portsentry: port 162 attack

To: debian-user <debian-user@lists.debian.org>, Thomas Shemanske <thomas.r.shemanske@dartmouth.edu>
Subject: portsentry: port 162 attack
From: Thomas Shemanske <thomas.r.shemanske@dartmouth.edu>
Date: Mon, 11 Mar 2002 16:46:06 -0500
Message-id: <[🔎] 3C8D259E.9060608@dartmouth.edu>
Reply-to: thomas.r.shemanske@dartmouth.edu

I have a sid system and installed portsentry on it (and several otherwoody machines in the department).

I left it in log-only mode, but immediately after starting it up, Idiscovered that a machine of a colleague of mine isbanging away (every three minutes exactly) on port 162 (snmp-trap) onall the machines in our subnet, but on no machines outside the subnet.

I also have a debian potato box in a different subnet doing the samething to all the machines in its subnet.

While my colleague has perhaps been a little slack in maintainingupgrades, the potato machine is always upgraded as soon as a securityupgrade appears. So while it is possible both machines have beenhacked, I am leaning against that opinion for the moment, largelybecause the activity seems restricted to the subnet.

I have no idea how to track this down. I can see no process he isrunning which would indicate the activity, and certainly there isnothing in the logs. The password and shadow files have the sametimestamp and haven't been changed (apparently) since October.


On my machine netstat -a | grep snmp returns
udp        0      0 *:snmp                  *:*
udp        0      0 *:snmp-trap             *:*

On his machine, it returns nothing.

Any ideas on whether this is a real concern and/or how to track it downwould greatly be appreciated.


Thanks

Tom

Reply to:

Follow-Ups:
- Re: portsentry: port 162 attack
  - From: Jeff <jcoppock1@attbi.com>

Prev by Date: Re: CVS and SSH
Next by Date: Re: How to specify default WM (woody)?
Previous by thread: Re: SoundCards and Midi Input
Next by thread: Re: portsentry: port 162 attack
Index(es):
- Date
- Thread