Operating System - HP-UX

Paul R. Dittrich
Esteemed Contributor

Mystery polling of non-existent network

I've "inherited" the responsibility for a used K460 running HP-UX 11.00 that will not be rebuilt. (Don't ask!)
Every night, just after midnight, this machine does UDP scanning to port 161 on the entire network 192.168.0.0. Only that port, only that network, and the scanning order looks like this:
192.168.9.1
192.168.92.1 (no .91)
192.168.93.1
.
.
.
192.168.99.1
192.168.9.2
192.168.92.2 (still no .91)
etc. for the entire netblock.
I'm pretty sure I've disabled everything related to SNMPd and triple-checked the network config but I haven't stopped the polling. (It shows in our firewall logs)
One person told me this system used to have Omniback installed and that was the problem, but I'm still stumped.

TIA for all answers, which WILL be assigned points.

Paul
6 REPLIES
Paul R. Dittrich
Esteemed Contributor

Re: Mystery polling of non-existent network

I forgot to mention - that network 192.168.0.0 does not exist on our LAN or WAN and I can't find any signs that any of the NICs were ever used in that address space.

Paul
Michael Tully
Honored Contributor

Re: Mystery polling of non-existent network

Hi Paul,

OmniBack by default uses port 5555, check your
/etc/services file to see what port is being
used for this. You don't say whether OmniBack
is still installed or not?
Is there a mysterious job that runs out of cron
or at ?

Something to look at, as it sounds fairly strange.....

Michael
Anyone for a Mutiny ?
Edward Alfert_2
Respected Contributor

Re: Mystery polling of non-existent network

Your message looked very interesting to me so I decided to search google.com (I was suspecting a security problem... some trojan)... but it seems there may be another explanation... See scenario #3 (it specifically mentions HP)
---------------
On 21 Oct 99, at 22:46, Chiaki Ishikawa wrote:

> Over the last few days, our DMZ hosts were scanned for UDP port
> 161 from multiple sites. My guess is some kind of trojan or
> something.
>
> Does anyone know what this probe is?

It's SNMP. There are three basic scenarios:

1. Someone is hoping you've got SNMP configured in a way that will
allow them to take control of your network. This would not be good.

2. Someone is setting up SNMP on their network, and has told their
management host to "discover" what else is on the network.
Unfortunately, they've misconfigured it, and it thinks your subnet
block is part of its network community.

3. Some HP network printer drivers will send traffic like this out
to other sites on the Internet. No idea what they were thinking.
"Do what you love and you will never work a day in your life." - Confucius
UliW
Advisor

Re: Mystery polling of non-existent network

If I remember right, HP (Web)JetAdmin has some
autodiscovery. Check if it is installed on your
machine.

Ulrich
Paul R. Dittrich
Esteemed Contributor

Re: Mystery polling of non-existent network

Michael - Omniback is no longer installed but was still listed in /etc/services at port 5555, which I have now commented out. There are no defined at jobs and only a single cron job that I'm certain is not the culprit.

Ulrich - webjetadmin is not installed but that's a good one I hadn't thought of before.

Edward - I followed your google search but am unable to get more details for further investigation. There is a single HP LJ5m installed on the system; I suppose I could try removing it to see if the polling stopped.

Any more ideas? Anyone?
Lou Zirko_1
Frequent Advisor

Re: Mystery polling of non-existent network

A few other things to look at:

All cron files for users and at jobs.

External scheduling packages if utilized.

There is something waking that "job" up each night.

Another area to look is if any network management s/w had been installed on the box in the past and still has remnants around, e.g. HP's NNM, CA's Unicenter TNG or Tivoli's TME10.

Hope this helps.

Lou Zirko
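
Added example (not written by any poster in this thread): one way to carry out the suggestion above to check every user's cron file, by listing the entries whose hour field can fire in a given hour, such as hour 0 for activity seen just after midnight. It assumes crontabs are stored in /var/spool/cron/crontabs and that it is run as root; the function name `cron_jobs_in_hour` is hypothetical.

```shell
#!/bin/sh
# Added example: audit all users' crontabs for entries that can run in one hour.
# Assumption: crontabs live in /var/spool/cron/crontabs (one file per user);
# pass a different directory as the second argument if yours differ.
# Usage (as root):  cron_jobs_in_hour 0

# cron_jobs_in_hour HOUR [DIR]
# Prints "user: crontab-entry" for every entry whose hour field covers HOUR.
cron_jobs_in_hour() {
    hour=$1
    dir=${2:-/var/spool/cron/crontabs}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # empty directory or not a plain file
        awk -v user="$(basename "$f")" -v h="$hour" '
            # Return 1 if a cron hour field (e.g. "0", "*", "22-23,0-1")
            # includes hour h.
            function covers(field, h,   n, i, parts, r) {
                n = split(field, parts, ",")
                for (i = 1; i <= n; i++) {
                    if (parts[i] ~ /^\*/) return 1            # every hour
                    if (split(parts[i], r, "-") == 2) {       # range lo-hi
                        if (r[1] + 0 <= h + 0 && h + 0 <= r[2] + 0) return 1
                    } else if (parts[i] ~ /^[0-9]+$/ && parts[i] + 0 == h + 0)
                        return 1                              # single hour
                }
                return 0
            }
            /^[ \t]*#/ || NF < 6 { next }   # skip comments and non-entries
            covers($2, h) { print user ": " $0 }
        ' "$f"
    done
}
```

Entries that run every hour (`*` in the hour field) are reported as well, since they also fire during the hour being checked.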