
Re: Re: My Firewall Sending Erroneous SNMP Messages



Some worthy comments received regarding the subject posting!

-----Original Message-----
From: David A. Ranch 
Sent: Friday, October 07, 2005 12:39 AM
To: David Gowdy
Subject: Re: FW: My Firewall Sending Erroneous SNMP Messages


Hello David,

So a few questions:

1. When you were running tcpdump, were you running this on ppp0 or eth0?
   It looks like you were running this on eth0, which is incorrect.

If you were running it on eth0, this traffic might be normal.  Many DSL
ISPs use private addresses for the ethernet interface but put the public
IP on the ppp interface.

2. In the decode, the SNMP packet is from the source "70.108.83.244",
which is listed as "pool-70.108.83.244.res.east.verizon.net".  Is that
the IP address on your ppp0 interface?

3. Via Google, it shows up that the SNMP OID is for finding out network-enabled
printer status.  Does that sound familiar?

4. What's interesting with this decode (did this come from tcpdump or
something like Ethereal?) is the vendors of the Ethernet MAC addresses.
   Do these vendors sound familiar?

    Source: 3com_ff:0c:a8 (00:50:04:ff:0c:a8)
    Destination: Cisco_6f:91:08 (00:50:73:6f:91:08)

5. This SNMP poll is VERY old and very basic:
    - It's using SNMPv1, which is really old
    - It's using a community of "public", which is very insecure
    - 1.3.6.1.2.1.25.3.2.1.5.1


6. I think this email sums it up.  You have a rogue network printer.

http://bob.marlboro.edu/wiki04/Wiki.jsp?page=HaveIBeenHacked

--David


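As an added example (not part of the original exchange), here is a small Python check that decodes a captured UDP/161 payload and flags the two weaknesses the reply points out: SNMPv1 and the default "public" community. The sample packet is constructed to match the decode in the mail (a GetRequest for 1.3.6.1.2.1.25.3.2.1.5.1); the helper names are my own.

```python
"""Flag SNMPv1 'public' polls in a captured UDP/161 payload (added example)."""

# Constructed sample: SNMPv1 GetRequest for 1.3.6.1.2.1.25.3.2.1.5.1
# (hrDeviceStatus.1, HOST-RESOURCES-MIB) with community "public".
SAMPLE_SNMPV1 = bytes.fromhex(
    "3029"                          # SEQUENCE, 41 bytes
    "020100"                        # version INTEGER 0 = SNMPv1
    "04067075626c6963"              # community OCTET STRING "public"
    "a01c"                          # GetRequest-PDU, 28 bytes
    "020101" "020100" "020100"      # request-id, error-status, error-index
    "3011" "300f"                   # VarBindList, VarBind
    "060b2b06010201190302010501"    # OID 1.3.6.1.2.1.25.3.2.1.5.1
    "0500"                          # NULL value (not yet answered)
)

def _tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (multi-byte)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode a BER OBJECT IDENTIFIER into dotted form."""
    parts, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:                       # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def parse_snmp(payload):
    """Return version, community, PDU tag and polled OIDs of an SNMP message."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, vblist, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = _tlv(vblist, pos)
        _, oid_raw, _ = _tlv(vb, 0)
        oids.append(_oid(oid_raw))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu": pdu_tag, "oids": oids}

def weaknesses(payload):
    """List the review points from the mail: SNMPv1 and a default community."""
    info, findings = parse_snmp(payload), []
    if info["version"] == 0:
        findings.append("SNMPv1 (cleartext, no authentication)")
    if info["community"] in ("public", "private"):
        findings.append("default community '%s'" % info["community"])
    return findings
```

Feed it the UDP payload of any SNMP packet captured on the ppp interface to see whether the same two findings come back.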
