On Sun, Dec 31, 2000 at 12:16:59PM -0700, JD Kitch wrote:

> Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
I don't know what tool generated this log entry. This is a situation where a good IDS such as snort would shed a lot of light. For example, grepping a set of snort rules for that port yields:

misc-lib:alert udp any any -> $HOME_NET 161 (msg: "SNMP public access"; content:"public";)
misc-lib:alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS"; dsize:0;)
netbios-lib:alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b 06 10 40 14 d1 02 19|";)
vision.conf:alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS333/SNMP-NT-UserList"; content: "|2b 06 10 40 14 d1 02 19|";)

Follow up by surfing to (see last line above) http://www.whitehats.com/IDS/333 and also that Bugtraq ID looks interesting.

What I gather is that this could be a student at isi.edu, which is apparently part of the Univ. of California, trying his or her hand at configuring an NT box in some weird way. Who knows? I would send a very nice comment to someone there along with your data and see what comes of it.

-- 
Bob Bernstein at Esmond, Rhode Island, USA
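Added example, not part of Bob's reply or of the snort rule sets he quotes: a small Python matcher that applies the conditions of the quoted rules (destination UDP port 161, a `!$HOME_NET` source where the rule says so, a `content:` substring, and `dsize:0`) to constructed UDP datagrams, so you can see which rule each kind of packet would trip. $HOME_NET is assumed to be 172.16.72.0/24 from the logged destination; the external address 203.0.113.5, the internal host 172.16.72.5 and the SNMPv1 packets are constructed here; the NT-UserList byte string is used exactly as it appears in the quoted rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the monitored network, inferred from the logged destination 172.16.72.113.
HOME_NET = ipaddress.ip_network("172.16.72.0/24")


@dataclass
class Rule:
    """Subset of snort rule options used by the quoted UDP/161 rules."""
    msg: str
    dst_port: int
    content: Optional[bytes] = None      # content:"..." (substring match on payload)
    dsize: Optional[int] = None          # dsize:N      (exact payload length)
    external_src_only: bool = False      # "!$HOME_NET any ->" vs "any any ->"


# The four quoted rules, reduced to the options above (the OID bytes are taken as quoted).
RULES = [
    Rule("SNMP public access", 161, content=b"public"),
    Rule("BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS",
         161, dsize=0, external_src_only=True),
    Rule("NETBIOS-SNMP-NT-UserList", 161,
         content=bytes.fromhex("2b06104014d10219"), external_src_only=True),
    Rule("IDS333/SNMP-NT-UserList", 161,
         content=bytes.fromhex("2b06104014d10219"), external_src_only=True),
]


@dataclass
class UdpPacket:
    src: str
    dst: str
    dport: int
    payload: bytes


def match(rule: Rule, pkt: UdpPacket) -> bool:
    """True if the packet satisfies every condition of the rule."""
    if pkt.dport != rule.dst_port:
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if dst not in HOME_NET:                       # all rules are "-> $HOME_NET"
        return False
    if rule.external_src_only and src in HOME_NET:  # "!$HOME_NET any ->"
        return False
    if rule.dsize is not None and len(pkt.payload) != rule.dsize:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def alerts_for(pkt: UdpPacket) -> List[str]:
    """Messages of every rule the packet would trigger, in rule-file order."""
    return [r.msg for r in RULES if match(r, pkt)]


# --- constructed sample traffic -------------------------------------------

def ber(tag: int, body: bytes) -> bytes:
    """Minimal BER TLV for bodies under 128 bytes (short-form length)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def snmpv1_get(community: bytes, oid: bytes, request_id: int = 1) -> bytes:
    """Encode an SNMPv1 GetRequest for a single OID (given as encoded OID bytes)."""
    varbind = ber(0x30, ber(0x06, oid) + ber(0x05, b""))
    pdu = ber(0xA0, ber(0x02, request_id.to_bytes(4, "big"))
              + ber(0x02, b"\x00") + ber(0x02, b"\x00")       # error-status, error-index
              + ber(0x30, varbind))
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)  # version 0 = SNMPv1


EXTERNAL, INTERNAL, TARGET = "203.0.113.5", "172.16.72.5", "172.16.72.113"
SYSDESCR_0 = bytes.fromhex("2b06010201010100")          # 1.3.6.1.2.1.1.1.0
NT_USERLIST = bytes.fromhex("2b06104014d10219")         # as quoted in the rules

SAMPLES = {
    "empty from outside": UdpPacket(EXTERNAL, TARGET, 161, b""),
    "sysDescr/public from outside": UdpPacket(EXTERNAL, TARGET, 161, snmpv1_get(b"public", SYSDESCR_0)),
    "userlist/public from outside": UdpPacket(EXTERNAL, TARGET, 161, snmpv1_get(b"public", NT_USERLIST)),
    "userlist/public from inside": UdpPacket(INTERNAL, TARGET, 161, snmpv1_get(b"public", NT_USERLIST)),
    "empty from inside": UdpPacket(INTERNAL, TARGET, 161, b""),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32s} -> {alerts_for(pkt)}")
```

Note that the first rule is `any any ->`, so a community string of "public" fires from inside the network as well, while the empty-datagram and NT-UserList rules are silent for internal sources. That is exactly the kind of distinction the one-line firewall log cannot give you and an IDS can.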