Security Incidents mailing list archives
Strange Cisco Router Logs
From: "Radi Tzvetkov" <radit () logisticare com>
Date: Fri, 20 Jul 2007 15:49:53 -0400
Hello list, I had a power outage on one of my routers. After power came back the router logged the messages below. I know there was nobody on the console and there is no way some one from the team to do the change. Has anyone seen something like it? *Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Initialized *Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Enabled sslinit fn *Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized *Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Disabled *Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up *Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up *Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up *Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up *Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up *Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured from console by console. *Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured from console by console. *Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100101, changed state to down *Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up *Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console *Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed; beginning operation. *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20 *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199 *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20 *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199 *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1 *Jul 15 10:47:38: %SYS-5-RESTART: System restarted -- Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Tue 24-Apr-07 16:18 by prod_rel_team *Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is undergoing a cold start ---------------------------------------------------------- Radi Tzvetkoff Network Engineer II Provado Technologies A Logisticare Company 503 Oak Place, Ste. 550 Atlanta, GA 30349 e-mail: radit () logisticare com tel: 800-486-7642 ext 493 cell: 678-429-6880 ---------------------------------------------------------- -----Original Message----- From: James E. Jones [mailto:ceriofag () yahoo com] Sent: Wednesday, July 11, 2007 12:07 PM To: incidents () securityfocus com Subject: 0day linux 2.6 /dev/mem rootkit found I found one interesting tool on my server, with the name 'Boxer 0.99 BETA3'. It's protected by ELFuck linux executables obfuscator. Google doesn't know anything about it. Now, it is available at http://surfall.net/rel.tar.gz (ELFuck password: 'notdead') Anybody seen it before? ________________________________________________________________________ ____________ Choose the right car based on your needs. Check out Yahoo! Autos new Car Finder tool. http://autos.yahoo.com/carfinder/ ________________________________________________________________________ ____________ Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more. http://mobile.yahoo.com/go?refer=1GNXIC ------------------------------------------------------------------------ - This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8 E ------------------------------------------------------------------------ -- ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E --------------------------------------------------------------------------
Current thread:
- 0day linux 2.6 /dev/mem rootkit found James E. Jones (Jul 12)
- Strange Cisco Router Logs Radi Tzvetkov (Jul 22)
- RE: Strange Cisco Router Logs Dario Ciccarone (dciccaro) (Jul 22)
- <Possible follow-ups>
- Re: 0day linux 2.6 /dev/mem rootkit found lists (Jul 23)
- Strange Cisco Router Logs Radi Tzvetkov (Jul 22)