
Re: Tracking down IP's



On Sun, Dec 31, 2000 at 12:16:59PM -0700, JD Kitch wrote:

> Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)

I don't know what tool generated this log entry. This is a situation where a
good IDS such as snort would shed a lot of light. For example, grepping a
set of snort rules for that port yields:

misc-lib:alert udp any any -> $HOME_NET 161 (msg: "SNMP public access"; content:"public";)

misc-lib:alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS"; dsize:0;)

netbios-lib:alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b 06 10 40 14 d1 02 19|";) 

vision.conf:alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS333/SNMP-NT-UserList"; content: "|2b 06 10 40 14 d1 02 19|";)

Follow up by surfing to (see last line above)

http://www.whitehats.com/IDS/333

and also that Bugtraq ID looks interesting.

What I gather is that this could be a student at isi.edu, which is
apparently part of the Univ. of California, trying his or her hand at
configuring an NT box in some weird way. Who knows?

I would send a very nice comment to someone there along with your data and
see what comes of it.

-- 
Bob Bernstein
at
Esmond, Rhode Island, USA              
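An added example, not part of the thread above: a small Python parser for the ipchains "Packet log:" line format quoted in the message, plus a check of the parsed packet against the header part (protocol, source, destination, port) of the snort rules listed. The sample line, the placeholder source address and the $HOME_NET value are constructed; the kernel log carries no payload, so the rules' content: and dsize: tests cannot be evaluated from it, which is exactly why an IDS is needed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the ipchains "Packet log:" format quoted in the thread;
# 198.51.100.7 is a documentation address standing in for the masked xx.xx.xxx.xx.
SAMPLE = ("Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 "
          "198.51.100.7:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-f]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-f]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

HOME_NET = ip_network("172.16.72.0/24")  # assumed value for snort's $HOME_NET

def parse_packet_log(line):
    """Return the fields of an ipchains packet-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "ttl": int(d["ttl"]),
        "rule": int(d["rule"]) if d["rule"] else None,   # the "(#43)" chain rule number
    }

def _in_spec(addr, spec):
    """Evaluate a snort address spec: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if spec == "any":
        return True
    inside = ip_address(addr) in HOME_NET
    return not inside if spec.startswith("!") else inside

def matches_header(pkt, proto, src_spec, dst_spec, dport):
    """Check only the rule header 'proto src any -> dst dport'; payload tests
    (content:, dsize:) need the packet bytes, which the kernel log does not keep."""
    if pkt is None or pkt["proto"] != proto or pkt["dport"] != dport:
        return False
    return _in_spec(pkt["src"], src_spec) and _in_spec(pkt["dst"], dst_spec)
```

With the constructed sample, the "!$HOME_NET any -> $HOME_NET 161" header of the BUGTRAQ and NETBIOS rules matches, so the entry is worth handing to an IDS with full packet capture for the content checks.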


