Incident: 03-12-02 udp:161

From CERT: http://www.cert.org/advisories/CA-2002-03.html

"Numerous vulnerabilities have been reported in multiple vendors' SNMP implementations. These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below."

Is this what's going on? A probe for the default community string "public"..? Continuing from CERT:

"III. Solution

"Change default community strings:

"Most SNMP-enabled products ship with default community strings of "public" for read-only access and "private" for read-write access. As with any known default access control mechanism, the CERT/CC recommends that network administrators change these community strings to something of their own choosing. However, even when community strings are changed from their defaults, they will still be passed in plaintext and are therefore subject to packet sniffing attacks. SNMPv3 offers additional capabilities to ensure authentication and privacy as described in RFC2574."


snort2html.plx:

Mar 12 23:59:38 - snort [1:0:0] UDP to 161 snmp 
  Source IP: 63.105.155.50   Source port: 12542 
Source host: masq.railamerica.com
  Target IP: 12.82.141.8   Target port: 161   Proto: UDP 
Target host: 8.seattle-15-20rs.wa.dial-access.att.net



snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/12-23:59:38.170060 63.105.155.50:12542 -> 12.82.141.8:161
UDP TTL:112 TOS:0x0 ID:53838 IpLen:20 DgmLen:265
Len: 245
30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81  0.......public..
DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06  ..........0..0..
07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06  .+........0...+.
01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01  .......0...+....
01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01  ....0...+.......
06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01  ...0...+........
05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03  ..0...+.........
05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01  ..0...+.........
01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03  ....0...+.......
09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B  ......0...+.....
02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04  ........0...+...
01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06  ..........0...+.
01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B  ...........0...+
06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B  ............0...
2B 06 01 04 01 0B 02 04 03 0D 01 05 00           +............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================

Snort processed 1 packets.
Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0         
    UDP: 1          (100.000%)         LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 63.105.155.50
connecting to whois.arin.net [63.146.182.182:43] ...
UUNET Technologies, Inc. (NETBLK-UUNET63) UUNET63 
  63.64.0.0 - 63.127.255.255

Railtex (NETBLK-UU-63-105-155)UU-63-105-155
  63.105.155.0 - 63.105.155.255


Request: NETBLK-UU-63-105-155@whois.arin.net
connecting to whois.arin.net [63.146.182.182:43] ...

Railtex (NETBLK-UU-63-105-155)
   4040 Broadway
   San Antonio, TX 78209
   US    

Netname: UU-63-105-155
   Netblock: 63.105.155.0 - 63.105.155.255    

Coordinator:
      Burgess, John  (JB1444-ARIN)  jburgess@railtex.com
      210-841-8258 

   Record last updated on 07-Jun-2000.
   Database last updated on  15-Mar-2002 19:57:41 EDT.


host:

[toot@sparky /storage/snort/old_snorts/031202]# host 63.105.155.50
50.155.105.63.in-addr.arpa. domain name pointer masq.railamerica.com.






jsage@finchhaven.com
Last modified: Sat Mar 16 15:29:00 2002