Date: Tue, 14 Jul 1998 07:51:55 -0700
From: "registration@clinmark.com" <register@clinmark.com>
To: "Hallam Oaks P/L list account" <maillist@oaks.com.au>
Cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject: Re: Large-scale scan of SNMP ports
Message-ID: <3.0.5.32.19980714075155.0079ee60@mail.credo.net>
In-Reply-To: <199807140640.QAA24610@mail.aussie.org>
No clue, but I've seen the same thing... Looks like an SNMP discovery routine, maybe?

Steve McBride

At 04:41 PM 7/14/98 +1000, Hallam Oaks P/L list account wrote:
>Yesterday I detected what appears to be a large-scale scan of the 203.36 and
>203.29 networks, coming from what appears to be a host connected to a local
>Australian provider. The host did not respond to traceroute, even at the time
>that the scan was taking place, so it's presumably behind a firewall.
>
>The host in question was sending UDP packets to the SNMP port (only) of every
>IP address in both of the networks I have routed here, starting from higher
>IP's and going to lower.
>
>The reason why I suggest that it is 'large scale' is that they first scanned
>a subnet I have in the 203.36 network, and then some four hours later scanned
>every IP in my other subnet (a class C in 203.29). As they were going down in
>addresses within the subnets it's reasonable to assume that in that four-hour
>period they scanned all the intervening IP's between 203.36 and 203.29.
>
>Can anyone suggest a legitimate reason for an unknown host to send UDP
>packets to the SNMP ports of such an apparently large range of systems?
>
>regards,
>
>-- Chris
> Hallam Oaks P/L
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
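A defender's check for the pattern described in the quoted report (one source sending UDP to port 161 across many addresses in descending order), added here as an example and not part of the original messages. The record tuple format, the thresholds, the function names and the documentation-range IPv4 addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SNMP_PORT = 161

def find_snmp_sweeps(records, min_targets=50, min_ordered=0.9):
    """records: (epoch_seconds, src_ip, dst_ip, proto, dst_port) tuples (assumed format, IPv4)."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in records:
        if proto == "udp" and dport == SNMP_PORT:
            per_src[src].append((ts, int(ipaddress.ip_address(dst))))
    findings = []
    for src, hits in per_src.items():
        hits.sort()  # time order
        # Count each destination once, so a management station that polls
        # the same few devices repeatedly is not mistaken for a sweep.
        seen, order = set(), []
        for _, dst in hits:
            if dst not in seen:
                seen.add(dst)
                order.append(dst)
        if len(order) < max(min_targets, 2):
            continue
        steps = list(zip(order, order[1:]))
        down = sum(b < a for a, b in steps) / len(steps)
        direction = ("descending" if down >= min_ordered
                     else "ascending" if 1 - down >= min_ordered else "unordered")
        nets = sorted({str(ipaddress.ip_network((d & 0xFFFFFF00, 24))) for d in order})
        findings.append({"src": src, "targets": len(order), "direction": direction,
                         "networks": nets, "span_seconds": hits[-1][0] - hits[0][0]})
    return findings

def constructed_sample():
    """Constructed records using documentation address ranges, not data from the report."""
    recs, t0 = [], 900400000
    # One source walks two /24s from high to low addresses, four hours apart.
    for prefix, start in (("203.0.113.", t0), ("198.51.100.", t0 + 4 * 3600)):
        for i, host in enumerate(range(254, 0, -1)):
            recs.append((start + i, "192.0.2.77", f"{prefix}{host}", "udp", SNMP_PORT))
    # A management station polling the same three devices, plus unrelated DNS traffic.
    for i in range(100):
        recs.append((t0 + 60 * i, "192.0.2.10", f"198.51.100.{10 + i % 3}", "udp", SNMP_PORT))
    recs.append((t0 + 5, "192.0.2.77", "198.51.100.53", "udp", 53))
    return recs

if __name__ == "__main__":
    for finding in find_snmp_sweeps(constructed_sample()):
        print(finding)
```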