hello!
i have recently installed snort on my employer's webserver and after i've
told it not to complain about connections to the tomcat on 8080 as "SCAN
Proxy (8080) attempt" the next outstanding alarm message was a "SNMP
public access udp". i looked into it and to my surprise found out that
these packages are originating on the server's external interface and
going to two (nonexistent) private ip addresses 10.0.1.80 and 10.1.0.80,
about every other hour. i ngrepped the packages and they look like this:
U xxx.xxx.xxx.xxx:1041 -> 10.0.1.80:161
  30 4c 02 01 00 04 06 70 75 62 6c 69 63 a0 3f 02    0L.....public.?.
  02 0a 9d 02 01 00 02 01 00 30 33 30 0f 06 0b 2b    .........030...+
  06 01 02 01 19 03 02 01 05 01 05 00 30 0f 06 0b    ............0...
  2b 06 01 02 01 19 03 05 01 01 01 05 00 30 0f 06    +............0..
  0b 2b 06 01 02 01 19 03 05 01 02 01 05 00          .+............
it doesn't look really dangerous, i just want to know ;)
does anyone happen to know what this is?
any hint on how i can find out which process is sending these out?
might it be the hardware (networkcard) itself?
thanks,
ub
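
Added example, not part of the original post: a minimal BER decoder run over the datagram bytes quoted above, showing which SNMP version, community, PDU type and object identifiers the packet carries. The function names are this example's own; the payload is copied from the ngrep output in the post.

```python
# Added example: decode the SNMP datagram quoted in the post.
PAYLOAD = bytes.fromhex(  # bytes copied from the ngrep dump above
    "30 4c 02 01 00 04 06 70 75 62 6c 69 63 a0 3f 02"
    "02 0a 9d 02 01 00 02 01 00 30 33 30 0f 06 0b 2b"
    "06 01 02 01 19 03 02 01 05 01 05 00 30 0f 06 0b"
    "2b 06 01 02 01 19 03 05 01 01 01 05 00 30 0f 06"
    "0b 2b 06 01 02 01 19 03 05 01 02 01 05 00"
)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def oid(value):
    """Decode a BER OBJECT IDENTIFIER value into dotted notation."""
    arcs, sub = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)      # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def decode_snmp(buf):
    _, msg, _ = tlv(buf, 0)                # outer SEQUENCE
    _, version, p = tlv(msg, 0)            # 0 means SNMPv1
    _, community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)
    _, req_id, p = tlv(pdu, 0)
    _, _, p = tlv(pdu, p)                  # error-status
    _, _, p = tlv(pdu, p)                  # error-index
    _, varbinds, _ = tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):               # each varbind: SEQUENCE { OID, value }
        _, vb, p = tlv(varbinds, p)
        oids.append(oid(tlv(vb, 0)[1]))
    return {"version": int.from_bytes(version, "big"), "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big"), "oids": oids}

if __name__ == "__main__":
    print(decode_snmp(PAYLOAD))
```

The three identifiers it prints fall under 1.3.6.1.2.1.25.3, the device table of the HOST-RESOURCES-MIB: hrDeviceStatus, hrPrinterStatus and hrPrinterDetectedErrorState, each for index 1.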