Re: SNMP search for printers?

From: exon (exonat_private)
Date: Wed Jun 18 2003 - 08:28:46 PDT

Next message: Michael H. Warfield: "Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"

Previous message: Michael H. Warfield: "Re: sdbot variant and port 55808 activity"
In reply to: Aaron Cheek: "SNMP search for printers?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Some printers allow remote telnet control (Xerox, mainly, running Solaris
8 I think), and all of those come with root password left blank.
An attacker can then install sniffers and whatnot on the printer, which
happily runs on with practically no slowdown.

Also, network connected fax machines can be used to send faxes from
remote locations, and guess who gets to pay the bill...

Check your printers/faxes manuals to see if they are susceptible.

/Andy


On Tue, 17 Jun 2003, Aaron Cheek wrote:

> All,
> 
> One of my class Cs got SNMP scanned, and wanted to ask
> you what the purpose of this scan you think it might
> be:
> 
> 80.200.243.104.1152 > mynet.161:  GetRequest(25)
> ..1.3.6.1.4.1.641[|snmp]
> 
> (Apparently an ADSL user at Belgium -
> 104.243-200-80.adsl-fix.skynet.be)
> 
> They tried different OIDs: .1.3.6.1.4.1.641 (Lexmark
> International), .1.3.6.1.4.1.11.2 (Hewlett Packard),
> ..1.3.6.1.4.1.480 (QMS, Inc.), .1.3.6.1.2.1.43 (3Com).
> 
> All scans had src port 1152.
> 
> What I see in common here is printers. If so, what is
> the purpose of massively scanning for printers?
> 
> Other people seeing this? Any ideas? Any known tool?
> 
> Aaron
> 
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
> 
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
> world's premier technical IT security event! 10 tracks, 15 training sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
> "underground" security specialists.  See for yourself what the buzz is about!  
> Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------
> 
> 
> 


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Michael H. Warfield: "Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"
Previous message: Michael H. Warfield: "Re: sdbot variant and port 55808 activity"
In reply to: Aaron Cheek: "SNMP search for printers?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 14:19:37 PDT