 06 01 02 01 01 02 05 00 30 0B 06 07 2B 06  .+........0...+.
    01 02 01 01 01 05 00                             .......
    
    Every packet looks exactly the same.
    Wonder if this is the SANS snmp scanning tool?
    ======================================================================
    Name:    adsl-67-113-159-146.dsl.sntc01.pacbell.net
    Address:  67.113.159.146
    
    George S Granados (NETBLK-SBC-06711315914429)
         San Francisco, Ca 94104
         US
    
         Netname: SBC-06711315914429
         Netblock: 67.113.159.144 - 67.113.159.151
    
    Coordinator:
            Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-adminat_private
            888-212-5411
    
    Seems like ol pacbell gives info on who they give IP blocks to! ;)
    
    Do you think we should be reporting snmp scans to ISPs
    or just a waste of time?
    ==================================================================
    
    Peter
    -- 
    Peter E. Johnson
    Securityflaw
    http://www.securityflaw.com
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
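The message above contains two things worth decoding by hand: the Snort hex dump of the probe and the sixteen portscan lines. The Python below is an added example, not part of Peter's post or of Snort; it carries its own small BER decoder (only the ASN.1 subset an SNMPv1 GetRequest/GetNextRequest uses), the MIB-2 system-group names, and a line regex are my own assumptions. It turns the hex dump into the message fields a responder wants (version, community, PDU type, request-id, the OIDs asked for) and reduces the portscan lines to how the source swept the block.

```python
"""Added example (not from the original post): decode the SNMPv1 probe payload
quoted in the Snort alert and summarise the Snort portscan lines as a sweep.
The BER decoder is hand-written and handles only the ASN.1 subset an SNMPv1
GetRequest/GetNextRequest uses (INTEGER, OCTET STRING, OID, NULL, SEQUENCE)."""
import re
from collections import defaultdict

# Payload hex exactly as printed in the Snort alert in the post.
PROBE_HEX = """
30 35 02 01 00 04 06 70 75 62 6C 69 63 A1 28 02
04 3C 69 F1 B9 02 01 00 02 01 00 30 1A 30 0B 06
07 2B 06 01 02 01 01 02 05 00 30 0B 06 07 2B 06
01 02 01 01 01 05 00
"""

# Snort portscan lines copied from the post (its sanitised X.X.X prefix kept).
PORTSCAN_LOG = """
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.52:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.53:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:06 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.51:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:11 67.113.159.146:1504 -> X.X.X.52:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.53:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.54:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.55:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.50:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.51:161 UDP
Feb 17 20:21:16 67.113.159.146:1504 -> X.X.X.52:161 UDP
"""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
# MIB-2 system group, so the decoded OIDs are readable (assumed lookup table).
MIB2_SYSTEM = {"1.3.6.1.2.1.1.1": "sysDescr", "1.3.6.1.2.1.1.2": "sysObjectID",
               "1.3.6.1.2.1.1.3": "sysUpTime", "1.3.6.1.2.1.1.5": "sysName"}


def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8N then N octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode a BER OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_snmp(payload):
    """Decode a community-based (v1/v2c) SNMP message into a dict."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, ver, pos = _tlv(msg, 0)             # INTEGER version
    _, community, pos = _tlv(msg, pos)     # OCTET STRING community
    pdu_tag, pdu, _ = _tlv(msg, pos)       # context tag selects the PDU type
    _, req_id, pos = _tlv(pdu, 0)
    _, err_status, pos = _tlv(pdu, pos)
    _, err_index, pos = _tlv(pdu, pos)
    _, vbl, _ = _tlv(pdu, pos)             # SEQUENCE OF VarBind
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _tlv(vbl, pos)
        _, oid, q = _tlv(vb, 0)
        vtag, _, _ = _tlv(vb, q)
        dotted = _oid(oid)
        varbinds.append((dotted, MIB2_SYSTEM.get(dotted, "?"),
                         "NULL" if vtag == 0x05 else "value"))
    return {"version": VERSIONS.get(int.from_bytes(ver, "big"), "unknown"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big"),
            "varbinds": varbinds}


LINE_RE = re.compile(r"^(\S+ \d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def summarise_sweep(log_text):
    """Group portscan lines by source and describe how it swept the block."""
    per_src = defaultdict(lambda: {"hits": defaultdict(int), "sports": set(),
                                   "dports": set(), "times": set()})
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip anything that is not a scan line
        ts, src, sport, dst, dport, proto = m.groups()
        s = per_src[src]
        s["hits"][dst] += 1
        s["sports"].add(sport)
        s["dports"].add(dport + "/" + proto)
        s["times"].add(ts)
    return {src: {"hosts": len(s["hits"]), "packets": sum(s["hits"].values()),
                  "passes": max(s["hits"].values()), "batches": len(s["times"]),
                  "fixed_source_port": len(s["sports"]) == 1,
                  "services": sorted(s["dports"])} for src, s in per_src.items()}


if __name__ == "__main__":
    print(decode_snmp(bytes.fromhex("".join(PROBE_HEX.split()))))
    print(summarise_sweep(PORTSCAN_LOG))
```

Running it shows the probe is an SNMPv1 GetNextRequest with community "public" for sysObjectID and sysDescr, which is the generic discovery probe many tools send, so the payload alone does not identify the scanner; the sweep summary (six hosts, three timestamped batches, one fixed source port, only 161/UDP) is the shape worth keeping in a report to the ISP if you decide to send one.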
    



    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 23:42:28 PST