     АРХИВ :: Inet-Admins
Inet-Admins mailing list archive (inet-admins@info.east.ru)


[inet-admins] Fw: [gee_two@xxxxxxxxx: new SNMP vuln?]



So here is a little bit of info on the subject. :) I'll say it again: an ACL bolted onto
snmp-server won't help, you need a real ACL. About Catalysts running CatOS
I can't say, because I don't know exactly how set ip permit works.
There's no exploit, so I can't try it.

SY,
--
 CCNP, CCDP (R&S)                          Dmitri E. Kalintsev
 CDPlayer@irc               Network Architect @ connect.com.au
 dek @ connect.com.au    phone: +61 3 9674 3913 fax: 9251 3666
 http://-UNAVAIL-         UIN:7150410  mobile: +61 414 821 382

> > ----- Forwarded message from Gary Golomb <gee_two@yahoo.com> -----
> >
> > > Date: Thu, 7 Feb 2002 08:57:19 -0800 (PST)
> > > From: Gary Golomb <gee_two@yahoo.com>
> > > Subject: new SNMP vuln?
> > > To: incidents@lists.securityfocus.com, honeypots@securityfocus.com
> > >
> > >
> > > Hello all!
> > >
> > > This is the third time in the past 24 hours I have heard about this from
> > > *completely* different sources, but cannot find anything on it. Does anyone
> > > here have additional details? Have any of the up-and-running honeypots seen
> > > anything?
> > >
> > > Thank you in advance!
> > >
> > > -gary
> > >
> > >
> > > > I got a call from one of my customers last night who just returned from a
> > > > North American Network Operators' Group (NANOG) security conference.
> > > > Apparently, a tool was written in a university in Finland that exploits
> > > > SNMP vulnerabilities.  One of the many things it does is send 1 packet to a
> > > > router that disables the router.
> > > >
> > > > The tool was removed from several web sites in order to give vendors a
> > > > chance to react--but you know how that goes.  Whether it is in the wild now
> > > > or not, is not the pressing issue.  The issue is that it will be soon.
> > > >
> > > > It was explained that it was tested on a Cisco and Nortel router and proven
> > > > effective.  They are already working on a fix.  I was informed that they
> > > > tried to call some guy named "Henry Fiallo" to inform us as well.
> > > >
> > >
> > >
> > > Gary Golomb
> > > Research Engineer, Intrusion Detection
> > > Enterasys Networks
> > > 7160 Columbia Gateway Dr, #201
> > > Columbia, MD 21044
> > > Phone:  410-312-3194 x223
> > > FAX:    410-312-4840
> > > Email:  ggolomb@enterasys.com
> > > www:    http://www.enterasys.com/ids/
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Send FREE Valentine eCards with Yahoo! Greetings!
> > > http://greetings.yahoo.com
> > >
> >
>
> > > ---------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> >
> > ----- End forwarded message -----
> > ----- Forwarded message from Mike Lewinski <mike@rockynet.com> -----
> >
> > > Date: Thu, 7 Feb 2002 12:41:39 -0700
> > > From: "Mike Lewinski" <mike@rockynet.com>
> > > Subject: Re: new SNMP vuln?
> > > To: <incidents@lists.securityfocus.com>
> > > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> > >
> > > We have seen increases in SNMP probes to our routers in the last few months.
> > > The following logs are from separate devices that had previously not been
> > > picking up anything external. None of the offenders are on our net. In some
> > > cases there are repeat offenders hitting different networks. In others it
> > > may just be a misconfigured OpenView somewhere.
> > >
> > > #1
> > > Jan  9  7:07:02     Manager session timed out
> > > Jan 19  1:35:10     SNMP: Authorization Violation by 62.243.158.158
> > > Jan 20  1:17:43     SNMP: Authorization Violation by 62.243.158.158
> > > Jan 21  1:17:26     SNMP: Authorization Violation by 62.243.158.158
> > > Jan 23 22:35:39     SNMP: Authorization Violation by 213.84.35.225
> > > Jan 23 22:53:51     SNMP: Authorization Violation by 63.225.202.68
> > > Jan 24  1:19:07     SNMP: Authorization Violation by 62.243.158.158
> > > Jan 29  1:18:15     SNMP: Authorization Violation by 62.243.158.158
> > > Jan 30  3:03:56     SNMP: Authorization Violation by 203.167.218.222
> > > Feb  1  1:18:24     SNMP: Authorization Violation by 62.243.158.158
> > > Feb  4  1:19:50     SNMP: Authorization Violation by 62.243.158.158
> > > Feb  5  1:14:54     SNMP: Authorization Violation by 62.243.158.158
> > > Feb  7  1:17:28     SNMP: Authorization Violation by 62.243.158.158
> > > Feb  7  4:19:38     SNMP: Authorization Violation by 158.252.197.37
> > > Feb  8  1:18:26     SNMP: Authorization Violation by 62.243.158.158
> > >
> > >
> > > #2
> > >
> > > Nov 18  3:49:28     SNMP: Authorization Violation by 63.217.77.226
> > > Nov 18  3:50:23     SNMP: Authorization Violation by 63.217.77.226
> > > Nov 18  3:52:06     SNMP: Authorization Violation by 63.217.77.226
> > > Nov 29 14:35:12     SNMP: Authorization Violation by 63.217.77.226
> > > Dec 17 15:14:38     SNMP: Authorization Violation by 63.217.77.226
> > >
> > > #3
> > >
> > > Jan 23  9:26:26     SNMP: Authorization Violation by 209.219.44.2
> > > Jan 23  9:49:26     SNMP: Authorization Violation by 209.219.44.2
> > > Jan 24 15:01:36     SNMP: Authorization Violation by 209.219.44.2
> > >
> > > #4
> > >
> > > Dec 17  4:00:29     SNMP: Authorization Violation by 80.13.199.108
> > > Dec 17  4:00:39     SNMP: Authorization Violation by 80.13.199.108
> > > Dec 17  4:01:05     SNMP: Authorization Violation by 80.13.199.108
> > > Dec 17  4:01:06     SNMP: Authorization Violation by 80.13.199.108
> > > Dec 17  4:01:08     SNMP: Authorization Violation by 80.13.199.108
> > > Dec 18 22:16:01     SNMP: Authorization Violation by 63.217.77.226
> > > Dec 18 23:12:29     SNMP: Authorization Violation by 216.113.12.153
> > >
> > >
> > >
> >
>
> >
> > ----- End forwarded message -----
> > ----- Forwarded message from James <jamesh@cybermesa.com> -----
> >
> > > Date: Thu, 7 Feb 2002 14:01:17 -0700
> > > From: "James" <jamesh@cybermesa.com>
> > > Subject: Re: new SNMP vuln?
> > > To: "Mike Lewinski" <mike@rockynet.com>
> > > Cc: <incidents@lists.securityfocus.com>
> > > X-Mailer: Microsoft Outlook Express 5.50.4807.1700
> > >
> > > I have seen these here; looking at the whole packet it is clear (at least in
> > > my case) that they were looking for SNMP with
> > > write/change permissions and an obvious community name. Like "public" or
> > > "private". We blocked SNMP on the border routers to stop this.
> > >
> > >
> > > James Edwards
> > > jamesh@cybermesa.com
> > > At the Santa Fe Office: Internet at Cyber Mesa
> > > Store hours: 9-6 Monday through Friday
> > > Phone support 365 days till 10 pm via the Santa Fe office:
> > > 505-988-9200 or Toll Free: 888-988-2700
> > >
> > >
> > >
> >
>
> >
> > ----- End forwarded message -----
> > ----- Forwarded message from H C <keydet89@yahoo.com> -----
> >
> > > Date: Thu, 7 Feb 2002 13:06:28 -0800 (PST)
> > > From: H C <keydet89@yahoo.com>
> > > Subject: Re: new SNMP vuln?
> > > To: Gary Golomb <gee_two@yahoo.com>, incidents@lists.securityfocus.com
> > >
> > > Gary,
> > >
> > > Not too much technical detail, but I would think that
> > > this relates back to failing to change the default
> > > community strings.  If this is in fact the case, it
> > > really isn't anything new.
> > >
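The "SNMP: Authorization Violation" lines Mike quotes are the defender's signal in this thread. The following is an added example (not code from the thread or from any of the posters): it parses a constructed subset of those log lines and flags the two patterns he describes, repeat offenders and one source hitting several devices. The device labels #1/#2/#4 and the threshold of three hits are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format quoted in the thread, keyed by the
# device labels used there (#1, #2, #4); only a subset of the lines is copied.
SAMPLE_LOGS = {
    "#1": (
        "Jan  9  7:07:02     Manager session timed out\n"
        "Jan 19  1:35:10     SNMP: Authorization Violation by 62.243.158.158\n"
        "Jan 20  1:17:43     SNMP: Authorization Violation by 62.243.158.158\n"
        "Jan 23 22:35:39     SNMP: Authorization Violation by 213.84.35.225\n"
        "Feb  7  1:17:28     SNMP: Authorization Violation by 62.243.158.158\n"
    ),
    "#2": (
        "Nov 18  3:49:28     SNMP: Authorization Violation by 63.217.77.226\n"
        "Dec 17 15:14:38     SNMP: Authorization Violation by 63.217.77.226\n"
    ),
    "#4": (
        "Dec 17  4:00:29     SNMP: Authorization Violation by 80.13.199.108\n"
        "Dec 18 22:16:01     SNMP: Authorization Violation by 63.217.77.226\n"
    ),
}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})"
    r"\s+SNMP: Authorization Violation by (?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_violations(text):
    """Yield (month, day, time, source_ip) per authorization-violation line;
    unrelated syslog lines ("Manager session timed out") are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["mon"], int(m["day"]), m["time"], m["src"]

def summarize(logs, repeat_threshold=3):
    """Count hits per source over all devices and flag the two patterns the
    thread describes: repeat offenders, and one source hitting several devices.
    Returns (hits, repeat_offenders, multi_device_sources)."""
    hits = Counter()
    devices = defaultdict(set)
    for dev, text in logs.items():
        for _mon, _day, _time, src in parse_violations(text):
            hits[src] += 1
            devices[src].add(dev)
    repeat = {src for src, n in hits.items() if n >= repeat_threshold}
    multi = {src for src, devs in devices.items() if len(devs) > 1}
    return hits, repeat, multi
```

With the sample above, summarize(SAMPLE_LOGS) flags 62.243.158.158 and 63.217.77.226 as repeat offenders and only 63.217.77.226 as a source seen on more than one device, which is the kind of output the thread's "repeat offenders hitting different networks" remark refers to.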



=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html
Copyright © Lexa Software, 1996-2009.