Security Incidents mailing list archives

Re: Slow SNMP scan...


From: Borja Marcos <borjam () sarenet es>
Date: Mon, 18 Feb 2002 10:35:08 +0100

On Saturday 16 February 2002 03:55, you wrote:
> We had one that started on 10 February at 1524 PST and didn't end
> until 2055 PST on 13 February:
> 
> First two:
> 
> Feb 10 15:24:03   195.77.170.25(2079) -> 192.52.153.1(161)
> Feb 10 15:45:08   195.77.170.25(2079) -> 192.52.153.2(161)
> 
> Last two:
> 
> Feb 13 20:55:39   195.77.170.25(2079) -> 192.52.153.240(161)
> Feb 13 21:14:56   195.77.170.25(2079) -> 192.52.153.241(161)

        I am detecting them, too. I have contacted them by phone, and they say that 
their mail server has a Jetadmin program that detects printers automatically 
and about two weeks ago "it started to detect lots of printers all over the 
world".

        It might be a misconfigured program doing a "discover" to all 192. 
addresses (our AS has 194 and 212 address space but we have seen only probes to 
192), but I am not sure (I don't know the program they are using).

        Anyway, I have told them that their server may be compromised and perhaps it 
is being used to launch attacks (the 20-minute delay looks like a stealth 
scan). They are going to disable the "discover" feature and we will check if 
the scans cease.

        I will get back to the list with the result.




        Borja Marcos.
        
-- 
__________________________________________________________________
Borja Marcos                      * borjam () sarenet es
Responsable de seguridad          * Tel: +34 944209470
SARENET S.A.                      * Fax: +34 944209465
Parque Tecnologico, 103           *
48170 - Zamudio (Bizkaia) SPAIN   *
__________________________________________________________________
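The probes above have the shape a rate-based IDS misses: one packet from the same source port every twenty minutes or so, walking a /24 one host at a time. The script below is an added example (not from the post or from the list) that parses log lines in the format quoted above and reports sources whose udp/161 probes hit strictly increasing destination addresses with a minimum inter-probe gap above a threshold. The sample log, the year 2002 (syslog-style lines carry none), the `min_gap_s` and `min_hosts` thresholds, and the second "fast burst" source are constructed assumptions.

```python
"""Detect slow, sequential SNMP (udp/161) sweeps in firewall-style log lines.

Added example, not code from the original list post. The line format mimics
the lines quoted in the post: "Mon DD HH:MM:SS   src(sport) -> dst(dport)".
The sample log, the assumed year and the thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)

# Constructed sample: the four probes quoted in the post, plus a burst from a
# second (made-up) host that walks addresses quickly and so is NOT a slow sweep.
SAMPLE_LOG = """\
Feb 10 15:24:03   195.77.170.25(2079) -> 192.52.153.1(161)
Feb 10 15:45:08   195.77.170.25(2079) -> 192.52.153.2(161)
Feb 13 20:55:39   195.77.170.25(2079) -> 192.52.153.240(161)
Feb 13 21:14:56   195.77.170.25(2079) -> 192.52.153.241(161)
Feb 11 09:00:00   10.0.0.5(40001) -> 192.52.153.7(161)
Feb 11 09:00:01   10.0.0.5(40001) -> 192.52.153.8(161)
Feb 11 09:00:02   10.0.0.5(40001) -> 192.52.153.9(161)
"""


def parse_line(line, year=2002):
    """Return (timestamp, src, sport, dst, dport) or None for non-matching lines.
    The year is an assumption: the log lines do not carry one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_slow_sweeps(log_text, dport=161, min_gap_s=600, min_hosts=3):
    """Group probes by (src, sport) aimed at dport and report those whose
    destination hosts strictly increase (a sequential walk) and whose
    smallest inter-probe gap is at least min_gap_s seconds (paced to stay
    under per-second or per-minute rate thresholds)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4] == dport:
            ts, src, sport, dst, _ = rec
            by_src[(src, sport)].append((ts, ip_address(dst)))

    findings = {}
    for key, probes in by_src.items():
        if len(probes) < min_hosts:
            continue
        probes.sort()  # chronological order regardless of log order
        dsts = [d for _, d in probes]
        sequential = all(a < b for a, b in zip(dsts, dsts[1:]))
        gaps = [(b - a).total_seconds()
                for (a, _), (b, _) in zip(probes, probes[1:])]
        if sequential and min(gaps) >= min_gap_s:
            findings[key] = {
                "hosts": len(dsts),
                "first": probes[0][0],
                "last": probes[-1][0],
                "min_gap_s": min(gaps),
                "span_s": (probes[-1][0] - probes[0][0]).total_seconds(),
            }
    return findings


if __name__ == "__main__":
    for (src, sport), info in find_slow_sweeps(SAMPLE_LOG).items():
        print(f"slow udp/{161} sweep from {src}:{sport}: {info['hosts']} hosts, "
              f"{info['first']} .. {info['last']}, min gap {info['min_gap_s']:.0f}s")
```

Run against the constructed sample, only 195.77.170.25:2079 is reported; the three-second burst from 10.0.0.5 walks addresses in order but fails the pacing test. The constant source port is what makes the grouping key reliable here: a host that re-used its socket across days, as in the post, stands out, while a scanner that rotates source ports would need grouping on source address alone.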


