Help again, Port scanning!


SKoL
10-27-2000, 12:27 AM
Ok. Someone is spoofing IP's.....and what is so good about UDP port 161?

972576554 - 10/26/2000 12:09:14 Host: 10.15.118.2/10.15.118.2 Port: 161 UDP Blocked
972576560 - 10/26/2000 12:09:20 Host: 10.15.118.1/10.15.118.1 Port: 161 UDP Blocked
972576640 - 10/26/2000 12:10:40 Host: 10.16.110.24/10.16.110.24 Port: 161 UDP Blocked
972576720 - 10/26/2000 12:12:00 Host: 10.16.110.6/10.16.110.6 Port: 161 UDP Blocked

972577536 - 10/26/2000 12:25:36 Host: 10.11.205.3/10.11.205.3 Port: 161 UDP Blocked
972577894 - 10/26/2000 12:31:34 Host: 10.11.102.6/10.11.102.6 Port: 161 UDP Blocked
972578110 - 10/26/2000 12:35:10 Host: 10.15.118.4/10.15.118.4 Port: 161 UDP Blocked
972578190 - 10/26/2000 12:36:30 Host: 10.11.102.5/10.11.102.5 Port: 161 UDP Blocked
972578270 - 10/26/2000 12:37:50 Host: 10.11.102.4/10.11.102.4 Port: 161 UDP Blocked
972578788 - 10/26/2000 12:46:28 Host: 10.11.102.3/10.11.102.3 Port: 161 UDP Blocked
972578969 - 10/26/2000 12:49:29 Host: 10.15.118.17/10.15.118.17 Port: 161 UDP Blocked
972579049 - 10/26/2000 12:50:49 Host: 10.15.118.13/10.15.118.13 Port: 161 UDP Blocked
972579316 - 10/26/2000 12:55:16 Host: 10.15.118.18/10.15.118.18 Port: 161 UDP Blocked
972579472 - 10/26/2000 12:57:52 Host: 10.11.102.1/10.11.102.1 Port: 161 UDP Blocked
972579478 - 10/26/2000 12:57:58 Host: 10.11.102.2/10.11.102.2 Port: 161 UDP Blocked
972580565 - 10/26/2000 13:16:05 Host: 10.15.122.18/10.15.122.18 Port: 161 UDP Blocked
972581746 - 10/26/2000 13:35:46 Host: 10.15.117.1/10.15.117.1 Port: 161 UDP Blocked
972583311 - 10/26/2000 14:01:51 Host: 10.16.110.26/10.16.110.26 Port: 161 UDP Blocked

All the time... night/day scans.

------------------
---=== SYSTEM RULES ===--
1. Do not post crap
2. Obey rule #1
3. Only post stuff that rule #2 allows

[This message has been edited by SKoL (edited 27 October 2000).]

SKoL
10-27-2000, 12:29 AM
BTW : these are all bogus internal IP's.
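Added example, not code from the thread: a small Python parser for the portsentry-style lines SKoL posted above ("<epoch> - <date> <time> Host: <name>/<ip> Port: <port> <proto> Blocked"), which groups the blocked probes by source /24, counts how many sources fall in private (RFC 1918) space as the follow-up post notes, and tallies the targeted port. The embedded log lines are a constructed sample in that format; only the standard library is used.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the portsentry-style format quoted in the post.
SAMPLE_LOG = """\
972576554 - 10/26/2000 12:09:14 Host: 10.15.118.2/10.15.118.2 Port: 161 UDP Blocked
972576560 - 10/26/2000 12:09:20 Host: 10.15.118.1/10.15.118.1 Port: 161 UDP Blocked
972576640 - 10/26/2000 12:10:40 Host: 10.16.110.24/10.16.110.24 Port: 161 UDP Blocked
972577536 - 10/26/2000 12:25:36 Host: 10.11.205.3/10.11.205.3 Port: 161 UDP Blocked
972577894 - 10/26/2000 12:31:34 Host: 10.11.102.6/10.11.102.6 Port: 161 UDP Blocked
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<epoch>\d+) - (?P<date>\S+) (?P<time>\S+) "
    r"Host: (?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Port: (?P<port>\d+) (?P<proto>TCP|UDP) Blocked$"
)


def parse(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["epoch"] = int(rec["epoch"])
            rec["port"] = int(rec["port"])
            yield rec


def summarize(text):
    """Summarize blocked probes: total, private sources, per-/24 counts, ports, time span."""
    events = list(parse(text))
    by_subnet = Counter(".".join(e["ip"].split(".")[:3]) + ".0/24" for e in events)
    private = sum(1 for e in events if ip_address(e["ip"]).is_private)
    ports = Counter(f'{e["proto"]}/{e["port"]}' for e in events)
    epochs = [e["epoch"] for e in events]
    span = max(epochs) - min(epochs) if epochs else 0
    return {
        "total": len(events),
        "private_sources": private,
        "by_subnet": dict(by_subnet),
        "ports": dict(ports),
        "span_seconds": span,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-/24 counts show at a glance whether the probes come from many distinct internal ranges, as in the posted log, or from one range, which is the first thing to check before deciding whether the source addresses are spoofed.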

posterboy
10-27-2000, 10:00 AM
I can help you only with the part "what's so good about 161". It's a DANDY if you can get in. It's the Simple Net Management Protocol, and man, cracking that would be dangerous. SNMP, I assume, is not running on your box, so no sweat, but identifying that person would be a "good thing".

------------------
newbie@raymondjones.net
HTTP://www.raymondjones.net

CanadaMan
10-27-2000, 05:26 PM
I don't think you're dealing with a regular script kiddie here. If you're getting scanned constantly (assuming it's the same person/group) then they want YOUR box. Normally script kiddies just want something they can 0wn. If they don't get in right away they move on.

You might want to take extra precautions until the attacks stop. Then make VERY sure they didn't get in. Maybe use a sniffer to watch for strange traffic.

SKoL
10-27-2000, 06:11 PM
Well, this is happening to ALL boxes on the network, ie this isn't the only machine. I'm not really worried because portsentry is blocking it.

Sokertes
10-27-2000, 08:58 PM
I had something like that happening to my server at work when I tried DHCPD. Consider that my server is not the only server amongst thousands of computers on a college campus. I was setting up DHCP for my department (with about 70 - 80 computers) and found out that my server was acting like it was trying to steal machines that were not in my department. Of course, go figure that the other DHCP servers on campus are NT and my Linux server was beating the NT in domain master... hehehe... So from all the logs, looking deeper into what was going on and finding which departments the other IPs were coming from, I decided that it was best to turn off DHCPD so as not to get the main NT sysadmin's panties in a wad. Even after disabling DHCPD I still get UDP 161 from 2 - 4 IPs from other departments, which is way less than what I was getting before with DHCPD.

Hey, it's my story and I'm sticking with it.

Sokertes