From: Bill Moran <wmoran@potentialtech.com>
Date: Mon, 27 Jan 2003 10:55:41 -0500
To: Kenzo
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: snmp probe?

Kenzo wrote:
> I posted this on the FreeBSD forum but didn't get any responses, just a lot
> of people viewing it. Maybe I'm missing something or this is such a stupid
> question that no one wants to reply, so I'll try it in here.
>
> "I just installed portsentry to play with, and after 10 min of setting it on
> the network I get a probe.
> Looking at the message log this is what I see.
>
> portsentry[236]: attackalert: Connect from host: 10.x.x.x/10.x.x.x to UDP
> port: 161
>
> That's the snmp port. The address that it's coming from is just a
> workstation. Now why would a regular workstation probe me on the snmp port?
>
> What could it be?
> Is it a program on the computer trying to look for a device on the network
> like a JetDirect?
> Or a virus or trojan trying to spread?"

Yes. I'm surprised nobody has answered yet. But the problem with the question
is that it can't be answered. There are a lot of possibilities. You're just
going to have to visit that workstation and find out what's going on with it.

> I guess I just want to know why it's doing this, and how to prevent it. It
> may not be a virus or trojan, but it uses bandwidth to broadcast and I just
> don't like that.

True. The first thing to do is visit the workstation and see what's running.
Make sure it isn't some backdoor or trojan. You don't state what the
workstation is (OS-wise). If you did, you might find someone on the list who
would reply "Oh yeah, OS xyz is known for trying to connect to port 161 on
every machine on the network, it's perfectly harmless." or something similar.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
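Before walking over to the workstation, it helps to know whether portsentry has seen one source touching only UDP/161 (what a periodic SNMP discovery from a management agent or printer-finder looks like) or the same source walking through many ports (a scan worth escalating). The script below is an added example, not code from the original thread or from portsentry itself. It parses the `attackalert: Connect from host: name/ip to PROTO port: N` line format quoted in the post (the regex assumes that format and nothing else), groups hits per source address, and applies a small heuristic labelling. The syslog excerpt and addresses are constructed for the example; the `scan_threshold` value is an arbitrary choice.

```python
import re
from collections import defaultdict

# Matches the attackalert line format shown in the post. The "name/ip" field is
# portsentry's resolved-name/address pair; when reverse DNS fails the address
# appears twice, as in the quoted "10.x.x.x/10.x.x.x".
ALERT_RE = re.compile(
    r"portsentry\[(?P<pid>\d+)\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed sample syslog excerpt (not from the original post). 10.0.0.23
# only ever hits UDP/161; 10.0.0.77 walks several ports; the sshd line is
# there to show non-portsentry entries are ignored.
SAMPLE_LOG = """\
Jan 27 10:44:01 gw portsentry[236]: attackalert: Connect from host: 10.0.0.23/10.0.0.23 to UDP port: 161
Jan 27 10:54:01 gw portsentry[236]: attackalert: Connect from host: 10.0.0.23/10.0.0.23 to UDP port: 161
Jan 27 10:46:12 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to TCP port: 23
Jan 27 10:46:12 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to TCP port: 111
Jan 27 10:46:13 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to TCP port: 143
Jan 27 10:46:13 gw portsentry[236]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to UDP port: 161
Jan 27 10:50:00 gw sshd[511]: Accepted publickey for bill from 10.0.0.5 port 40112 ssh2
"""


def parse_alerts(text):
    """Yield (ip, proto, port) for every portsentry attackalert line; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("proto"), int(m.group("port"))


def summarize(text, scan_threshold=3):
    """Group alerts per source address and attach a heuristic label.

    Labels (chosen for this example, not portsentry's own):
      "snmp-only"  every hit from the source is UDP/161, consistent with a
                   periodic SNMP discovery sweep by some agent on that host
      "scan"       at least scan_threshold distinct proto/port pairs
      "other"      anything else; look at the port list by hand
    """
    hits = defaultdict(lambda: defaultdict(int))
    for ip, proto, port in parse_alerts(text):
        hits[ip][(proto, port)] += 1

    report = {}
    for ip, ports in hits.items():
        distinct = set(ports)
        if distinct == {("UDP", 161)}:
            label = "snmp-only"
        elif len(distinct) >= scan_threshold:
            label = "scan"
        else:
            label = "other"
        report[ip] = {
            "label": label,
            "hits": sum(ports.values()),
            "ports": sorted(distinct),
        }
    return report


if __name__ == "__main__":
    # Usage: python3 portsentry_triage.py < /var/log/messages  (or run as-is
    # on the constructed sample when no stdin is given)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, info in sorted(summarize(data).items()):
        print(f"{ip:15} {info['label']:10} hits={info['hits']:3} ports={info['ports']}")
```

A source labelled "snmp-only" with hits spaced minutes apart is the pattern Kenzo describes; the label does not prove the traffic is benign, it only says the next step is to find which process on that host sends SNMP, not to treat it as a scanner. Anything labelled "scan" deserves a look at the workstation first.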