From: "Hallam Oaks P/L list account"
To: "freebsd-security@FreeBSD.ORG"
Date: Tue, 14 Jul 1998 16:41:02 +1000
Subject: Large-scale scan of SNMP ports

Yesterday I detected what appears to be a large-scale scan of the 203.36 and 203.29 networks, coming from what appears to be a host connected to a local Australian provider. The host did not respond to traceroute, even at the time that the scan was taking place, so it's presumably behind a firewall.

The host in question was sending UDP packets to the SNMP port (only) of every IP address in both of the networks I have routed here, starting from higher IP's and going to lower.

The reason why I suggest that it is 'large scale' is that they first scanned a subnet I have in the 203.36 network, and then some four hours later scanned every IP in my other subnet (a class C in 203.29). As they were going down in addresses within the subnets it's reasonable to assume that in that four-hour period they scanned all the intervening IP's between 203.36 and 203.29.

Can anyone suggest a legitimate reason for an unknown host to send UDP packets to the SNMP ports of such an apparently large range of systems?

regards,

-- Chris
Hallam Oaks P/L
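
An added example, not part of the original message: one way to pick the pattern described above (a single source sending UDP to port 161 on many addresses, walking downward) out of packet-filter logs. The ipfw-style log format, the name `snmp_sweeps`, the threshold and every address (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the message): ipfw-style syslog lines, format assumed.
# All addresses are documentation ranges (RFC 5737).
FMT = "Jul 13 12:00:{:02d} gw /kernel: ipfw: 600 Deny UDP {}:{} {}:{} in via ed0"
SAMPLE_LOG = "\n".join(
    # One source walking downward through a /24, SNMP port only.
    [FMT.format(i, "192.0.2.10", 1029, f"203.0.113.{254 - i}", 161) for i in range(10)]
    # A management station polling a single agent repeatedly.
    + [FMT.format(20 + i, "198.51.100.5", 1500, "203.0.113.20", 161) for i in range(3)]
    # Unrelated UDP traffic from the first source.
    + [FMT.format(30, "192.0.2.10", 1030, "203.0.113.1", 53)]
)

LINE_RE = re.compile(r"ipfw: \d+ \w+ UDP ([\d.]+):(\d+) ([\d.]+):(\d+)")


def snmp_sweeps(log_text, min_targets=5):
    """Summarise sources that sent UDP/161 to at least min_targets distinct hosts."""
    seen = defaultdict(dict)  # source -> {destination: None}, kept in arrival order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(4) != "161":
            continue  # not a parseable UDP line, or not aimed at the SNMP port
        seen[m.group(1)].setdefault(ipaddress.ip_address(m.group(3)), None)

    report = {}
    for src, dsts in seen.items():
        order = [int(d) for d in dsts]
        if len(order) < min_targets:
            continue  # a poller talking to a few known agents is not a sweep
        # Count steps where the next new destination is numerically lower.
        falling = sum(1 for a, b in zip(order, order[1:]) if b < a)
        descending = falling > (len(order) - 1) / 2
        report[src] = {
            "targets": len(order),
            "direction": "descending" if descending else "ascending or mixed",
            "highest": str(max(dsts)),
            "lowest": str(min(dsts)),
        }
    return report


if __name__ == "__main__":
    for src, info in snmp_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

Counting distinct destinations per source, rather than packets, is what separates a sweep from a management station that polls the same few agents all day.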