Security Incidents mailing list archives

hacked box research


From: "Lowell" <lowellt () eetronics com>
Date: Fri, 22 Jun 2001 15:48:19 -0500

Some time ago we had some hacker problems here. We have cleared it up with
the help of securityreports.com by putting in a bunch of ACLs. I have found
out the hard way that if you do not know what an access list is, then you need to.

What the hackers did:
Fed in the Lion worm to deface index pages.
Attempted to gain total control of the router by changing vty to 1, and they were
going to be the one!
Once we disallowed all vty programming they began a DoS attack.

The question I was wondering about was: does anyone know how they were able to get
into the router? What is an excessive collision?

I had restarted the router when I noticed a strange excessive collision.
As soon as the router came back online, this is what was logged.

00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk-to number)
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk-to number)
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk-to number)

I changed the password, after which the router logged 27,000 attempts to
remotely program it in 30 minutes.
After this I had my provider block all remote access.

Since putting the ACLs in place we have not had any problem. I am just
curious how they got in.

Lowell
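The log lines quoted in the post have the standard IOS syslog shape (an uptime stamp, then %FACILITY-SEVERITY-MNEMONIC, then the message), and the SYS-5-CONFIG_I lines name the line (vty0) and the remote address that made each configuration change. The following is an added example, not part of the original post or of anything Lowell ran: a small parser for that format plus a check that flags configuration changes made over a vty from an address outside an allowlist. The sample log is constructed to match the quoted lines; the address 192.0.2.77 is a documentation-range placeholder standing in for the redacted "backbone talk-to number", and the trailing console line is added for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the IOS messages quoted in the post.
# 192.0.2.77 is a placeholder for the redacted source address; the final
# console-sourced line is added so the allowlist check has a negative case.
SAMPLE_LOG = """\
00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
00:30:12: %SYS-5-CONFIG_I: Configured from console by console
"""

# IOS syslog shape: <stamp>: %FACILITY-SEVERITY-MNEMONIC: message text.
# The stamp in the quoted lines is hh:mm:ss of uptime since boot, not wall
# clock time, which is why everything starts near 00:00:00 after the reboot.
LINE_RE = re.compile(
    r"^(?P<uptime>\d{2}:\d{2}:\d{2}): %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# CONFIG_I names the line that did the configuring; vty lines also carry the
# remote address in parentheses, console sessions do not.
CONFIG_RE = re.compile(r"Configured from \S+ by (?P<line>\S+)(?: \((?P<ip>[\d.]+)\))?")


@dataclass
class IosEvent:
    uptime: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def config_source(self) -> Optional[Dict[str, Optional[str]]]:
        """For SYS-5-CONFIG_I events, return the configuring line and remote IP (if any)."""
        if self.facility != "SYS" or self.mnemonic != "CONFIG_I":
            return None
        m = CONFIG_RE.search(self.text)
        if not m:
            return None
        return {"line": m.group("line"), "ip": m.group("ip")}


def parse_ios_log(text: str) -> List[IosEvent]:
    """Parse IOS syslog lines; lines that do not match the shape are skipped."""
    events: List[IosEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(IosEvent(m["uptime"], m["facility"], int(m["severity"]),
                                   m["mnemonic"], m["text"]))
    return events


def flag_remote_config_changes(events: List[IosEvent], allowed_sources: Set[str]) -> List[IosEvent]:
    """Return CONFIG_I events made over a vty from an address not in the allowlist.

    Console-sourced changes are never flagged here: they imply physical access.
    """
    flagged = []
    for ev in events:
        src = ev.config_source
        if src is None or not src["line"].startswith("vty"):
            continue
        if src["ip"] not in allowed_sources:
            flagged.append(ev)
    return flagged


def count_excessive_collisions(events: List[IosEvent]) -> int:
    """Count the Ethernet 'Excessive collisions' reports (mnemonic COLL)."""
    return sum(1 for ev in events if ev.mnemonic == "COLL" and "Excessive collisions" in ev.text)


if __name__ == "__main__":
    evs = parse_ios_log(SAMPLE_LOG)
    # Hypothetical allowlist: the one management host that should ever reach a vty.
    for ev in flag_remote_config_changes(evs, allowed_sources={"192.0.2.10"}):
        src = ev.config_source
        print(f"ALERT {ev.uptime} config change over {src['line']} from {src['ip']}")
    print("excessive collision reports:", count_excessive_collisions(evs))
```

Run against the sample, the three vty0 changes are flagged and the console change is not. The allowlist used for the check should be the same set of hosts the vty `access-class` ACL permits, so a flagged line means either the ACL is missing or something inside the permitted range is misbehaving. Because the stamps are uptime only, correlating with other systems' logs needs `service timestamps log datetime` on the router so that future entries carry a wall-clock time.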

