Strange snmpd traffic











up vote
0
down vote

favorite












my snmp server is using 3% of CPU and about 600 kbit/s of bandwidth.



Using "iftop" my server is sending data to an unknown IP, in HTTP port, but the destination IP does not ping and has no HTTP port open.



myhostname.com.br:snmp                          => 144.168.68.43:http                                   520Kb   487Kb   487Kb

                                                <=                                                     40.2Kb  37.6Kb  37.6Kb


All defaults (snmpd.conf), I just use it to local MRTG.



It's a CentOS 7 under OpenVZ. Any ideas?






centos7 snmp snmpd







share|improve this question
























  • Well, first of all never expose snmp publicly, get some firewall rules in place.
    – nos
    Nov 19 at 11:45












  • Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in). This is outgoing connection, from my server to this IP.
    – Arvy
    Nov 19 at 11:50

















up vote
0
down vote

favorite












my snmp server is using 3% of CPU and about 600 kbit/s of bandwidth.



Using "iftop" my server is sending data to an unknown IP, in HTTP port, but the destination IP does not ping and has no HTTP port open.



myhostname.com.br:snmp                          => 144.168.68.43:http                                   520Kb   487Kb   487Kb

                                                <=                                                     40.2Kb  37.6Kb  37.6Kb


All defaults (snmpd.conf), I just use it to local MRTG.



It's a CentOS 7 under OpenVZ. Any ideas?






centos7 snmp snmpd







share|improve this question
























  • Well, first of all never expose snmp publicly, get some firewall rules in place.
    – nos
    Nov 19 at 11:45












  • Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in). This is outgoing connection, from my server to this IP.
    – Arvy
    Nov 19 at 11:50















up vote
0
down vote

favorite









up vote
0
down vote

favorite











my snmp server is using 3% of CPU and about 600 kbit/s of bandwidth.



Using "iftop" my server is sending data to an unknown IP, in HTTP port, but the destination IP does not ping and has no HTTP port open.



myhostname.com.br:snmp                          => 144.168.68.43:http                                   520Kb   487Kb   487Kb

                                                <=                                                     40.2Kb  37.6Kb  37.6Kb


All defaults (snmpd.conf), I just use it to local MRTG.



It's a CentOS 7 under OpenVZ. Any ideas?






centos7 snmp snmpd







share|improve this question















my snmp server is using 3% of CPU and about 600 kbit/s of bandwidth.



Using "iftop" my server is sending data to an unknown IP, in HTTP port, but the destination IP does not ping and has no HTTP port open.



myhostname.com.br:snmp                          => 144.168.68.43:http                                   520Kb   487Kb   487Kb

                                                <=                                                     40.2Kb  37.6Kb  37.6Kb


All defaults (snmpd.conf), I just use it to local MRTG.



It's a CentOS 7 under OpenVZ. Any ideas?






centos7 snmp snmpd




centos7 snmp snmpd






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 at 11:52

























asked Nov 19 at 11:40









Arvy

4321921




4321921












  • Well, first of all never expose snmp publicly, get some firewall rules in place.
    – nos
    Nov 19 at 11:45












  • Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in). This is outgoing connection, from my server to this IP.
    – Arvy
    Nov 19 at 11:50




















  • Well, first of all never expose snmp publicly, get some firewall rules in place.
    – nos
    Nov 19 at 11:45












  • Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in). This is outgoing connection, from my server to this IP.
    – Arvy
    Nov 19 at 11:50


















Well, first of all never expose snmp publicly, get some firewall rules in place.
– nos
Nov 19 at 11:45






Well, first of all never expose snmp publicly, get some firewall rules in place.
– nos
Nov 19 at 11:45














Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in). This is outgoing connection, from my server to this IP.
– Arvy
Nov 19 at 11:50






Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in). This is outgoing connection, from my server to this IP.
– Arvy
Nov 19 at 11:50














2 Answers
2






active

oldest

votes

















up vote
1
down vote



accepted










Are these notifications/traps, or responses to Get requests?




Responses



Someone is polling your SNMP service, it's as simple as that.



If you don't want them to do that, firewall them (or it) off.



It's common for public services to be polled by random strangers, sometimes as a result of an automated probe but sometimes for explicitly malicious purposes. That's why we have firewalls.



Neither ICMP ping nor HTTP has anything to do with it; SNMP responses go to the same address (IP & port) that the requests came from — the choice of port is effectively arbitrary, but it would seem that the originator has specifically decided to use port 80 because this is commonly an open port, and does not draw much attention. This in itself is frankly suspicious because, unless there are strange technical constraints, an authentic and authorised SNMP manager would be using a port more conventionally allocated to SNMP traffic (like UDP 162).




Traps (notifications)



If there is no evidence of incoming requests triggering this traffic, then your SNMP Agent is doing this on its own. Did you configure it to do so? If not, you may have been hacked and somebody else has configured it this way instead.



You can still firewall it off (the firewall goes both ways!) though you really should be checking into what happened.




Otherwise



If there are no requests incoming, and your SNMP manager is not configured to send notifications to 144.168.68.43, then do you have another SNMP manager you're not aware of? Some piece of software you installed that has SNMP support? Otherwise you're really in trouble.






share|improve this answer























  • No, firewall is closed. The traffic is from my server (outgoing).
    – Arvy
    Nov 19 at 12:42










  • @Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
    – Lightness Races in Orbit
    Nov 19 at 12:43










  • I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
    – Arvy
    Nov 19 at 12:50








  • 1




    MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
    – Lightness Races in Orbit
    Nov 19 at 13:10










  • After a reboot, the problem is fixed. I'll monitor. Thanks.
    – Arvy
    Nov 19 at 15:22




















up vote
0
down vote













I think I found the problem. This IP is related to MIB, reading something from an unreachable IP.



If I block it (iptables), "journal" starts to log every 2-3 seconds:



Nov 19 10:33:44 loki snmpd[18942]: send response: Failure in sendto

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysDescr.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.1

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysObjectID.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.2

Nov 19 10:33:44 loki snmpd[18942]:     -- DISMAN-EVENT-MIB::sysUpTimeInstance

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.3

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysContact.0

(....)


I just don't know how to fix... at least, server is not compromissed.






share|improve this answer





















  • The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
    – Gambit Support
    Nov 19 at 13:52










  • tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
    – Arvy
    Nov 19 at 15:21








  • 1




    At least these are responses, not notifications
    – Lightness Races in Orbit
    Nov 19 at 15:32






  • 1




    Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
    – Gambit Support
    Nov 19 at 17:07










  • Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
    – Arvy
    Nov 19 at 18:51













Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53373870%2fstrange-snmpd-traffic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










Are these notifications/traps, or responses to Get requests?




Responses



Someone is polling your SNMP service, it's as simple as that.



If you don't want them to do that, firewall them (or it) off.



It's common for public services to be polled by random strangers, sometimes as a result of an automated probe but sometimes for explicitly malicious purposes. That's why we have firewalls.



Neither ICMP ping nor HTTP has anything to do with it; SNMP responses go to the same address (IP & port) that the requests came from — the choice of port is effectively arbitrary, but it would seem that the originator has specifically decided to use port 80 because this is commonly an open port, and does not draw much attention. This in itself is frankly suspicious because, unless there are strange technical constraints, an authentic and authorised SNMP manager would be using a port more conventionally allocated to SNMP traffic (like UDP 162).




Traps (notifications)



If there is no evidence of incoming requests triggering this traffic, then your SNMP Agent is doing this on its own. Did you configure it to do so? If not, you may have been hacked and somebody else has configured it this way instead.



You can still firewall it off (the firewall goes both ways!) though you really should be checking into what happened.




Otherwise



If there are no requests incoming, and your SNMP manager is not configured to send notifications to 144.168.68.43, then do you have another SNMP manager you're not aware of? Some piece of software you installed that has SNMP support? Otherwise you're really in trouble.






share|improve this answer























  • No, firewall is closed. The traffic is from my server (outgoing).
    – Arvy
    Nov 19 at 12:42










  • @Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
    – Lightness Races in Orbit
    Nov 19 at 12:43










  • I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
    – Arvy
    Nov 19 at 12:50








  • 1




    MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
    – Lightness Races in Orbit
    Nov 19 at 13:10










  • After a reboot, the problem is fixed. I'll monitor. Thanks.
    – Arvy
    Nov 19 at 15:22

















up vote
1
down vote



accepted










Are these notifications/traps, or responses to Get requests?




Responses



Someone is polling your SNMP service, it's as simple as that.



If you don't want them to do that, firewall them (or it) off.



It's common for public services to be polled by random strangers, sometimes as a result of an automated probe but sometimes for explicitly malicious purposes. That's why we have firewalls.



Neither ICMP ping nor HTTP has anything to do with it; SNMP responses go to the same address (IP & port) that the requests came from — the choice of port is effectively arbitrary, but it would seem that the originator has specifically decided to use port 80 because this is commonly an open port, and does not draw much attention. This in itself is frankly suspicious because, unless there are strange technical constraints, an authentic and authorised SNMP manager would be using a port more conventionally allocated to SNMP traffic (like UDP 162).




Traps (notifications)



If there is no evidence of incoming requests triggering this traffic, then your SNMP Agent is doing this on its own. Did you configure it to do so? If not, you may have been hacked and somebody else has configured it this way instead.



You can still firewall it off (the firewall goes both ways!) though you really should be checking into what happened.




Otherwise



If there are no requests incoming, and your SNMP manager is not configured to send notifications to 144.168.68.43, then do you have another SNMP manager you're not aware of? Some piece of software you installed that has SNMP support? Otherwise you're really in trouble.






share|improve this answer























  • No, firewall is closed. The traffic is from my server (outgoing).
    – Arvy
    Nov 19 at 12:42










  • @Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
    – Lightness Races in Orbit
    Nov 19 at 12:43










  • I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
    – Arvy
    Nov 19 at 12:50








  • 1




    MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
    – Lightness Races in Orbit
    Nov 19 at 13:10










  • After a reboot, the problem is fixed. I'll monitor. Thanks.
    – Arvy
    Nov 19 at 15:22















up vote
1
down vote



accepted







up vote
1
down vote



accepted






Are these notifications/traps, or responses to Get requests?




Responses



Someone is polling your SNMP service, it's as simple as that.



If you don't want them to do that, firewall them (or it) off.



It's common for public services to be polled by random strangers, sometimes as a result of an automated probe but sometimes for explicitly malicious purposes. That's why we have firewalls.



Neither ICMP ping nor HTTP has anything to do with it; SNMP responses go to the same address (IP & port) that the requests came from — the choice of port is effectively arbitrary, but it would seem that the originator has specifically decided to use port 80 because this is commonly an open port, and does not draw much attention. This in itself is frankly suspicious because, unless there are strange technical constraints, an authentic and authorised SNMP manager would be using a port more conventionally allocated to SNMP traffic (like UDP 162).




Traps (notifications)



If there is no evidence of incoming requests triggering this traffic, then your SNMP Agent is doing this on its own. Did you configure it to do so? If not, you may have been hacked and somebody else has configured it this way instead.



You can still firewall it off (the firewall goes both ways!) though you really should be checking into what happened.




Otherwise



If there are no requests incoming, and your SNMP manager is not configured to send notifications to 144.168.68.43, then do you have another SNMP manager you're not aware of? Some piece of software you installed that has SNMP support? Otherwise you're really in trouble.






share|improve this answer














Are these notifications/traps, or responses to Get requests?




Responses



Someone is polling your SNMP service, it's as simple as that.



If you don't want them to do that, firewall them (or it) off.



It's common for public services to be polled by random strangers, sometimes as a result of an automated probe but sometimes for explicitly malicious purposes. That's why we have firewalls.



Neither ICMP ping nor HTTP has anything to do with it; SNMP responses go to the same address (IP & port) that the requests came from — the choice of port is effectively arbitrary, but it would seem that the originator has specifically decided to use port 80 because this is commonly an open port, and does not draw much attention. This in itself is frankly suspicious because, unless there are strange technical constraints, an authentic and authorised SNMP manager would be using a port more conventionally allocated to SNMP traffic (like UDP 162).




Traps (notifications)



If there is no evidence of incoming requests triggering this traffic, then your SNMP Agent is doing this on its own. Did you configure it to do so? If not, you may have been hacked and somebody else has configured it this way instead.



You can still firewall it off (the firewall goes both ways!) though you really should be checking into what happened.




Otherwise



If there are no requests incoming, and your SNMP manager is not configured to send notifications to 144.168.68.43, then do you have another SNMP manager you're not aware of? Some piece of software you installed that has SNMP support? Otherwise you're really in trouble.







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 19 at 12:42

























answered Nov 19 at 12:40









Lightness Races in Orbit

278k51445763




278k51445763












  • No, firewall is closed. The traffic is from my server (outgoing).
    – Arvy
    Nov 19 at 12:42










  • @Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
    – Lightness Races in Orbit
    Nov 19 at 12:43










  • I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
    – Arvy
    Nov 19 at 12:50








  • 1




    MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
    – Lightness Races in Orbit
    Nov 19 at 13:10










  • After a reboot, the problem is fixed. I'll monitor. Thanks.
    – Arvy
    Nov 19 at 15:22




















  • No, firewall is closed. The traffic is from my server (outgoing).
    – Arvy
    Nov 19 at 12:42










  • @Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
    – Lightness Races in Orbit
    Nov 19 at 12:43










  • I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
    – Arvy
    Nov 19 at 12:50








  • 1




    MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
    – Lightness Races in Orbit
    Nov 19 at 13:10










  • After a reboot, the problem is fixed. I'll monitor. Thanks.
    – Arvy
    Nov 19 at 15:22


















No, firewall is closed. The traffic is from my server (outgoing).
– Arvy
Nov 19 at 12:42




No, firewall is closed. The traffic is from my server (outgoing).
– Arvy
Nov 19 at 12:42












@Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
– Lightness Races in Orbit
Nov 19 at 12:43




@Arvy If it were closed, the requests would not be getting through. If you're saying that your agent is dispatching SNMP notifications (as opposed to responses to a Get request) then either your config is wrong or you have been hacked.
– Lightness Races in Orbit
Nov 19 at 12:43












I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
– Arvy
Nov 19 at 12:50






I found, it's something related to MIB, reading something. I really don't understand snmp well, I don't know what the server is trying to read from internet.
– Arvy
Nov 19 at 12:50






1




1




MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
– Lightness Races in Orbit
Nov 19 at 13:10




MIB definitions don't autonomously trigger SNMP requests. If you can provide a packet capture we'll at least know what the traffic is, though that likely won't tell us why.
– Lightness Races in Orbit
Nov 19 at 13:10












After a reboot, the problem is fixed. I'll monitor. Thanks.
– Arvy
Nov 19 at 15:22






After a reboot, the problem is fixed. I'll monitor. Thanks.
– Arvy
Nov 19 at 15:22














up vote
0
down vote













I think I found the problem. This IP is related to MIB, reading something from an unreachable IP.



If I block it (iptables), "journal" starts to log every 2-3 seconds:



Nov 19 10:33:44 loki snmpd[18942]: send response: Failure in sendto

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysDescr.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.1

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysObjectID.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.2

Nov 19 10:33:44 loki snmpd[18942]:     -- DISMAN-EVENT-MIB::sysUpTimeInstance

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.3

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysContact.0

(....)


I just don't know how to fix... at least, server is not compromissed.






share|improve this answer





















  • The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
    – Gambit Support
    Nov 19 at 13:52










  • tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
    – Arvy
    Nov 19 at 15:21








  • 1




    At least these are responses, not notifications
    – Lightness Races in Orbit
    Nov 19 at 15:32






  • 1




    Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
    – Gambit Support
    Nov 19 at 17:07










  • Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
    – Arvy
    Nov 19 at 18:51

















up vote
0
down vote













I think I found the problem. This IP is related to MIB, reading something from an unreachable IP.



If I block it (iptables), "journal" starts to log every 2-3 seconds:



Nov 19 10:33:44 loki snmpd[18942]: send response: Failure in sendto

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysDescr.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.1

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysObjectID.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.2

Nov 19 10:33:44 loki snmpd[18942]:     -- DISMAN-EVENT-MIB::sysUpTimeInstance

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.3

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysContact.0

(....)


I just don't know how to fix... at least, server is not compromissed.






share|improve this answer





















  • The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
    – Gambit Support
    Nov 19 at 13:52










  • tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
    – Arvy
    Nov 19 at 15:21








  • 1




    At least these are responses, not notifications
    – Lightness Races in Orbit
    Nov 19 at 15:32






  • 1




    Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
    – Gambit Support
    Nov 19 at 17:07










  • Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
    – Arvy
    Nov 19 at 18:51















up vote
0
down vote










up vote
0
down vote









I think I found the problem. This IP is related to MIB, reading something from an unreachable IP.



If I block it (iptables), "journal" starts to log every 2-3 seconds:



Nov 19 10:33:44 loki snmpd[18942]: send response: Failure in sendto

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysDescr.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.1

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysObjectID.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.2

Nov 19 10:33:44 loki snmpd[18942]:     -- DISMAN-EVENT-MIB::sysUpTimeInstance

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.3

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysContact.0

(....)


I just don't know how to fix... at least, server is not compromissed.






share|improve this answer












I think I found the problem. This IP is related to MIB, reading something from an unreachable IP.



If I block it (iptables), "journal" starts to log every 2-3 seconds:



Nov 19 10:33:44 loki snmpd[18942]: send response: Failure in sendto

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysDescr.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.1

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysObjectID.0

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.2

Nov 19 10:33:44 loki snmpd[18942]:     -- DISMAN-EVENT-MIB::sysUpTimeInstance

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysORDescr.3

Nov 19 10:33:44 loki snmpd[18942]:     -- SNMPv2-MIB::sysContact.0

(....)


I just don't know how to fix... at least, server is not compromissed.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 19 at 12:49









Arvy

4321921




4321921












  • The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
    – Gambit Support
    Nov 19 at 13:52










  • tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
    – Arvy
    Nov 19 at 15:21








  • 1




    At least these are responses, not notifications
    – Lightness Races in Orbit
    Nov 19 at 15:32






  • 1




    Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
    – Gambit Support
    Nov 19 at 17:07










  • Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
    – Arvy
    Nov 19 at 18:51




















  • The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
    – Gambit Support
    Nov 19 at 13:52










  • tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
    – Arvy
    Nov 19 at 15:21








  • 1




    At least these are responses, not notifications
    – Lightness Races in Orbit
    Nov 19 at 15:32






  • 1




    Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
    – Gambit Support
    Nov 19 at 17:07










  • Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
    – Arvy
    Nov 19 at 18:51


















The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
– Gambit Support
Nov 19 at 13:52




The log seems clear: someone is polling your snmpd. Your server IS likely compromised. You have not proven your assertion "Snmpd is bind to 127.0.0.1 and blocked using iptables (udp in)" with netstat -an or iptables.
– Gambit Support
Nov 19 at 13:52












tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
– Arvy
Nov 19 at 15:21






tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 427/snmpd udp 0 0 127.0.0.1:161 0.0.0.0:* 427/snmpd
– Arvy
Nov 19 at 15:21






1




1




At least these are responses, not notifications
– Lightness Races in Orbit
Nov 19 at 15:32




At least these are responses, not notifications
– Lightness Races in Orbit
Nov 19 at 15:32




1




1




Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
– Gambit Support
Nov 19 at 17:07




Arvy, showing that it listens on 127.0.0.1 DOES NOT prove that it does not listen on other ports. What does this say "netstat -an | grep :161"?
– Gambit Support
Nov 19 at 17:07












Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
– Arvy
Nov 19 at 18:51






Only udp 0 0 127.0.0.1:161 0.0.0.0:* - anyway, after the reboot, no more strange traffic detected.
– Arvy
Nov 19 at 18:51




















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53373870%2fstrange-snmpd-traffic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Wiesbaden

Image
Wappen Deutschlandkarte 50.0825 8.24 117 Koordinaten: 50° 5′  N , 8° 14′  O Basisdaten Bundesland: Hessen Regierungsbezirk: Darmstadt Höhe: 117 m ü. NHN Fläche: 203,93 km 2 Einwohner: 278.654 (31. Dez. 2017) [1] Bevölkerungsdichte: 1366 Einwohner je km 2 Postleitzahlen: 65183–65207, 55246, 55252 Vorlage:Infobox Gemeinde in Deutschland/Wartung/PLZ enthält Text Vorwahlen: 0611, 06122, 06127, 06134 Kfz-Kennzeichen: WI Gemeindeschlüssel: 06 4 14 000 LOCODE: DE WIB NUTS: DE714 Stadtgliederung: 26 Ortsbezirke Adresse der Stadtverwaltung: Schlossplatz 6 65183 Wiesbaden Webpräsenz: www.wiesbaden.de Oberbürgermeister: Sven Gerich (SPD) Lage der Landeshauptstadt Wiesbaden in Hessen und im Regierungsbezirk Darmstadt Offizielles Logo der Landeshauptstadt Wiesbaden Flagge der Landeshauptstadt Wiesbaden Wiesbaden is
Read more

Marschland

Image
Kilometerweite Marsch in den Vier- und Marschlanden am Elbdeich Die Wedeler Marschlandschaft in Schleswig-Holstein Der Hadelner Kanal zur Entwässerung der Marsch Die tief gelegene Marsch und ein Entwässerungskanal Das Schöpfwerk Otterndorf im Land Hadeln zur Entwässerung der Medem verfügte damals bereits über die größte Kreiselpumpe Europas. Das Schöpfwerk in Neuhaus für die Aue und des Neuhaus-Bülkauer Kanals Als Marsch(land) (v. niederdt., altsächs. mersc ) – auch Masch , Mersch oder Schwemmland genannt – bezeichnet man eine nacheiszeitlich entstandene geomorphologische Landform im Gebiet der nordwestdeutschen Küsten und Flüsse sowie vergleichbare Landformen weltweit. Inhaltsverzeichnis 1 Landschaft 2 Entstehung 3 Marschböden 4 Nutzung 5 Marschgebiete in Deutschland 6 Siehe auch 7 Literatur 8 Weblinks 9 Einzelnachweise Landschaft | Marschen sind generell flache Landstriche ohne natürliche Erhebungen. Si
Read more

Dieringhausen

Image
Dieringhausen Stadt Gummersbach 50.982777777778 7.5316666666667 165 Koordinaten: 50° 58′ 58″  N , 7° 31′ 54″  O Höhe: 165  (160–245)  m Einwohner: 5055  (30. Jun. 2016) Postleitzahl: 51645 Vorwahl: 02261 Lage von Dieringhausen in Gummersbach Im Hohl ca. 1927–1930 Ansicht von Südwesten bei Bünghausen Dieringhausen (im örtlichen Dialekt Dierkesen ) ist ein Ortsteil von Gummersbach im Oberbergischen Kreis, Regierungsbezirk Köln, Nordrhein-Westfalen (Deutschland). Inhaltsverzeichnis 1 Geographie 2 Geschichte 3 Kultur 3.1 Sehenswürdigkeiten 3.2 Regelmäßige Veranstaltungen 4 Infrastruktur und Wirtschaft 4.1 Verkehr 4.1.1 Schienen- und Busverkehr 4.1.2 Straßen 4.2 Öffentliche Einrichtungen 4.2.1 Schulen und Bildungseinrichtungen 4.2.2 Kirchliche Einrichtungen 5 Persönlichkeiten 5.1 In Dieringhausen geboren 5.2 In Dieringhausen gelebt 6 Einzelnachweise 7
Read more