Re: Strange SNMP probes suddenly appearing

From: Tijl DULLERS (Tijl.DULLERS@dhl.com)
Date: Tue Nov 25 2003 - 06:24:53 CST


Hi,

I would not worry too much. It's been a while since I played with those
Airport Basestations, but I still remember that they can be configured
solely using SNMP. So the configuration software uses SNMP gets and sets
to read and update the config.

I can also imagine that the Airport client software (drivers + maybe
some config tools) is trying to do SNMP gets once in a while to
retrieve information from its basestations?

Hope this helps.

Best Regards,

Tijl

Jeff Kell wrote:

> Starting yesterday afternoon, I had a local student lab machine that
> was attempting to SNMP query our core router (its default gateway),
> and due to a misconfiguration on the access-layer switch, I couldn't
> shut the port down, so I simply ACL'ed the address to Null. It was
> sending queries every 10-15 seconds (somewhat irregularly). It was a
> Windows machine (answered nbtscan) and nmap only revealed a NetBIOS
> port open, nothing else. Suspecting a proxy, I scanned the PIX logs
> for the last 24 hours and there was absolutely no traffic registered
> to/from the internet, and no active NAT xlate slot either.
>
> This morning, another machine in a different building and subnet
> started roughly the same thing. I was able to isolate this one at the
> access layer and shut it down, but not before scanning it -- not
> Windows, but a Macintosh, with no even remotely interesting ports.
>
> I received a call from a professor in the building, and it turns out he
> had set up (unbeknownst to us) some Apple Airport access points in the
> building, and we zapped the port the Airport was using. He also
> reported another Airport was down, and checking history it was
> shut down for Nachi (so it was Windows) but he could not identify
> either the IP or MAC address of that incident.
>
> After requesting that he make his Airports a closed SSID with a
> non-trivial password, I brought both ports back up. Kaboom, it
> started again. And another machine (in yet ANOTHER building) joined
> in briefly, then disappeared, and a new machine with a different IP
> started in.
>
> I then turned the original problem address back on (removed ACL) and
> kaboom, it started again. So now there were five incidents. Three
> known to be coming from Airport clients, one strongly suspected of
> also being an Airport client, and the last we have no clue. We had 2
> Windows, 2 Macintosh, and 1 unknown.
>
> I then headed off to the known Airport problem, found the associated
> access point, hooked in a cheap hub inline and plugged in a Linux
> laptop with ethereal. But the only capture now was irrelevant (IGMP
> group advertisements) - the SNMP had stopped. A watched pot never boils.
>
> Is this ringing a bell with anyone? I'm stumped. It isn't coming
> from the internet (we do strict ingress/egress anti-spoofing on every
> subnet and at the border router). Doesn't seem like a virus since
> whatever it is has demonstrated itself to be cross-platform. The Airport is
> strongly suspected (we did find one of the offending machines, and it
> was a faculty Mac laptop not doing anything fishy when I got there).
>
> Jeff Kell
> Univ of Tennessee at Chattanooga
>
>
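Neither poster had a capture to work from, but the pattern Jeff describes (a slow, irregular UDP/161 poll of the default gateway from otherwise quiet hosts) is easy to pull out of firewall or ACL logs. The Python below is an added example, not code from the thread; the gateway address, host addresses and event records are all constructed for illustration.

```python
from statistics import median
from collections import defaultdict

# Constructed sample of firewall/ACL log events, not from the original thread:
# (epoch seconds, source IP, destination IP, protocol, destination port).
# 10.1.20.44 mimics the behaviour Jeff describes: an SNMP query to the core
# router roughly every 10-15 seconds. 10.1.30.9 does a one-off burst (a scan),
# and 10.1.20.45 is ordinary DNS traffic; neither should be flagged.
GATEWAY = "10.1.0.1"  # assumed address of the core router / default gateway
SAMPLE_EVENTS = [
    (1000, "10.1.20.44", GATEWAY, "udp", 161),
    (1012, "10.1.20.44", GATEWAY, "udp", 161),
    (1027, "10.1.20.44", GATEWAY, "udp", 161),
    (1038, "10.1.20.44", GATEWAY, "udp", 161),
    (1051, "10.1.20.44", GATEWAY, "udp", 161),
    (1005, "10.1.30.9", GATEWAY, "udp", 161),
    (1005, "10.1.30.9", GATEWAY, "udp", 161),
    (1006, "10.1.30.9", GATEWAY, "udp", 161),
    (1010, "10.1.20.45", GATEWAY, "udp", 53),
    (1025, "10.1.20.45", GATEWAY, "udp", 53),
    (1040, "10.1.20.45", GATEWAY, "udp", 53),
]

def snmp_pollers(events, gateway, min_queries=3, min_gap=5.0, max_gap=30.0):
    """Return {src: (query_count, median_gap_seconds)} for hosts that query
    gateway on UDP/161 at least min_queries times with a median inter-query
    gap between min_gap and max_gap seconds, i.e. a slow, repeating poll
    rather than a single burst. Events may arrive out of order."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if dst == gateway and proto == "udp" and dport == 161:
            by_src[src].append(ts)
    result = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps)
        if min_gap <= gap <= max_gap:
            result[src] = (len(stamps), gap)
    return result

if __name__ == "__main__":
    for src, (n, gap) in snmp_pollers(SAMPLE_EVENTS, GATEWAY).items():
        print(f"{src}: {n} SNMP queries to {GATEWAY}, median gap {gap:.1f}s")
```

Hosts that come out of this list are candidates to walk over to, as Jeff did, rather than hosts to block outright: a legitimate Airport client polling its base station looks exactly the same in the logs.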