[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

portsentry: port 162 attack

I have a sid system and installed portsentry on it (and several other woody machines in the department).

I left it in log-only mode, but immediately after starting it up, I discovered that a machine of a colleague of mine is banging away (every three minutes exactly) on port 162 (snmp-trap) on all the machines in our subnet, but on no machines outside the subnet.

I also have a debian potato box in a different subnet doing the same thing to all the machines in its subnet.

While my colleague has perhaps been a little slack in maintaining upgrades, the potato machine is always upgraded as soon as a security upgrade appears. So while it is possible both machines have been hacked, I am leaning against that opinion for the moment, largely because the activity seems restricted to the subnet.

I have no idea how to track this down. I can see no process he is running which would indicate the activity, and certainly there is nothing in the logs. The password and shadow files have the same timestamp and haven't been changed (apparently) since October.

On my machine netstat -a | grep snmp returns
udp        0      0 *:snmp                  *:*
udp        0      0 *:snmp-trap             *:*

On his machine, it returns nothing.

Any ideas on whether this is a real concern and/or how to track it down would greatly be appreciated.



Reply to: