Security Incidents: Re: SNMP vulnerability test?

[Eric Brandwine <ericb () UU NET>]

> > > > > "vk" == Valdis Kletnieks <Valdis.Kletnieks () vt edu> writes:
> > What're they printing from?  I'd check that first.  The number of
> > win98/nt/2k hosts listening on SNMP is terrifying.
vk> How did it get turned on?  Microsoft said in the CERT advisory:

vk>      Summary:
vk>      All  Microsoft  implementations  of  SNMP  v1  are  affected by the
vk>      vulnerability.  The  SNMP v1 service is not installed or running by
vk>      default on any version of Windows. A patch is underway to eliminate
vk>      the  vulnerability.  In  the  meantime,  we recommend that affected
vk>      customers disable the SNMP v1 service.

vk> Is this like the "W2K doesn't install IIS, but if you upgraded a
vk> machine that had Personal Webpage (or whatever it was) it will
vk> upgrade that to IIS"?

Win2k Server does install and listen on snmpv1, public by default (at
least our CDs of it do).  I have no idea how or why it was enabled,
but a little quick scanning turned up some scary results.

Similarly, we disable snmpdx on all our Sun hardware.  Several patches
from Sun re-enable this service.  They don't restart it, they just
replace the /etc/rc3.d/S76snmpdx init script.  So the next time the
system boots, you get a happy surprise.

ericb
-- 
Eric Brandwine     |  There are only two truly infinite things, the universe
UUNetwork Security |  and stupidity.  And I am unsure about the universe.
ericb () uu net       |
+1 703 886 6038    |      - Albert Einstein
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com