Re: Port scans to UDP 161 (SNMP)
Michael (mike@westphila.net)
Fri, 22 May 1998 10:37:59 -0400 (EDT)
On Thu, 21 May 1998, Max Euston wrote:
[> Has anyone seen this before? I have been getting UDP (161/SNMP) port
[>scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from
[>certain IP #s. The most recent events happened 6 times over the past 5
[>days (all from the same IP). The user of that IP has a laptop w/
[>Win-95(B?) running FrontPage-98 and IE-4.01; they also have
[>AOL-(something), Office-97, Outlook-98, Project-98. Although they use DHCP
[>(in a Win-95/Win-NT shop), it seems that this machine has always gotten the
[>same IP#. The user seems to have been using the machine during each scan.
[> The UDP source port seems to stay in the range 1030-1035 (for this and
[>previous scans from other locations). I don't have a dump of the incoming
[>packets, just a log that they were dropped.
I've seen this before, last year, from a couple of different
sites. It seems that someone misconfigured some sort
of monitoring software (their IP block was a couple numbers
off from our address class). I vaguely remember talking to the
admin in one of the cases; his reply is below.
_M.
From jledbetter@actware.com Wed Oct 8 21:22:19 1997
Received: from act_server.actware.com (act.actware.com [208.130.99.4])
by lifted.rapiddata.com (8.8.5/8.8.5) with ESMTP id VAA25347;
Wed, 8 Oct 1997 21:22:18 -0400 (EDT)
Received: by act.ACTWARE.com with Internet Mail Service (5.0.1458.49)
id <41SV5SSF>; Wed, 8 Oct 1997 21:21:24 -0400
Message-ID: <31BBCF704DFBD011AD5B006097585B47386B4A@act.ACTWARE.com>
From: Jason Ledbetter <jledbetter@actware.com>
To: "'Michael'" <mike@lifted.rapiddata.com>, jledbetter@actware.com,
sburton@actware.com
Cc: "( Gurus )" <gurus@lifted.rapiddata.com>
Subject: RE: Forwarded mail....
Date: Wed, 8 Oct 1997 21:21:23 -0400
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1458.49)
Content-Type: text/plain
X-UID: 287
Status: RO
X-Status: A
Michael,
I apologize for taking so long to reply to your email. In short,
we had some weird stuff going on here and I have firewalled outbound
SNMP. I do apologize for any inconvenience it may have caused.
Jason Ledbetter
Network Technical Specialist
Applied Computer Technologies
+- Michael_Jastremski_mike@westphila.net_http://westphila.net/mike -+
| |
\____Digital_Photography_Experiment_http://images.westphila.net___/
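
Added example, not part of the original message or of any poster's tooling: a small triage script that groups dropped UDP/161 packets by source and reports how many hosts in the monitored /24 each source touched, whether the broadcast address was among them, and the source-port range, which are the details discussed in the thread. The log line format, the function name find_snmp_sweeps, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a hypothetical format:
#   <time> DROP udp <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
1998-05-21T09:14:02 DROP udp 192.0.2.77:1030 -> 198.51.100.255:161
1998-05-21T09:14:02 DROP udp 192.0.2.77:1031 -> 198.51.100.254:161
1998-05-21T09:14:03 DROP udp 192.0.2.77:1032 -> 198.51.100.253:161
1998-05-21T09:14:41 DROP udp 192.0.2.77:1033 -> 198.51.100.2:161
1998-05-21T09:14:41 DROP udp 192.0.2.77:1034 -> 198.51.100.1:161
1998-05-21T09:14:42 DROP udp 192.0.2.77:1035 -> 198.51.100.0:161
1998-05-21T10:02:10 DROP udp 192.0.2.9:40211 -> 198.51.100.10:161
1998-05-21T10:05:33 DROP udp 192.0.2.9:40212 -> 198.51.100.10:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP udp (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_snmp_sweeps(log_text, network, min_hosts=3):
    """Return {src: summary} for sources that sent UDP/161 to at least
    min_hosts distinct addresses inside `network`."""
    net = ipaddress.ip_network(network)
    seen = defaultdict(lambda: {"dsts": set(), "sports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "161":
            continue  # unparsable line or not SNMP
        dst = ipaddress.ip_address(m["dst"])
        if dst not in net:
            continue
        seen[m["src"]]["dsts"].add(dst)
        seen[m["src"]]["sports"].add(int(m["sport"]))
    report = {}
    for src, e in seen.items():
        if len(e["dsts"]) >= min_hosts:
            report[src] = {
                "hosts": len(e["dsts"]),
                "hit_broadcast": net.broadcast_address in e["dsts"],
                "sport_range": (min(e["sports"]), max(e["sports"])),
            }
    return report

if __name__ == "__main__":
    for src, info in find_snmp_sweeps(SAMPLE_LOG, "198.51.100.0/24").items():
        print(src, info)
```

A single source reaching many addresses in the block, including the broadcast address, is the kind of pattern worth raising with that network's administrator, as was done in the case quoted above.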
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:54 CDT