Security Incidents mailing list archives

Re: compromised cisco


From: <jlewis () lewis org>
Date: Thu, 25 Apr 2002 12:25:53 -0400 (EDT)

On Thu, 25 Apr 2002, Thomas Springer wrote:

> Obviously, one of our external cisco-devices with default-password set was
> compromised:
>
> Anybody knows a script/scanner doing this stuff?
> I know tools like CScan, but none of them changes password and logon-message.
> And anybody has a clue about the password?? (it was, yeah, 'cisco' - but
> the hacker changed it...)

I didn't think there were 'default passwords' on most Cisco gear.  Someone
is running a scanner testing routers for easy passwords, and when they get
in, they lock you out?  That's definitely not nice.  Perhaps you have
syslog enabled and at least know where the access came from?

You're probably going to need console access so you can do 'password
recovery'.  If you search for 'password recovery' at cio.cisco.com, you'll
find instructions for breaking back into just about everything Cisco
makes.

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

