
RE: SNMP Weirdness

From: James C Slora Jr <Jim.Slora(at)phra.com>
Date: Thu Jan 23 2003 - 15:00:26 EST


Keith Pachulski wrote Monday, January 20, 2003 14:10

> Has anyone seen this behavior, if so care to share the details

This won't be much help, but here is what I have. I've seen one similar ASN.1 alert in the past few days. The probe hit just one host out of a Class C - it did not use a broadcast address like yours did. The probe was against a mail server.

01/18/03-18:18:19.542110 217.207.57.98:27194 -> justonehost:161 UDP TTL:108 TOS:0x0 ID:23131 IpLen:20 DgmLen:265 Len: 245
(Payload snipped - it was identical to yours)

Trigger for the alert - dgmlen 265 is greater than the packet length 245.

IP Address: 217.207.57.98
HostName: mail.city-cab.org.uk
descr: City Of London Citizens Advice Bureau

That host generated similar probes to more than a thousand other systems that day, so I suspect it was a compromised host being used to attack others.

Nothing followed this single probe, so I have no further details about it.


> I originally saw these from an internal firewall, after

Broadcast for print services would be an easy way for a worm to find vulnerable hosts, since so many unpatched print servers have SNMP vulnerabilities.

One explanation could be a print services discovery tool, but I think this is hostile and crafted traffic because the dgmlen 265 is greater than the packet length 245.

The PROTOS test suite makes use of this type of broadcast address to quickly sweep a network. Since the packets are UDP, it would not be hard to spoof multiple source addresses to mask the true attack source.
http://www.cert.org/advisories/CA-2002-03.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise110

I guess the key here is the responses that are being sent back to the originating addresses, and the followup traffic.
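The post's trigger condition, an IP datagram length that does not agree with the UDP length the sensor reports, is a header consistency check that can be run over logged header lines after the fact. The Python below is an added example for this archive page, not code from the poster, Snort or the ARIS service. It assumes the field meanings Snort's text logger uses (IpLen is the IP header length, DgmLen is the IP total-length field, Len is the UDP length field minus the 8-byte UDP header, i.e. the payload length), parses one-line UDP headers in the layout quoted above, flags datagrams whose lengths disagree, and counts how many distinct SNMP targets each source touched, the fan-out the poster used to judge that the probing host was likely compromised. The log lines, addresses and ID values are constructed for the example.

```python
"""Consistency check for Snort-style UDP header lines (added example, not from the post).

Assumed field semantics (Snort text logger): IpLen = IP header length,
DgmLen = IP total-length field, Len = UDP length field minus the 8-byte UDP
header, i.e. the UDP payload length. A well-formed datagram therefore has
DgmLen == IpLen + 8 + Len; anything else is a crafted or corrupted header.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP_HEADER_LEN = 8
SNMP_PORT = 161

# One-line header layout as quoted in the post, e.g.
# 01/18/03-18:18:19.542110 198.51.100.7:27194 -> 192.0.2.25:161 UDP TTL:108 TOS:0x0 ID:23131 IpLen:20 DgmLen:265 Len: 245
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+UDP"
    r"\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)"
    r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?:\s+DF)?\s+Len:\s*(?P<len>\d+)"
)


@dataclass
class UdpRecord:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    ip_id: int
    iplen: int        # IP header length in bytes
    dgmlen: int       # IP total-length field in bytes
    payload_len: int  # UDP payload length (UDP length field - 8)


def parse_udp_header(line: str) -> Optional[UdpRecord]:
    """Parse one header line; return None for lines in any other layout."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return UdpRecord(
        ts=g["ts"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), ttl=int(g["ttl"]),
        ip_id=int(g["id"]), iplen=int(g["iplen"]),
        dgmlen=int(g["dgmlen"]), payload_len=int(g["len"]),
    )


def expected_dgmlen(rec: UdpRecord) -> int:
    """IP total length implied by the IP header, UDP header and UDP payload."""
    return rec.iplen + UDP_HEADER_LEN + rec.payload_len


def has_length_mismatch(rec: UdpRecord) -> bool:
    """True when the IP total-length field disagrees with the UDP length."""
    return rec.dgmlen != expected_dgmlen(rec)


def analyze(lines: List[str]) -> Tuple[List[UdpRecord], Dict[str, int]]:
    """Return (SNMP datagrams with inconsistent lengths, distinct SNMP targets per source)."""
    mismatches: List[UdpRecord] = []
    targets_by_src: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_udp_header(line)
        if rec is None or rec.dport != SNMP_PORT:
            continue  # unparseable or not SNMP; out of scope here
        targets_by_src[rec.src].add(rec.dst)
        if has_length_mismatch(rec):
            mismatches.append(rec)
    fanout = {src: len(dsts) for src, dsts in targets_by_src.items()}
    return mismatches, fanout


# Constructed sample log. The first two lines copy the length fields quoted in
# the post (DgmLen 265 vs. 20 + 8 + 245 = 273) with placeholder addresses.
SAMPLE_LOG = [
    "01/18/03-18:18:19.542110 198.51.100.7:27194 -> 192.0.2.25:161 UDP TTL:108 TOS:0x0 ID:23131 IpLen:20 DgmLen:265 Len: 245",
    "01/18/03-18:18:19.544301 198.51.100.7:27194 -> 192.0.2.26:161 UDP TTL:108 TOS:0x0 ID:23132 IpLen:20 DgmLen:265 Len: 245",
    # consistent SNMP datagram: 20 + 8 + 64 == 92
    "01/18/03-18:20:02.000000 192.0.2.10:41234 -> 192.0.2.25:161 UDP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:92 Len: 64",
    # DNS, not SNMP: parsed but ignored by analyze()
    "01/18/03-18:21:00.000000 192.0.2.10:53211 -> 192.0.2.53:53 UDP TTL:64 TOS:0x0 ID:4243 IpLen:20 DgmLen:61 Len: 33",
]

if __name__ == "__main__":
    bad, fanout = analyze(SAMPLE_LOG)
    for rec in bad:
        print(f"{rec.ts} {rec.src} -> {rec.dst}: DgmLen {rec.dgmlen}, "
              f"header+payload imply {expected_dgmlen(rec)}")
    for src, n in sorted(fanout.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} distinct SNMP target(s)")
```

Run against a sensor's header lines, the mismatch list is what to pull payloads for, and a source with a high distinct-target count alongside malformed headers is the sweep pattern the poster describes rather than a misconfigured management station.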



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Received on Sat Jan 25 10:13:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

