Re: SNMP search for printers?

From: Chris Reining (creiningat_private)
Date: Tue Jun 17 2003 - 20:39:10 PDT

Next message: Rob Shein: "RE: chkrootkit and LKM?"

Previous message: Jim Butterworth: "RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"
In reply to: Aaron Cheek: "SNMP search for printers?"
Next in thread: christian houle: "SNMP search for printers?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Aaron,
While I don't recall seeing this scan recently, it comes as no surprise.
Networked printers are rather ubiquitous and are usually passed off as
being secure because it's just a device that prints and nothing more.
However, this false sense of security is particularly bad as a lot of
printers these days have multiple services running some of which are
most likely exploitable. The SNMP scan that you saw would be typical of
an attacker looking for internet facing printers with default strings in
order to reconfigure the printer at their will. The possibility for
malicious activity if they garner remote access passwords then follows -
setting up a sniffer, using the printer as an attack point, mapping an
internal network, running a warez site (yes, they have ide/scsi drives).

Maybe someone should set up a printer honeypot ;)

HTH,
Chris

On Tue, Jun 17, 2003 at 05:49:19PM -0700, Aaron Cheek wrote:
> All,
> 
> One of my class Cs got SNMP scanned, and wanted to ask
> you what the purpose of this scan you think it might
> be:
> 
> 80.200.243.104.1152 > mynet.161:  GetRequest(25)
> .1.3.6.1.4.1.641[|snmp]
> 
> (Apparently an ADSL user at Belgium -
> 104.243-200-80.adsl-fix.skynet.be)
> 
> They tried different OIDs: .1.3.6.1.4.1.641 (Lexmark
> International), .1.3.6.1.4.1.11.2 (Hewlett Packard),
> .1.3.6.1.4.1.480 (QMS, Inc.), .1.3.6.1.2.1.43 (3Com).
> 
> All scans had src port 1152.
> 
> What I see in common here is printers. If so, what is
> the purpose of massively scanning for printers?
> 
> Other people seeing this? Any ideas? Any known tool?
> 
> Aaron
> 
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
> 
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
> world's premier technical IT security event! 10 tracks, 15 training sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
> "underground" security specialists.  See for yourself what the buzz is about!  
> Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------
> 
>

application/pgp-signature attachment: stored

Next message: Rob Shein: "RE: chkrootkit and LKM?"
Previous message: Jim Butterworth: "RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"
In reply to: Aaron Cheek: "SNMP search for printers?"
Next in thread: christian houle: "SNMP search for printers?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 08:31:44 PDT