From: Espen Torseth
To: freebsd-security@FreeBSD.ORG
Subject: RE: Large-scale scan of SNMP ports
Date: Tue, 14 Jul 1998 09:46:34 +0200

There is the possibility that someone has started "auto-discovery" in
HP-OpenView, CA UniCenter, etc. and given the wrong net-address/subnet-mask.
This has happened before, and will happen again...

Regards
Espen Torseth

> -----Original Message-----
> From: Hallam Oaks P/L list account [SMTP:maillist@oaks.com.au]
> Sent: Tuesday, July 14, 1998 8:41 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: Large-scale scan of SNMP ports
>
> Yesterday I detected what appears to be a large-scale scan of the 203.36 and
> 203.29 networks, coming from what appears to be a host connected to a local
> Australian provider. The host did not respond to traceroute, even at the time
> that the scan was taking place, so it's presumably behind a firewall.
>
> The host in question was sending UDP packets to the SNMP port (only) of every
> IP address in both of the networks I have routed here, starting from higher
> IP's and going to lower.
>
> The reason why I suggest that it is 'large scale' is that they first scanned
> a subnet I have in the 203.36 network, and then some four hours later scanned
> every IP in my other subnet (a class C in 203.29). As they were going down in
> addresses within the subnets it's reasonable to assume that in that four-hour
> period they scanned all the intervening IP's between 203.36 and 203.29.
>
> Can anyone suggest a legitimate reason for an unknown host to send UDP
> packets to the SNMP ports of such an apparently large range of systems ?
>
> regards,
>
> -- Chris
> Hallam Oaks P/L
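The sweep Chris describes (one source, UDP to the SNMP port only, many distinct destinations walked from higher addresses to lower) is easy to pick out of firewall logs. The following is an added example, not code from either poster; it parses constructed log lines in the style of FreeBSD ipfw syslog output (the addresses are documentation ranges, not real hosts) and flags sources that hit UDP/161 on at least `min_targets` distinct addresses, noting whether the targets were visited in descending order.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of FreeBSD ipfw syslog output (not a real capture).
SAMPLE_LOG = """\
Jul 13 22:14:05 gw ipfw: 300 Deny UDP 203.0.113.9:1034 203.36.10.254:161 in via ed0
Jul 13 22:14:05 gw ipfw: 300 Deny UDP 203.0.113.9:1034 203.36.10.253:161 in via ed0
Jul 13 22:14:06 gw ipfw: 300 Deny UDP 203.0.113.9:1034 203.36.10.252:161 in via ed0
Jul 13 22:14:06 gw ipfw: 300 Deny UDP 203.0.113.9:1034 203.36.10.251:161 in via ed0
Jul 13 22:14:07 gw ipfw: 300 Deny UDP 203.0.113.9:1034 203.36.10.250:161 in via ed0
Jul 13 22:14:09 gw ipfw: 300 Deny UDP 198.51.100.7:2048 203.36.10.20:161 in via ed0
Jul 13 22:14:10 gw ipfw: 300 Deny UDP 198.51.100.7:2049 203.36.10.20:161 in via ed0
Jul 13 22:14:11 gw ipfw: 300 Deny UDP 192.0.2.44:53 203.36.10.5:1025 in via ed0
"""

# Matches "ipfw: <rule> <action> UDP <src>:<sport> <dst>:<dport> " in each line.
LINE_RE = re.compile(r"ipfw: \d+ \w+ UDP (\S+):(\d+) (\S+):(\d+) ")

def parse_udp(lines):
    """Yield (src_ip, dst_ip, dst_port) for every ipfw UDP log line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def find_snmp_sweeps(lines, min_targets=4):
    """Return {src: {"targets": n, "descending": bool}} for each source that
    sent UDP/161 to at least min_targets distinct destination addresses."""
    seen = defaultdict(list)            # src -> distinct dsts in order first seen
    for src, dst, dport in parse_udp(lines):
        if dport != 161:                # SNMP only; other UDP traffic is ignored
            continue
        if dst not in seen[src]:
            seen[src].append(dst)
    result = {}
    for src, dsts in seen.items():
        if len(dsts) < min_targets:     # repeated polls of one agent are not a sweep
            continue
        nums = [int(ipaddress.ip_address(d)) for d in dsts]
        result[src] = {"targets": len(dsts),
                       "descending": all(a > b for a, b in zip(nums, nums[1:]))}
    return result

if __name__ == "__main__":
    for src, info in find_snmp_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['targets']} SNMP targets, descending={info['descending']}")
```

A management station polling its own agents repeatedly (198.51.100.7 above) is not reported, while a host walking down a range is; a misconfigured auto-discovery run, as Espen suggests, would show the same signature and can only be told apart by asking the source network's operator.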