[Dshield] Re: Strange SNMP probes suddenly appearing

Jeff Kell jeff-kell at utc.edu
Wed Dec 3 02:23:05 GMT 2003


Originally, (I) Jeff Kell wrote:
> Starting yesterday afternoon, I had a local student lab machine that was 
> attempting to SNMP query our core router (its default gateway), and due 
> to a misconfiguration on the access-layer switch, I couldn't shut the 
> port down, so I simply ACL'ed the address to Null.  It was sending 
> queries every 10-15 seconds (somewhat irregularly).  It was a Windows 
> machine (answered nbtscan) and nmap only revealed a NetBIOS port open, 
> nothing else.  Suspecting a proxy, I scanned the PIX logs for the last 
> 24 hours and there was absolutely no traffic registered to/from the 
> internet, and no active NAT xlate slot either.

After finally getting an ethereal trace of traffic from the faulty 
address (a machine using an Apple Airport) I found the following:

The first packet is an SNMP query directed to the router, community name 
'public', and attempts to read 3 MIBs:
   SNMPv2-MIB::sysName.0
   SNMPv2-MIB::sysLocation.0
   SNMPv2-MIB::sysDescr.0

Almost immediately afterward is a UDP packet from that machine to the 
router on port udp/192.  It contains 4 bytes of text, 0x08 0x01 0x03 0x10.

This is very near a duplicate of some wireless dialogue I have found 
(that were exploitable), for example:

"One thing I've noticed while using the built-in firewall in Mac OS X 
...Airport does some strange things when you access the configuration 
panel ...

I see two sets of UDP port scans from the Airport to my Powerbook ... one 
from port 192 (which is allocated to Karlsbridge - the software that 
actually is running in the Airport) and another set of scans from the SNMP 
port. If my firewall blocks the traffic, I get almost the same symptoms as 
you ... everything works but you can't access the Airport to configure it. 
I posted a question to Apple and never got an answer. Maybe I will try Ohio 
State Univ (that's where the software came from originally)."

So, "something" is amiss here.  I'm just not sure I understand it all. 
But we have the symptoms nailed down, we'll have to see about the cure.
Does this ring any bells with anyone that is AirPort knowledgeable?
Since these were "rogue installs" by the department, they look like they
would be great clay pigeons for skeet shooting, but perhaps they can be
more productive.

Jeff Kell
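As an added example (not part of Jeff's post or any Apple software), a small detector for the two-packet pattern described above: it decodes the OIDs inside an SNMPv1 GET and reports a UDP/192 datagram carrying 08 01 03 10 when it follows a sysName/sysLocation/sysDescr GET from the same host. The host addresses, timestamps and the GetRequest bytes are constructed for the example.

```python
# Detector for the probe pair described above: an SNMP GET for the three system-group
# objects followed within seconds by a UDP/192 datagram with 08 01 03 10 from the same host.
SYSTEM_OIDS = {"1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.6.0", "1.3.6.1.2.1.1.1.0"}
PORT192_PAYLOAD = bytes([0x08, 0x01, 0x03, 0x10])

def _ber_tlvs(buf):
    """Yield (tag, value) pairs from BER data (short-form lengths only, < 128 bytes)."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length
def _decode_oid(value):
    """Decode a BER OBJECT IDENTIFIER value into dotted notation."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))
def snmp_oids(payload):
    """Return every OID in an SNMPv1/v2c message by walking constructed TLVs."""
    oids = []
    for tag, value in _ber_tlvs(payload):
        if tag == 0x06:
            oids.append(_decode_oid(value))
        elif tag & 0x20:  # SEQUENCE or context-tagged PDU: descend into it
            oids.extend(snmp_oids(value))
    return oids

def find_probe_pairs(records, window=2.0):
    """records: (ts, src, dport, payload) UDP datagrams towards the router.  Returns
    (src, ts) of each UDP/192 marker within `window` seconds of that host's system GET."""
    last_get, hits = {}, []
    for ts, src, dport, payload in sorted(records, key=lambda r: r[0]):
        if dport == 161 and SYSTEM_OIDS.issubset(snmp_oids(payload)):
            last_get[src] = ts
        elif dport == 192 and payload == PORT192_PAYLOAD:
            if src in last_get and ts - last_get[src] <= window:
                hits.append((src, ts))
    return hits

# Constructed SNMPv1 GetRequest, community "public", for sysName, sysLocation, sysDescr.
SYSTEM_GET = bytes.fromhex("3042 020100 0406 7075626c6963 a035 020101 020100 020100 302a"
                           "300c 0608 2b06010201010500 0500 300c 0608 2b06010201010600 0500"
                           "300c 0608 2b06010201010100 0500")
SAMPLE = [(0.0, "10.1.1.50", 161, SYSTEM_GET), (0.4, "10.1.1.50", 192, PORT192_PAYLOAD),
          (5.0, "10.1.1.77", 192, PORT192_PAYLOAD),  # constructed: no GET before it
          (12.0, "10.1.1.50", 161, SYSTEM_GET), (12.3, "10.1.1.50", 192, PORT192_PAYLOAD)]
```

Feeding real capture data means extracting (timestamp, source, destination port, UDP payload) from the trace; the pairing logic itself is what separates this Airport-style dialogue from an ordinary SNMP poll.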
