hello!

i have recently installed snort on my employer's webserver and after i've told it not to complain about connections to the tomcat on 8080 as "SCAN Proxy (8080) attempt" the next outstanding alarm message was a "SNMP public access udp". i looked into it and to my surprise found out that these packages are originating on the server's external interface and going to two (nonexistent) private ip addresses 10.0.1.80 and 10.1.0.80, about every other hour. i ngrepped the packages and they look like this:
U xxx.xxx.xxx.xxx:1041 -> 10.0.1.80:161
30 4c 02 01 00 04 06 70 75 62 6c 69 63 a0 3f 02 0L.....public.?.
02 0a 9d 02 01 00 02 01 00 30 33 30 0f 06 0b 2b .........030...+
06 01 02 01 19 03 02 01 05 01 05 00 30 0f 06 0b ............0...
2b 06 01 02 01 19 03 05 01 01 01 05 00 30 0f 06 +............0..
0b 2b 06 01 02 01 19 03 05 01 02 01 05 00 .+............


it doesn't look really dangerous, i just want to know ;)
does anyone happen to know what this is?
any hint on how i can find out which process is sending these out?
might it be the hardware (network card) itself?

thanks,
ub

