
snmp packets



hello!

i have recently installed snort on my employer's webserver and after i've told it not to complain about connections to the tomcat on 8080 as "SCAN Proxy (8080) attempt" the next outstanding alarm message was a "SNMP public access udp". i looked into it and to my surprise found out that these packages are originating on the server's external interface and going to two (nonexistent) private ip addresses 10.0.1.80 and 10.1.0.80, about every other hour. i ngrepped the packages and they look like this:
U xxx.xxx.xxx.xxx:1041 -> 10.0.1.80:161
 30 4c 02 01 00 04 06 70    75 62 6c 69 63 a0 3f 02    0L.....public.?.
 02 0a 9d 02 01 00 02 01    00 30 33 30 0f 06 0b 2b    .........030...+
 06 01 02 01 19 03 02 01    05 01 05 00 30 0f 06 0b    ............0...
 2b 06 01 02 01 19 03 05    01 01 01 05 00 30 0f 06    +............0..
 0b 2b 06 01 02 01 19 03    05 01 02 01 05 00          .+............
it doesn't look really dangerous, i just want to know ;)
does anyone happen to know what this is?
any hint on how i can find out which process is sending these out?
might it be the hardware (network card) itself?

thanks,
ub


