Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Strange Cisco Router Logs

From: "Radi Tzvetkov" <radit () logisticare com>
Date: Fri, 20 Jul 2007 15:49:53 -0400
Hello list,

I had a power outage on one of my routers. After power came back the
router logged the messages below. I know there was nobody on the console
and there is no way some one from the team to do the change. Has anyone
seen something like it? 
 


*Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0  State
changed to: Initialized
*Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0  State
changed to: Enabled sslinit fn

*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0
State changed to: Initialized
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0
State changed to: Disabled
*Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface
VoIP-Null0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed
state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed
state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
*Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from
14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured
from console by console.
*Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from
09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured
from console by console.
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Tunnel100101, changed state to down
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0,
changed state to up
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed;
beginning operation.
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:match address 199

*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:set peer 20.20.20.20

*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged
command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 16:18 by prod_rel_team
*Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is
undergoing a cold start

----------------------------------------------------------
Radi Tzvetkoff
Network Engineer II
Provado Technologies
A Logisticare Company
503 Oak Place, Ste. 550
Atlanta, GA 30349
e-mail: radit () logisticare com
tel: 800-486-7642 ext 493
cell: 678-429-6880
----------------------------------------------------------

-----Original Message-----
From: James E. Jones [mailto:ceriofag () yahoo com] 
Sent: Wednesday, July 11, 2007 12:07 PM
To: incidents () securityfocus com
Subject: 0day linux 2.6 /dev/mem rootkit found

I found one interesting tool on my server, with the
name 'Boxer 0.99 BETA3'. It's protected by ELFuck
linux executables obfuscator. Google doesn't know
anything about it.
Now, it is available at http://surfall.net/rel.tar.gz
(ELFuck password: 'notdead')
Anybody seen it before?


       
________________________________________________________________________
____________
Choose the right car based on your needs.  Check out
Yahoo! Autos new Car Finder tool.
http://autos.yahoo.com/carfinder/


       
________________________________________________________________________
____________
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket:
mail, news, photos & more. 
http://mobile.yahoo.com/go?refer=1GNXIC

------------------------------------------------------------------------
-
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper 
It's as simple as placing additional SQL commands into a Web Form input
box 
giving hackers complete access to all your backend systems! Firewalls
and IDS 
will not stop such attacks because SQL Injections are NOT seen as
intruders. 
Download this *FREE* white paper from SPI Dynamics for a complete guide
to protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8
E
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: