December 17th, 2003, 03:11 PM
Does anyone know of a worm or a hack that uses SNMP Broadcast on port 161 on a Windows NT 4 service pack 6a machine? I am picking up about 4 broadcasts a minute on the snort logs coming from the NT 4 server. The broadcast is flooding the entire network and has been occurring for about a week and a half now. The broadcast address is 255.255.255.255:161 and on the machine, and the SNMP packets originate from ports ranging from 1045-4976, and broadcast in sequential order, but not exactly 1045, 1046, 1047. It is more like 1045, 1051, 1066, 1101, ... and so forth. Any help would be appreciated.
December 17th, 2003, 03:15 PM
Install tcpview and see what running services/apps are broadcasting.
December 17th, 2003, 03:56 PM
Did you install any HP JetAdmin software? This seems to continuously broadcast SNMP messages in order to find 'new' printers. You can easily tweak these settings.
If that doesn't work, capture the packets using a sniffer and look at the MIB it's trying. This may give you some more clues.
Experience is something you don't get until just after you need it.