
Re: portsentry: port 162 attack



Thomas Shemanske, 2002-Mar-11 16:46 -0500:
> I have a sid system and installed portsentry on it (and several other 
> woody machines in the department).
> 
> I left it in log-only mode, but immediately after starting it up, I 
> discovered that a machine of a colleague of mine is
> banging away (every three minutes exactly) on port 162 (snmp-trap) on 
> all the machines in our subnet, but on no machines outside the subnet.
> 
> I also have a debian potato box in a different subnet doing the same 
> thing to all the machines in its subnet.
> 
> While my colleague has perhaps been a little slack in maintaining 
> upgrades, the potato machine is always upgraded as soon as a security 
> upgrade appears.  So while it is possible both machines have been 
> hacked, I am leaning against that opinion for the moment, largely 
> because the activity seems restricted to the subnet.
> 
> I have no idea how to track this down.  I can see no process he is 
> running which would indicate the activity, and certainly there is 
> nothing in the logs.  The password and shadow files have the same 
> timestamp and haven't been changed (apparently) since October.
> 
> On my machine netstat -a | grep snmp returns
> udp        0      0 *:snmp                  *:*
> udp        0      0 *:snmp-trap             *:*
> 
> On his machine, it returns nothing.
> 
> Any ideas on whether this is a real concern and/or how to track it down 
> would greatly be appreciated.
> 
> Thanks
> 
> Tom

It appears to me that your colleague's machine has an snmp agent
running and has your machine configured as a trap receiver.  It's
also apparent that you have an snmp trap server running, since
the ports are listening.  Have you looked at the snmp trap log to
see what the trap is?

Your colleague's machine won't have listening ports since it's the
agent/client.  Check the processes running and look for the
agent.  If the agent must run, check the config to tune it.

hope this helps,
jc

-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
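An added example, not code from either poster: a short script that reads portsentry-style "attackalert" lines from syslog and, for each source hitting UDP 162, reports how many hits were seen, whether the gaps are regular (the "every three minutes exactly" pattern above is what distinguishes a misconfigured trap sender from a scan), and whether the source sits in the local subnet. The log line shape, hostnames, addresses and the `10.1.2.0/24` subnet are constructed for this example.

```python
import ipaddress
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample syslog lines in the shape portsentry uses for UDP hits;
# hosts, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar 11 16:00:02 sidbox portsentry[812]: attackalert: Connect from host: colleague.example/10.1.2.20 to UDP port: 162
Mar 11 16:03:02 sidbox portsentry[812]: attackalert: Connect from host: colleague.example/10.1.2.20 to UDP port: 162
Mar 11 16:06:02 sidbox portsentry[812]: attackalert: Connect from host: colleague.example/10.1.2.20 to UDP port: 162
Mar 11 16:09:02 sidbox portsentry[812]: attackalert: Connect from host: colleague.example/10.1.2.20 to UDP port: 162
Mar 11 16:04:41 sidbox portsentry[812]: attackalert: Connect from host: scanner.example/192.0.2.7 to UDP port: 162
Mar 11 16:04:41 sidbox portsentry[812]: attackalert: Connect from host: scanner.example/192.0.2.7 to UDP port: 161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
    r"Connect from host: \S+/(?P<src>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

def parse(log, year=2002):
    """Return (timestamp, source ip, proto, port) for every matching line.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["port"])))
    return events

def summarize(events, local_net, port=162):
    """Per source hitting UDP `port`: hit count, mean gap in seconds,
    whether the gaps are near-constant (jitter under 5 s), and whether
    the source is inside `local_net` (the subnet-only pattern in the post)."""
    net = ipaddress.ip_network(local_net)
    by_src = {}
    for ts, src, proto, p in events:
        if proto == "UDP" and p == port:
            by_src.setdefault(src, []).append(ts)
    report = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[src] = {
            "hits": len(stamps),
            "mean_gap_s": mean(gaps) if gaps else None,
            "regular": len(gaps) >= 2 and pstdev(gaps) < 5,
            "local": ipaddress.ip_address(src) in net,
        }
    return report
```

A source that is both `regular` and `local` matches the trap-sender explanation given in the reply; a one-off hit from outside the subnet does not, and is worth looking at separately.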
