Date: Tue, 14 Jul 1998 16:41:02 +1000
From: "Hallam Oaks P/L list account" <maillist@oaks.com.au>
To: "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject: Large-scale scan of SNMP ports
Message-ID: <199807140640.QAA24610@mail.aussie.org>
Yesterday I detected what appears to be a large-scale scan of the 203.36 and 203.29 networks, coming from what appears to be a host connected to a local Australian provider.

The host did not respond to traceroute, even at the time that the scan was taking place, so it's presumably behind a firewall.

The host in question was sending UDP packets to the SNMP port (only) of every IP address in both of the networks I have routed here, starting from higher IPs and going to lower.

The reason why I suggest that it is 'large scale' is that they first scanned a subnet I have in the 203.36 network, and then some four hours later scanned every IP in my other subnet (a class C in 203.29). As they were going down in addresses within the subnets, it's reasonable to assume that in that four-hour period they scanned all the intervening IPs between 203.36 and 203.29.

Can anyone suggest a legitimate reason for an unknown host to send UDP packets to the SNMP ports of such an apparently large range of systems?

regards,

-- Chris
Hallam Oaks P/L
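One way to flag the pattern described in this message from packet logs, as an added example that is not part of the original post. It assumes a constructed five-field log format (`epoch src dst proto dport`), documentation-range addresses, and a hypothetical `min_targets` threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the post), documentation addresses: "epoch src dst proto dport".
SAMPLE_LOG = """\
1000 192.0.2.77 203.0.113.254 udp 161
1001 192.0.2.77 203.0.113.253 udp 161
1002 192.0.2.77 203.0.113.252 udp 161
1003 192.0.2.10 203.0.113.5 udp 161
1100 192.0.2.50 203.0.113.9 tcp 80
truncated line
15400 192.0.2.77 198.51.100.254 udp 161
15401 192.0.2.77 198.51.100.253 udp 161
15402 192.0.2.77 198.51.100.252 udp 161
"""

def parse(log):
    """Yield (ts, src, dst, proto, dport); malformed lines are skipped."""
    for line in log.splitlines():
        try:
            ts, src, dst, proto, dport = line.split()
            yield int(ts), src, ipaddress.IPv4Address(dst), proto.lower(), int(dport)
        except ValueError:
            continue  # wrong field count or unparsable value

def find_snmp_sweeps(log, min_targets=5):
    """Report sources probing UDP/161 on at least min_targets distinct hosts."""
    hits = defaultdict(list)
    for ts, src, dst, proto, dport in parse(log):
        if proto == "udp" and dport == 161:
            hits[src].append((ts, dst))
    report = {}
    for src, seen in hits.items():
        seen.sort(key=lambda h: h[0])
        order = list(dict.fromkeys(dst for _, dst in seen))  # first-seen order
        if len(order) < min_targets:
            continue  # e.g. a management station polling a few known devices
        down = sum(a > b for a, b in zip(order, order[1:]))
        report[src] = {
            "targets": len(order),
            "direction": "descending" if down == len(order) - 1
                         else "ascending" if down == 0 else "mixed",
            "subnets": sorted({str(ipaddress.ip_network(f"{d}/24", strict=False))
                               for d in order}),
            "duration_s": seen[-1][0] - seen[0][0],
        }
    return report

if __name__ == "__main__":
    print(find_snmp_sweeps(SAMPLE_LOG))
```

A single source walking addresses in one direction across more than one subnet, with a long gap between the subnets, matches the behaviour reported above; a host that repeatedly polls the same few devices stays below the threshold.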