Security Incidents mailing list archives

Re: compromised cisco


From: Gordon Ewasiuk <gewasiuk () gnmc net>
Date: Thu, 25 Apr 2002 12:45:51 -0400 (EDT)

Thomas,

Sorry to hear about the router...Rest of my reply is in-line...

On Thu, 25 Apr 2002, Thomas Springer wrote:

> Obviously, one of our external cisco-devices with default-password set was
> compromised:
>
> Anybody knows a script/scanner doing this stuff?

Haven't heard of one specifically for Cisco routers - but the ole port
scan for tcp/23 works wonders.  Then using any number of scripts to grab
service banners.  Such scripts can be found at packetstorm, neworder, and
many other places.  Links:

http://www.packetstormsecurity.com
http://neworder.box.sk   (possible pr0n popup...view in private)

> I know tools like CScan, but none of them changes password and logon-message.
> And anybody has a clue about the password?? (it was, yeah, 'cisco' - but
> the hacker changed it...)

Time for some password recovery...

http://www.cisco.com/warp/public/474/

It's a pretty painless process.  

Good luck on the router.

-gordo



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

