Re: Cisco 'rsh' attacks?

["M. Hirse" <mhirse () justin net>]

I don't know of any Cisco 'rsh' security hole.  I was able to trace the IP
you gave to a bbnplanet dial-up account.  You might want to ask their
security people to get on top of this.  They can look at the Ascend log
and detail file to determine who was this user.  This would give you some
information to take to court incase this person becomes distructive.    

Good luck
Moe

 
On Sun, 12 Apr 1998, Louis Destree wrote:

> Greetings,
>
> Over the past few days, my Cisco logs have shown several attemps of folks
> trying to rsh into my core routers.
>
> These attempts seem to happen within a very brief period of time, and so
> far there have been less than 8 attempts per 'attack' as if run by some
> sort of script.  Below is the output from the latest attempt.  You can see
> there were 4 attempts in 2 seconds.  I'm a pretty fast typist, but I don't
> think I could pull that off by hand. 
>
> Is this the 'next thing' we get to scramble about?  Anyone else having
> these?  Are there any Cisco router related security holes relating to rsh
> that these folks are trying to abuse?
>
> Thanks,
> Louis
> -- 
> Louis A. Destree
> Senior Network Engineer
> FlashNet Communications
> destree () flash net
>
>
> Apr 11 20:13:49 wormhole.flash.net 2279: %RCMD-4-RSHPORTATTEMPT: Attempted
> to connect to RSHELL from 204.167.245.140
> Apr 11 20:13:49 wormhole.flash.net 2280: %RCMD-4-RSHPORTATTEMPT: Attempted
> to connect to RSHELL from 204.167.245.140
> Apr 11 20:13:50 wormhole.flash.net 2281: %RCMD-4-RSHPORTATTEMPT: Attempted
> to connect to RSHELL from 204.167.245.140
> Apr 11 20:13:50 wormhole.flash.net 2282: %RCMD-4-RSHPORTATTEMPT: Attempted
> to connect to RSHELL from 204.167.245.140