RE: SNMP Weirdness

From: Thomas Ray (thomas.rayat_private)
Date: Fri Jan 24 2003 - 08:39:32 PST


    Google is your friend
    
     
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22illegally.iana.net%22
    
    http://www.geocrawler.com/archives/3/169/2000/1/50/3209083/
    http://archives.neohapsis.com/archives/freebsd/2000-01/0663.html
    
    http://www.aplawrence.com/Bofcusm/38.html
    http://www.isc.org/ml-archives/bind-users/1999/04/msg00432.html
    
    
    I thought that iana.net seemed familiar
    
    
    
    >-----Original Message-----
    >From: Keith Pachulski [mailto:keithpat_private]
    >Sent: Monday, January 20, 2003 1:10 PM
    >To: iscat_private
    >Cc: incidentsat_private
    >Subject: SNMP Weirdness
    >
    >
    >Has anyone seen this behavior, if so care to share the details
    >
    >I originally saw these from an internal firewall, after setting 
    >up a snort to grab the traffic I logged the following:
    >
    >[**] weirdness ensues [**]
    >01/20-13:46:27.084888 X.X.X.26:1697 -> 192.0.0.192:161
    >UDP TTL:128 TOS:0x0 ID:22091 IpLen:20 DgmLen:265
    >Len: 245
    >30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81  0.......public..
    >DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06  ..........0..0..
    >07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06  .+........0...+.
    >01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01  .......0...+....
    >01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01  ....0...+.......
    >06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01  ...0...+........
    >05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03  ..0...+.........
    >05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01  ..0...+.........
    >01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03  ....0...+.......
    >09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B  ......0...+.....
    >02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04  ........0...+...
    >01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06  ..........0...+.
    >01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B  ...........0...+
    >06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B  ............0...
    >2B 06 01 04 01 0B 02 04 03 0D 01 05 00           +............
    >
    >I have a few internal machines sending the same queries to the 
    >same address.
    >
    >Name:    
    >192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net
    >Address:  192.0.0.192
    >
    >|Keith A. Pachulski
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
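An added example, not from either poster: a small BER decoder that takes the payload bytes from Keith's snort dump (embedded below as constructed input, copied from the hex columns above) and reports what the datagram actually is, which is the check an analyst would run before chasing the destination address.

```python
# Constructed input: the 237 payload bytes copied verbatim from the snort dump above.
SNORT_PAYLOAD = bytes.fromhex(
    "3081EA02010004067075626C6963A181DC0201000201000201003081D0300B06"
    "072B0601020101010500300B06072B0601020101030500300B06072B06010201"
    "01050500300D06092B06010201020201060500300D06092B0601020104140101"
    "0500300E060A2B06010201190302010305003010060C2B060104010B02030901"
    "010705003010060C2B060104010B02030905010305003010060C2B060104010B"
    "02040308030205003010060C2B060104010B0204030803030500300F060B2B06"
    "0104010B0204030A070500300F060B2B060104010B0204030A0D0500300F060B"
    "2B060104010B0204030D010500"
)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}  # RFC 1157

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x81/0x82 followed by length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER; the first byte packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128 digits, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_snmp(packet):
    """Parse one SNMPv1/v2c message into version, community, PDU type, request-id and OIDs."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30: raise ValueError("outer tag %#x is not a SEQUENCE; not an SNMP message" % tag)
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, request_id, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)             # error-status
    _, _, p = read_tlv(pdu, p)             # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):               # VarBind ::= SEQUENCE { name OID, value }
        _, vb, p = read_tlv(varbinds, p)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, "unknown %#x" % pdu_tag),
            "request_id": int.from_bytes(request_id, "big"), "oids": oids}
```

decode_snmp(SNORT_PAYLOAD) reports an SNMPv1 GetNextRequest with community "public" carrying 13 OIDs: MIB-2 system, interface and host-resources objects followed by seven under 1.3.6.1.4.1.11, the Hewlett-Packard enterprise arc, which fits printer-discovery software probing 192.0.0.192 rather than anything hand-crafted.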
    



    This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 07:22:49 PST