Security Incidents mailing list archives

Re: hacked box research


From: "Jeremy Sanders" <jsanders () newsouthfederal com>
Date: Mon, 25 Jun 2001 08:54:10 -0500

There is also the possibility that they just brute forced your password if you didn't have an ACL on the vty lines. I
like to secure a router by disallowing telnet/ssh access completely. Connect a console cable to a secure Linux box with
keyed ssh access only. Then you can ssh into the Linux box and minicom the router.

Excessive collisions just mean you're getting too many Ethernet collisions on the segment that the Fast Ethernet 0/0 port
is attached to. Is this a message you get continually or just at boot-up? If it is only at boot-up I would not worry
about it. If it happens all the time, you probably need to look into it. What is the router plugged in to? A switch or
hub, 10 meg or 100 meg? What else is using the segment? It would probably be a good idea to set up a sniffer (i.e. tcpdump
or snort) to look at the traffic on the segment behind the router, if you have been previously compromised, to see if
they left something else hanging around that is generating traffic.

Hope this helps,

Jeremy Sanders, CCNP CNE
Advanced Systems Engineer
New South Federal Savings Bank

"Lowell" <lowellt () eetronics com> 06/22/01 03:48PM >>>
Some time ago we had some hacker problems here. We have cleared it up with
the help of securityreports.com putting in a bunch of ACLs. I have found
out the hard way that if you do not know what an access list is, then you need to.

What hackers did:
Fed in the Lion worm to deface index pages.
Attempted to gain total control of the router by changing vty to 1 and they were
going to be the one!
Once we disallowed all vty programming they began a DoS attack.

The question I was wondering was: does anyone know how they were able to get
into the router? What is an excessive collision?

I had restarted the router when I had noticed a strange "Excessive collisions" message.
As soon as the router came back on line this is what was logged.

00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number)
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number)
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number)

I changed the password, after which the router logged 27,000 attempts to
remote program in 30 min.
After this I had my provider block all remote access.

Since putting the ACLs in place we have not had any problem. I am just
curious how they got in.

Lowell
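The log excerpt in the thread is the interesting part for a defender: three `%SYS-5-CONFIG_I` events from `vty0` inside 25 seconds, right after boot, is the footprint of a script rather than an administrator at a console. The following is an added example, not code from either poster, showing how to parse Cisco IOS syslog lines of that shape and flag configuration changes committed over vty (remote) lines, plus bursts of such changes. The sample lines are constructed to match the post; Lowell redacted the source address, so `192.0.2.10` is a documentation-range placeholder, and the `window`/`threshold` values are assumptions to tune per site.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log in the thread. The vty source
# address was redacted in the original, so 192.0.2.10 is a placeholder.
SAMPLE_LOG = """\
00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
00:40:12: %SYS-5-CONFIG_I: Configured from console by console
"""

# IOS message shape: <uptime>: %<FACILITY>-<severity>-<MNEMONIC>: <text>
LINE_RE = re.compile(
    r"^(?P<uptime>\d+:\d{2}:\d{2}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# Text of a CONFIG_I event; the "(source)" part is only present for vty lines.
CONFIG_RE = re.compile(
    r"Configured from (?P<via>\S+) by (?P<line>vty\d+|console|aux\d*)"
    r"(?: \((?P<source>[^)]+)\))?"
)


def uptime_seconds(uptime):
    """Convert an IOS uptime stamp 'HH:MM:SS' to seconds since boot."""
    h, m, s = (int(x) for x in uptime.split(":"))
    return h * 3600 + m * 60 + s


def parse_ios_line(line):
    """Return a dict for one IOS syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every recognisable line of a log dump; unknown lines are skipped."""
    return [r for r in (parse_ios_line(l) for l in text.splitlines()) if r]


def remote_config_changes(records):
    """CONFIG_I events whose configuring line is a vty, i.e. a remote session."""
    out = []
    for r in records:
        if r["mnemonic"] != "CONFIG_I":
            continue
        m = CONFIG_RE.search(r["text"])
        if m and m.group("line").startswith("vty"):
            out.append({"uptime": r["uptime"], "line": m.group("line"),
                        "source": m.group("source")})
    return out


def config_bursts(records, window=60, threshold=3):
    """Group remote config changes that fall within `window` seconds of the
    first change in the group; groups of at least `threshold` are returned.
    Repeated commits seconds apart are typical of scripted access, not of an
    operator typing at a terminal. Window and threshold are assumed defaults."""
    events = remote_config_changes(records)
    times = [uptime_seconds(e["uptime"]) for e in events]
    bursts = []
    i = 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append(events[i:j + 1])
        i = j + 1
    return bursts


def count_mnemonics(records):
    """Tally message types, e.g. to see whether COLL repeats or was a one-off."""
    return Counter(r["mnemonic"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("message counts:", dict(count_mnemonics(recs)))
    for burst in config_bursts(recs):
        first, last = burst[0], burst[-1]
        print(f"burst of {len(burst)} remote config changes from "
              f"{first['source']} between {first['uptime']} and {last['uptime']}")
```

Run against a real `show logging` dump, the same two checks answer both of Lowell's questions from the defender's side: `count_mnemonics` shows whether `COLL` appears once at boot or keeps recurring, and `config_bursts` separates the three back-to-back `vty0` commits (which belong in an incident ticket) from the later change made on the physical console. The `(source)` the router records for a vty session is also what an `access-class` ACL on the vty lines, as Jeremy recommends, would have rejected.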

