Re: hacked box research

From: Jeremy Sanders (jsandersat_private)
Date: Mon Jun 25 2001 - 06:54:10 PDT

Next message: jason: "Unicode Decode"

Previous message: James.A.Tuckerat_private: "IIS 4 inetinfo and system process port usage"
Maybe in reply to: Lowell: "hacked box research"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is also the possibility that they just brute forced your password if you didn't have an acl on the vty lines. I like to secure a router by disallowing telnet/ssh access completely. Connect a console cable to a secure linux box w/ keyed ssh access only. Then you can ssh into the linux box and minicom the router.

Excessive collisions just mean your getting too many ethernet collisions on the segment that the fast ethernet 0/0 port is attached to. Is this a message you get continually or just at boot-up. If it is only at boot-up I would not worry about it. If it happens all the time, you probably need to look into it. What is the router plugged in to? A switch or hub, 10 meg or 100 meg? What else is using the segment? It would probably be a good idea to setup a sniffer(ie tcpdump or snort) to look at the traffic on the segment behind the router if you have been previously compromised to see if they left something else hanging around that is generating traffic.

Hope this helps,

Jeremy Sanders, CCNP CNE
Advanced Systems Engineer
New South Federal Savings Bank

>>> "Lowell" <lowelltat_private> 06/22/01 03:48PM >>>
Some time ago we had some hacker problems here. We have cleared it up with
the help of securityreports.com putting in a bunch of ACL's. I have found
out the hard way if you do not know what a access list is, then you need to.

What hackers did:
Fed in the Lion worm to deface index pages.
Attempted to gain total control of router by changing vty to 1 and they were
going to be the one!
once we disallowed all vty programming they began a dos attack

The question I as wondering was does anyone know how the were able to get
into the router? What is a excessive collision?

I had restarted the router when I had noticed a strange Excessive collision.
As soon as the router came back on line this is what is logged.

00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1,
changed s
tate to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5,
TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my
backbone talk to number )
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my
backbone talk to number )
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my
backbone talk to number )

I changed the password after which the router logged 27,000 attempts to
remote program in 30 min
After this I had my provider block all remote access

Since putting the acl's in place we have not had any problem. I am just
curious how they got in.

Lowell

Next message: jason: "Unicode Decode"
Previous message: James.A.Tuckerat_private: "IIS 4 inetinfo and system process port usage"
Maybe in reply to: Lowell: "hacked box research"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 12:39:22 PDT