portsentry: port 162 attack
I have a sid system and installed portsentry on it (and several other
woody machines in the department).
I left it in log-only mode, but immediately after starting it up, I
discovered that a machine of a colleague of mine is
banging away (every three minutes exactly) on port 162 (snmp-trap) on
all the machines in our subnet, but on no machines outside the subnet.
I also have a debian potato box in a different subnet doing the same
thing to all the machines in its subnet.
While my colleague has perhaps been a little slack in maintaining
upgrades, the potato machine is always upgraded as soon as a security
upgrade appears. So while it is possible both machines have been
hacked, I am leaning against that opinion for the moment, largely
because the activity seems restricted to the subnet.
I have no idea how to track this down. I can see no process he is
running which would indicate the activity, and certainly there is
nothing in the logs. The password and shadow files have the same
timestamp and haven't been changed (apparently) since October.
On my machine netstat -a | grep snmp returns
udp 0 0 *:snmp *:*
udp 0 0 *:snmp-trap *:*
On his machine, it returns nothing.
Any ideas on whether this is a real concern and/or how to track it down
would be greatly appreciated.
Thanks
Tom
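An added example, not part of Tom's post or of portsentry itself: a small Python script that reads portsentry-style syslog lines in log-only mode and flags sources that hit the same port at a fixed interval. The log line format, hostnames, addresses and timestamps are all assumed and constructed for this example; it shows how the "every three minutes exactly" pattern described above can be separated mechanically from irregular probes before deciding whether a host is compromised or simply running a scheduled SNMP trap sender.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in the shape portsentry writes to syslog while in
# log-only mode. The exact format is assumed from portsentry 1.x; the host
# names, addresses, pid and times are made up for this example.
SAMPLE_LOG = """\
Jan 12 10:00:00 sid portsentry[812]: attackalert: Connect from host: colleague/192.0.2.17 to UDP port: 162
Jan 12 10:03:00 sid portsentry[812]: attackalert: Connect from host: colleague/192.0.2.17 to UDP port: 162
Jan 12 10:04:11 sid portsentry[812]: attackalert: Connect from host: scanner/198.51.100.9 to TCP port: 111
Jan 12 10:04:13 sid portsentry[812]: attackalert: Connect from host: scanner/198.51.100.9 to TCP port: 111
Jan 12 10:05:40 sid portsentry[812]: attackalert: Connect from host: scanner/198.51.100.9 to TCP port: 111
Jan 12 10:06:00 sid portsentry[812]: attackalert: Connect from host: colleague/192.0.2.17 to UDP port: 162
Jan 12 10:07:30 sid portsentry[812]: attackalert: Connect from host: laptop/192.0.2.40 to UDP port: 162
Jan 12 10:09:00 sid portsentry[812]: attackalert: Connect from host: colleague/192.0.2.17 to UDP port: 162
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+portsentry\[\d+\]:\s+"
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)


def parse(lines, year=2003):
    """Yield (timestamp, src_ip, proto, port) for each alert line.

    Syslog timestamps carry no year, so one is assumed (default 2003 is an
    arbitrary choice for this example); lines that do not match are skipped.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["proto"], int(m["port"])


def periodic_sources(lines, min_hits=3, max_jitter=5.0):
    """Group alerts by (src_ip, proto, port) and return the groups whose
    inter-arrival gaps are nearly constant, mapped to the period in seconds.

    A near-zero spread of the gaps (pstdev <= max_jitter seconds) is the
    signature of a scheduled sender such as a cron job or a trap daemon's
    heartbeat; a scanner's bursts produce widely varying gaps and are left out.
    """
    hits = defaultdict(list)
    for ts, ip, proto, port in parse(lines):
        hits[(ip, proto, port)].append(ts)

    periodic = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            periodic[key] = round(mean(gaps))
    return periodic


if __name__ == "__main__":
    for (ip, proto, port), period in periodic_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} -> {proto}/{port} every {period}s (regular, scheduled-looking)")
```

On the constructed input this reports only 192.0.2.17 hitting UDP/162 every 180 seconds; the three irregular TCP/111 hits and the single UDP/162 hit from 192.0.2.40 are not flagged. The same grouping can be run over a tcpdump capture on the sending host to find which local process is responsible, since netstat showing no listening socket on snmp-trap says nothing about outbound UDP.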