Re: hacked box research

From: Jeremy Sanders (jsandersat_private)
Date: Mon Jun 25 2001 - 06:54:10 PDT


    There is also the possibility that they just brute-forced your password if you didn't have an ACL on the vty lines. I like to secure a router by disallowing telnet/SSH access completely. Connect a console cable to a secure Linux box with keyed SSH access only. Then you can SSH into the Linux box and minicom the router.
    
    Excessive collisions just means you're getting too many Ethernet collisions on the segment that the Fast Ethernet 0/0 port is attached to. Is this a message you get continually, or just at boot-up? If it is only at boot-up, I would not worry about it. If it happens all the time, you probably need to look into it. What is the router plugged in to? A switch or hub, 10 meg or 100 meg? What else is using the segment? It would probably be a good idea to set up a sniffer (i.e. tcpdump or snort) to look at the traffic on the segment behind the router, if you have been previously compromised, to see if they left something else hanging around that is generating traffic.
    
    Hope this helps,
    
    Jeremy Sanders, CCNP CNE
    Advanced Systems Engineer
    New South Federal Savings Bank
    
    >>> "Lowell" <lowelltat_private> 06/22/01 03:48PM >>>
    Some time ago we had some hacker problems here. We have cleared it up with
    the help of securityreports.com, putting in a bunch of ACLs. I have found
    out the hard way: if you do not know what an access list is, then you need to.
    
    What hackers did:
    Fed in the Lion worm to deface index pages.
    Attempted to gain total control of the router by changing vty to 1, and they were
    going to be the one!
    Once we disallowed all vty programming, they began a DoS attack.
    
    The question I was wondering was: does anyone know how they were able to get
    into the router? What is an excessive collision?
    
    I had restarted the router when I had noticed a strange excessive collision.
    As soon as the router came back online, this is what was logged.
    
    00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
    00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
    00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number)
    00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number)
    00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk to number)
    
    I changed the password, after which the router logged 27,000 attempts to
    remote program in 30 min.
    After this I had my provider block all remote access.
    
    Since putting the ACLs in place we have not had any problem. I am just
    curious how they got in.
    
    Lowell
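
    The two things the thread turns on are visible in the IOS log Lowell posted: %SYS-5-CONFIG_I entries showing configuration changes made over a vty from some address, and %AMDP2_FE-5-COLL collision messages whose significance depends on whether they only appear at boot or keep recurring. The script below is an added example, not code from either poster; it parses IOS syslog lines of that shape, flags vty config changes from any address not on an assumed management allowlist, and separates boot-time collisions from persistent ones. The sample log is constructed (it follows the uptime stamps of the excerpt, with RFC 5737 placeholder addresses standing in for the redacted "backbone" IP), and the allowlist, boot window and function names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modeled on the excerpt quoted in the message above.
# Uptime stamps follow the excerpt; addresses are documentation-range
# placeholders (RFC 5737) because the original post redacted them.
SAMPLE_LOG = """\
00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.77)
00:31:52: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
"""

# Assumed allowlist: hosts that are permitted to configure the router over a vty.
MGMT_HOSTS = {"192.0.2.10"}

# One IOS syslog line: uptime stamp, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$"
)
# "Configured from console by vty0 (192.0.2.10)" -> line name and source address
CONFIG_RE = re.compile(r"by (?P<line>vty\d+|console)(?: \((?P<src>[0-9.]+)\))?")


def parse(log_text):
    """Yield (uptime_seconds, facility, severity, mnemonic, text) for each
    line that matches the IOS syslog shape; anything else is skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        uptime = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield uptime, m["fac"], int(m["sev"]), m["mn"], m["text"]


def triage(log_text, mgmt_hosts=MGMT_HOSTS, boot_window=300):
    """Flag vty config changes from hosts outside the allowlist, and split
    collision messages into boot-time (first boot_window seconds of uptime)
    versus persistent ones, per interface."""
    unexpected = []          # (uptime, vty line, source ip)
    collisions = Counter()   # interface -> count after the boot window
    boot_collisions = 0
    for uptime, fac, sev, mn, text in parse(log_text):
        if fac == "SYS" and mn == "CONFIG_I":
            c = CONFIG_RE.search(text)
            # Console changes carry no source address and are not vty access.
            if c and c["line"].startswith("vty") and c["src"] not in mgmt_hosts:
                unexpected.append((uptime, c["line"], c["src"]))
        elif mn == "COLL":
            iface = text.split(",")[0]   # e.g. "AMDP2/FE(0/0)"
            if uptime <= boot_window:
                boot_collisions += 1
            else:
                collisions[iface] += 1
    return {
        "unexpected_vty_config": unexpected,
        "boot_collisions": boot_collisions,
        "persistent_collisions": dict(collisions),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    On the sample above, the third CONFIG_I entry is flagged because its source is not on the allowlist, the 00:01:41 collision is counted as boot-time noise, and the 00:31:52 collision is reported as persistent on AMDP2/FE(0/0). A router that logs CONFIG_I from a vty but has no `access-class` on those lines gives you exactly this picture: a visible change, no evidence of who was allowed to make it.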
    



    This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 12:39:22 PDT