Re: Trojan attacking our switches

From: Kris Saw (krisat_private)
Date: Fri Mar 21 2003 - 14:37:18 PST


    Check section 8 of your manual for SNMP configuration options. Check
    section 7-30 of your management and configuration guide for "IP
    Authorized Managers"; this will allow you to lock down management access
    to the switch using host masks. Unfortunately, the only way to completely
    disable SNMP is to turn off all IP-based management.
    
    You can get the latest manual here:
    
    ftp://ftp.hp.com/pub/networking/software/59692354.pdf
    
    It's also a good idea to update the firmware to fix this:
    
    http://www.cert.org/advisories/CA-2002-03.html
    
    Latest firmware can be found here:
    
    http://www.hp.com/rnd/software/switches.htm
    
    /kris
    
    Charles Polisher wrote:
    > Search of CVE and securityfocus and googling
    > did not turn up adequate information. Anyone 
    > seen this beast? 
    > 
    > Our campus network has a couple of thousand hosts, 
    > and 93 switches. 
    > 
    > Telnetting into our HP Procurve 2524 switch 
    > shows an ongoing attempt to brute-force the 
    > SNMP community (public, of course). HP apparently
    > does not provide a method for disabling SNMP, and
    > we're going to have to visit all 93 switches
    > in person to set a strong password -- yes, it had
    > been left blank!
    > 
    > PCdoorguard 3 virus scanner identified a
    > virus, "f*ck door server", but provides little
    > useful information other than pointing to 
    > \windows\system\setdefed.exe which is 24,576 bytes.
    > 
    > Thanks,
    > Charles Polisher
    > 



    This archive was generated by hypermail 2b30 : Sat Mar 22 2003 - 12:17:59 PST
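
The "IP Authorized Managers" host-mask lockdown suggested in the reply can be audited offline before visiting each switch. The following is an added example, not part of the original post or of HP's documentation: it assumes entries of the form `ip authorized-managers <address> <mask>`, assumes that a set mask bit means the corresponding address bit must match, and runs on a constructed sample configuration.

```python
import ipaddress
import re

# Constructed sample configuration lines (not taken from any real switch).
SAMPLE_CONFIG = """\
hostname "constructed-sw1"
ip authorized-managers 10.1.5.20 255.255.255.255
ip authorized-managers 10.1.5.0 255.255.255.0
ip authorized-managers 10.0.0.0 255.0.0.0
"""

# Assumed entry syntax: address followed by an optional dotted mask.
ENTRY_RE = re.compile(
    r"^\s*ip authorized-managers\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?", re.M)


def parse_entries(config):
    """Return (address, mask) integer pairs; a missing mask means one host."""
    entries = []
    for addr, mask in ENTRY_RE.findall(config):
        entries.append((int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(mask or "255.255.255.255"))))
    return entries


def is_authorized(source, entries):
    """True if source equals some entry on every bit its mask marks significant."""
    src = int(ipaddress.IPv4Address(source))
    return any((src & mask) == (addr & mask) for addr, mask in entries)


def broad_entries(entries, max_hosts=256):
    """List entries whose mask admits more than max_hosts source addresses."""
    flagged = []
    for addr, mask in entries:
        hosts = 1 << bin(~mask & 0xFFFFFFFF).count("1")  # 2^(don't-care bits)
        if hosts > max_hosts:
            flagged.append((str(ipaddress.IPv4Address(addr)),
                            str(ipaddress.IPv4Address(mask)), hosts))
    return flagged


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_CONFIG)
    for probe in ("10.1.5.20", "10.200.3.4", "192.168.1.1"):
        print(probe, "allowed" if is_authorized(probe, entries) else "denied")
    for addr, mask, hosts in broad_entries(entries):
        print(f"overly broad: {addr} {mask} admits {hosts} addresses")
```

Running it against a saved configuration from each switch shows which management sources a mask really admits, which matters when the same entries have to be repeated across many devices.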