From owner-freebsd-questions Mon Jan 27 8:15:23 2003
Delivered-To: freebsd-questions@freebsd.org
From: "Kenzo" (envelope-from kenzo_chin@hotmail.com)
References: <3E35567D.9000704@potentialtech.com>
Subject: Re: snmp probe?
Date: Mon, 27 Jan 2003 10:15:14 -0600

The OS is most likely Win95 or Win98. I'll have to go there and check. We do have some Win2k comps, but I'm pretty sure that those workstations are not. Thanks, at least it gives me something. Just a simple reply like that was what I was looking for. Thanks.

----- Original Message -----
From: "Bill Moran"
To: "Kenzo"
Cc:
Sent: Monday, January 27, 2003 9:55 AM
Subject: Re: snmp probe?

> Kenzo wrote:
> > I posted this on the FreeBSD forum but didn't get any responses, just a lot of
> > people viewing it. Maybe I'm missing something or this is such a stupid
> > question that no one wants to reply, so I'll try it in here.
> >
> > "I just installed portsentry to play with, and after 10 min of setting it on
> > the network I get a probe. Looking at the message log this is what I see.
> >
> > portsentry[236]: attackalert: Connect from host: 10.x.x.x/10.x.x.x to UDP
> > port: 161
> >
> > That's the SNMP port. The address that it's coming from is just a
> > workstation. Now why would a regular workstation probe me on the SNMP port?
> >
> > What could it be?
> > Is it a program on the computer trying to look for a device on the network
> > like a JetDirect?
> > Or a virus or trojan trying to spread?"
>
> Yes.
> I'm surprised nobody has answered yet. But the problem with the question is
> that it can't be answered. There are a lot of possibilities. You're just going to
> have to visit that workstation and find out what's going on with it.
>
> > I guess I just want to know why it's doing this, and how to prevent it. It
> > may not be a virus or trojan, but it uses bandwidth to broadcast and I just
> > don't like that.
>
> True. The first thing to do is visit the workstation and see what's running.
> Make sure it isn't some backdoor or trojan. You don't state what the workstation
> is (OS-wise). If you did, you might find someone on the list who would reply
> "Oh yeah, OS xyz is known for trying to connect to port 161 on every machine on
> the network, it's perfectly harmless." or something similar.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
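Bill's advice is that a single portsentry alert cannot be judged on its own, and the admin has to look at the pattern of what each source host is touching. The following is an added example (not from the thread or from portsentry itself) that parses the `attackalert: Connect from host:` line format quoted above out of a syslog file and sorts each source into "known noise" (a single hit on UDP 161, which printer and JetDirect discovery or management agents commonly produce), "sweep" (several distinct ports, worth inspecting), or "unknown". The log lines, hostnames, and addresses are constructed, and the triage categories are the editor's heuristic, not a portsentry feature.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt; the attackalert lines follow the format
# shown in the thread, the sshd line is there to show non-matching input.
SAMPLE_LOG = """\
Jan 27 09:41:02 bsdbox portsentry[236]: attackalert: Connect from host: 10.0.0.17/10.0.0.17 to UDP port: 161
Jan 27 09:45:00 bsdbox sshd[501]: Accepted publickey for admin from 10.0.0.5
Jan 27 09:46:31 bsdbox portsentry[236]: attackalert: Connect from host: 10.0.0.17/10.0.0.17 to UDP port: 161
Jan 27 09:52:10 bsdbox portsentry[236]: attackalert: Connect from host: 10.0.0.42/10.0.0.42 to TCP port: 111
Jan 27 09:52:11 bsdbox portsentry[236]: attackalert: Connect from host: 10.0.0.42/10.0.0.42 to TCP port: 143
Jan 27 09:58:44 bsdbox portsentry[236]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 6000
"""

ATTACK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Ports a workstation commonly touches without malice; UDP 161 (SNMP) is the one
# from the thread. Extend this for your own network (assumed table, not portsentry's).
KNOWN_NOISE = {("UDP", 161): "SNMP (device/printer discovery, management agents)"}

def parse_attackalert(line):
    """Return (source ip, proto, port) for a portsentry connect alert, else None."""
    m = ATTACK_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("proto"), int(m.group("port"))

def summarize(log_text):
    """Count alerts per (source ip, proto, port); non-alert lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_attackalert(line)
        if hit:
            counts[hit] += 1
    return counts

def triage(counts, sweep_threshold=2):
    """Label each source host by the set of distinct ports it touched."""
    ports_by_host = {}
    for (ip, proto, port), _ in counts.items():
        ports_by_host.setdefault(ip, set()).add((proto, port))
    verdict = {}
    for ip, hits in ports_by_host.items():
        if len(hits) >= sweep_threshold:
            verdict[ip] = "sweep: %d distinct ports, inspect the host" % len(hits)
        elif hits <= set(KNOWN_NOISE):
            verdict[ip] = "known-noise: " + KNOWN_NOISE[next(iter(hits))]
        else:
            verdict[ip] = "unknown: visit the workstation and see what is running"
    return verdict

if __name__ == "__main__":
    for ip, verdict in sorted(triage(summarize(SAMPLE_LOG)).items()):
        print(ip, verdict)
```

On a FreeBSD box running portsentry the same functions can be fed the contents of /var/log/messages instead of the constructed sample.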