Security Incidents mailing list archives
hacked box research
From: "Lowell" <lowellt () eetronics com>
Date: Fri, 22 Jun 2001 15:48:19 -0500
Some time ago we had some hacker problems here. We have cleared it up with the help of securityreports.com putting in a bunch of ACLs. I have found out the hard way that if you do not know what an access list is, then you need to.

What hackers did:
- Fed in the Lion worm to deface index pages.
- Attempted to gain total control of the router by changing vty to 1, and they were going to be the one!
- Once we disallowed all vty programming they began a DoS attack.

The question I was wondering was: does anyone know how they were able to get into the router? What is an excessive collision?

I had restarted the router when I had noticed a strange Excessive collision. As soon as the router came back online this is what was logged.

00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number )
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number )
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number )

I changed the password, after which the router logged 27,000 attempts to remote program in 30 min. After this I had my provider block all remote access. Since putting the ACLs in place we have not had any problem. I am just curious how they got in.

Lowell