Some time ago we had some hacker problems here. We have cleared it up with the help of securityreports.com, putting in a bunch of ACLs. I have found out the hard way that if you do not know what an access list is, then you need to.

What hackers did:

Fed in the Lion worm to deface index pages.
Attempted to gain total control of the router by changing vty to 1, and they were going to be the one!
Once we disallowed all vty programming they began a DoS attack.

The question I was wondering was: does anyone know how they were able to get into the router?

What is an excessive collision? I had restarted the router when I had noticed a strange excessive collision. As soon as the router came back on line this is what is logged.

00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number )
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number )
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number )

I changed the password, after which the router logged 27,000 attempts to remote program in 30 min. After this I had my provider block all remote access. Since putting the ACLs in place we have not had any problem. I am just curious how they got in.

Lowell
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:05:17 PDT