From owner-freebsd-security Tue Jul 14 06:34:31 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id GAA02990
    for freebsd-security-outgoing; Tue, 14 Jul 1998 06:34:31 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gw.jmrodgers.com (gw.jmrodgers.com [205.247.224.2])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA02983
    for ; Tue, 14 Jul 1998 06:34:27 -0700 (PDT)
    (envelope-from meuston@jmrodgers.com)
Received: from max.jmrodgers.com (max.jmrodgers.com [205.247.224.209])
    by gw.jmrodgers.com (8.8.8/8.8.8) with SMTP id JAA12782;
    Tue, 14 Jul 1998 09:33:38 -0400 (EDT)
    (envelope-from meuston@jmrodgers.com)
Received: by localhost with Microsoft MAPI; Tue, 14 Jul 1998 09:33:37 -0400
Message-ID: <01BDAF0A.7A41AC60.meuston@jmrodgers.com>
From: Max Euston
To: "'Espen Torseth'" , "freebsd-security@FreeBSD.ORG"
Subject: RE: Large-scale scan of SNMP ports
Date: Tue, 14 Jul 1998 09:33:35 -0400
Organization: J.M. Rodgers Co., Inc.
X-Mailer: Microsoft Internet E-mail/MAPI - 8.0.0.4211
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tuesday, July 14, 1998 3:47 AM, Espen Torseth [SMTP:Espen.Torseth@sds.no] wrote:
> There is the possibility that someone has started "auto-discovery" in
> HP-OpenView, CA UniCenter, etc. and given the wrong
> net-address/subnet-mask. This has happened before, and will happen
> again...
>
> Regards
> Espen Torseth
>
[snip]
> > Yesterday I detected what appears to be a large-scale scan of the 203.36
> > and 203.29 networks, coming from what appears to be a host connected to
> > a local Australian provider. The host did not respond to traceroute,
> > even at the
[snip]

I concur. I regularly get these scans. I am almost ready to stop following
up on them (I have stopped about a half dozen of them) since there seems to
be no end in sight.
Each time it has been HP JetAdmin software on Windows 95 machines that was
configured incorrectly. You can check out http://web.mit.edu/network/hpfix/
as a starting point (it helped me solve the problem).

Your best bet is to get the source's ISP to contact them (or tell you who
they are) and have them (source) block it at their gateway.

Max

---
Max Euston