NFR Wizards Archive: Re: Port scans to UDP 161 (SNMP)


M. Dodge Mumford (dmumfordnfr.net)
Fri, 22 May 1998 06:52:54 -0400 (EDT)


Yes. The first time that happened to me, the source IP address was a
competitor, and I was UnAmused. It's since happened a handful more times,
and when I tend to contact the administrators of those networks, they tend
to be helpful, and I haven't seen too many repeats.

The competitor initially blamed it on a sales person who had misconfigured
HP Openview on their laptop, and had attempted to scan the entire
208.0.0.0 network.

The second time, it was blamed on a buggy Windows driver for a PCMCIA
NIC card (3Com I think). Source ports tended to be low, in the 1027-1035
range you describe.

Then I saw it a couple more times from totally different locations.

I've also seen it come from 10.0.2.71, port 1047. I figure there's not a
lot I can do about that one. I tried a traceroute, but that got me
nowhere. :)

On Thu, 21 May 1998, Max Euston wrote:

> Hello,
> Has anyone seen this before? I have been getting UDP (161/SNMP) port
> scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from
> certain IP #s. The most recent events happened 6 times over the past 5
> days (all from the same IP). The user of that IP has a laptop w/
> Win-95(B?) running FrontPage-98 and IE-4.01; they also have
> AOL-(something), Office-97, Outlook-98, Project-98. Although they use DHCP
> (in a Win-95/Win-NT shop), it seems that this machine has always gotten the
> same IP#. The user seems to have been using the machine during each scan.
> The UDP source port seems to stay in the range 1030-1035 (for this and
> previous scans from other locations). I don't have a dump of the incoming
> packets, just a log that they were dropped.
>
> Any info greatly appreciated.
>
> Thanks,
>
> Max
> ---
> Max Euston <meustonjmrodgers.com>
>
>

-----
Dodge dodgenfr.net PGP key available upon request
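
Added example, not part of the original thread: when only a log of dropped packets is available, as in the quoted message, it can still be summarized per source to show how many addresses in the /24 were probed on UDP/161 and from which source ports. The log line format, the `find_snmp_sweeps` name, the `min_hosts` threshold and every sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed drop-log lines; the format and the 192.0.2.x / 198.51.100.x
# sources are assumptions made for this example.
SAMPLE_LOG = """\
May 21 14:02:00 fw drop udp 192.0.2.45:1030 -> 205.247.224.255:161
May 21 14:02:01 fw drop udp 192.0.2.45:1031 -> 205.247.224.254:161
May 21 14:02:02 fw drop udp 192.0.2.45:1032 -> 205.247.224.253:161
May 21 14:02:03 fw drop udp 192.0.2.45:1033 -> 205.247.224.252:161
May 21 14:02:04 fw drop udp 192.0.2.45:1034 -> 205.247.224.251:161
May 21 14:02:05 fw drop udp 192.0.2.45:1035 -> 205.247.224.250:53
May 21 15:10:00 fw drop udp 10.0.2.71:1047 -> 205.247.224.255:161
May 21 15:10:01 fw drop udp 10.0.2.71:1047 -> 205.247.224.254:161
May 21 15:10:02 fw drop udp 10.0.2.71:1047 -> 205.247.224.253:161
May 21 15:10:03 fw drop udp 10.0.2.71:1047 -> 205.247.224.252:161
May 21 16:00:00 fw drop udp 198.51.100.7:40000 -> 205.247.224.10:161
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"drop udp (?P<src>[\d.]+):(?P<sport>\d+)"
                     r" -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def find_snmp_sweeps(log_text, network="205.247.224.0/24", min_hosts=4):
    """Summarize sources whose dropped UDP/161 packets hit >= min_hosts addresses."""
    net = ipaddress.ip_network(network)
    hosts, sports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "161":
            continue  # unparsable line or not SNMP
        dst = ipaddress.ip_address(m["dst"])
        if dst in net:
            hosts[m["src"]].add(dst)
            sports[m["src"]].add(int(m["sport"]))
    report = {}
    for src, dsts in hosts.items():
        if len(dsts) < min_hosts:
            continue  # a single poll or a stray packet, not a sweep
        report[src] = {
            "hosts": len(dsts),
            # The thread saw low source ports (1027-1035) on these sweeps.
            "sport_range": (min(sports[src]), max(sports[src])),
            # RFC 1918 sources cannot be traced back to an owner.
            "rfc1918_src": any(ipaddress.ip_address(src) in n for n in RFC1918),
        }
    return report

if __name__ == "__main__":
    for src, info in find_snmp_sweeps(SAMPLE_LOG).items():
        print(src, info)
```
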



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:54 CDT