Hi all,
Has anyone else been seeing mail1.walkerwireless.com attempting to break in
to their border routers? Picked this up on a routine log audit.
Although we actively block and log this sort of activity, others may not be
aware of it.
Of particular concern is the attempted use of the ILMI exploit, detailed at
http://www.kb.cert.org/vuls/id/976280 which has no legitimate reason to be
seen.
Attacking machine is running Checkpoint FW-1 mail server!
Cheers,
Gordon Smith CCNA
Network Operations Manager
MoreNet Ltd.
Fingerprint: 4093 91BC 0055 46B9 1B1A EDBA 45AD 2381 7B1D E4BE
Log extract (multiple occurrences of this):
04/23/2002 15:38.24 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:38.14 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "ILMI"
04/23/2002 15:38.14 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:38.02 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "DHdW7tr5nP"
04/23/2002 15:38.02 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:37.52 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "P8nD8l1n7"
04/23/2002 15:37.52 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:37.44 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "wd1h2dt2d"
04/23/2002 15:37.44 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:37.34 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "private"
04/23/2002 15:37.34 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:37.24 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "public"
04/23/2002 11:37.42 <WARN:SNMP> last message repeated 2 times
04/23/2002 11:37.32 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "ILMI"
04/23/2002 11:37.32 <WARN:SNMP> last message repeated 2 times
04/23/2002 11:37.18 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "DHdW7tr5nP"
04/23/2002 11:37.18 <WARN:SNMP> last message repeated 2 times
04/23/2002 11:37.10 <WARN:SNMP> SNMP request received from 210.54.139.178
with unknown community "P8nD8l1n7"
-
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
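The log extract above shows a single source cycling through community strings (well-known ones and random-looking ones), with router retries folded into "last message repeated N times" lines. As an added example that is not from the post or from either ISP, here is a small Python parser for that log format: it re-joins the wrapped continuation lines, attributes each repeat count to the request logged just before it, and flags sources that try several different community strings rather than just a high request count. The sample entries, the documentation addresses 192.0.2.10 and 198.51.100.7, and the "two or more distinct strings" threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the router log quoted above (newest entry first).
SAMPLE_LOG = """\
04/23/2002 15:38.24 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:38.14 <WARN:SNMP> SNMP request received from 192.0.2.10
with unknown community "ILMI"
04/23/2002 15:38.14 <WARN:SNMP> last message repeated 2 times
04/23/2002 15:38.02 <WARN:SNMP> SNMP request received from 192.0.2.10
with unknown community "private"
04/23/2002 15:38.02 <WARN:SNMP> last message repeated 4 times
04/23/2002 15:37.40 <WARN:SNMP> SNMP request received from 198.51.100.7
with unknown community "public"
"""
LOG_RE = re.compile(
    r'(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d\.\d\d) <WARN:SNMP> '
    r'(?:SNMP request received from (?P<src>[\d.]+) '
    r'with unknown community "(?P<community>[^"]*)"'
    r'|last message repeated (?P<n>\d+) times)$')

def parse_events(text):
    """Fold wrapped lines, parse, and return (ts, src, community, retries) in emission order."""
    text = '\n'.join(ln.strip() for ln in text.splitlines() if ln.strip())
    text = re.sub(r'\n(?!\d\d/\d\d/\d{4} )', ' ', text)   # join continuation lines to their entry
    events = [(datetime.strptime(m['ts'], '%m/%d/%Y %H:%M.%S'), m['src'], m['community'],
               int(m['n'] or 0)) for m in map(LOG_RE.match, text.splitlines()) if m]
    # "last message repeated N times" applies to the entry logged just before it, so a
    # newest-first extract is reversed rather than sorted (entries share timestamps).
    if len(events) > 1 and events[0][0] > events[-1][0]:
        events.reverse()
    return events

def summarize(events):
    """Per source: request count including retries, and the set of community strings tried."""
    stats = defaultdict(lambda: {'attempts': 0, 'communities': set()})
    last_src = None
    for _ts, src, community, retries in events:
        if src:
            last_src = src
            stats[src]['attempts'] += 1
            stats[src]['communities'].add(community)
        elif last_src:                      # retries belong to the previous request's source
            stats[last_src]['attempts'] += retries
    return dict(stats)

def flag_guessing(stats, min_distinct=2):
    """Several different community strings from one source is guessing, not a misconfigured poller."""
    return sorted(src for src, s in stats.items() if len(s['communities']) >= min_distinct)
```

In the sample both sources generate a similar number of requests (6 and 5), so only the count of distinct community strings separates the scanner from the misconfigured poller.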
We have noticed this and have taken action to stop these SNMP polls from
reaching other ISPs. The polling of address blocks managed by other ISPs
was purely accidental and should not happen again.
Walker Wireless is more than willing to investigate incidents like this
directly. If anyone has concerns about unusual activity originating from
anywhere in the Walker Wireless network please contact our Network
Operations Centre on 0800-WWCARE or myself directly.
Thank you,
Richard Watson
Network Infrastructure Engineer
WALKER WIRELESS LIMITED
Tel: +64 (9) 522 3674 Fax: +64 (9) 520 3447
Mob: +6427 286 6681
Email: rwatson(a)walkerwireless.com
0800 NO NETLAG
Get high speed wireless internet and private network connectivity with
Walker Wireless.
Visit www.walkerwireless.com for information.
The information in this electronic mail and its attachments is legally
privileged and confidential. If the reader of this electronic mail and
attachments is not the intended recipient, you are hereby notified that any
use, dissemination or reproduction of this electronic mail, its contents and
attachments is prohibited.
This email is personal and may not reflect Walker Wireless', Walker
Corporation's subsidiaries or affiliated companies' position.
-----Original Message-----
From: Gordon Smith [mailto:gordons(a)morenet.net.nz]
Sent: Friday, 3 May 2002 4:09 p.m.
To: Nznog
Subject: FW: Walker Wireless attacking other ISPs?