There is also the possibility that they just brute-forced your password if you didn't have an ACL on the vty lines. I like to secure a router by disallowing telnet/ssh access completely. Connect a console cable to a secure Linux box w/ keyed ssh access only. Then you can ssh into the Linux box and minicom the router.

Excessive collisions just mean you're getting too many Ethernet collisions on the segment that the Fast Ethernet 0/0 port is attached to. Is this a message you get continually or just at boot-up? If it is only at boot-up I would not worry about it. If it happens all the time, you probably need to look into it. What is the router plugged in to? A switch or hub, 10 meg or 100 meg? What else is using the segment?

It would probably be a good idea to set up a sniffer (i.e. tcpdump or snort) to look at the traffic on the segment behind the router if you have been previously compromised, to see if they left something else hanging around that is generating traffic.

Hope this helps,

Jeremy Sanders, CCNP CNE
Advanced Systems Engineer
New South Federal Savings Bank

>>> "Lowell" <lowelltat_private> 06/22/01 03:48PM >>>
Some time ago we had some hacker problems here. We have cleared it up with the help of securityreports.com putting in a bunch of ACLs. I have found out the hard way that if you do not know what an access list is, then you need to.

What the hackers did: Fed in the Lion worm to deface index pages. Attempted to gain total control of the router by changing vty to 1 and they were going to be the one! Once we disallowed all vty programming they began a DoS attack.

The question I was wondering was, does anyone know how they were able to get into the router? What is an excessive collision? I had restarted the router when I had noticed a strange Excessive collision. As soon as the router came back on line this is what was logged:
00:01:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.1, changed state to up
00:01:41: %AMDP2_FE-5-COLL: AMDP2/FE(0/0), Excessive collisions, TDR=5, TRC=0.
00:25:43: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk-to number)
00:26:00: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk-to number)
00:26:08: %SYS-5-CONFIG_I: Configured from console by vty0 (ip# was my backbone talk-to number)

I changed the password, after which the router logged 27,000 attempts to remote program in 30 min. After this I had my provider block all remote access. Since putting the ACLs in place we have not had any problem. I am just curious how they got in.

Lowell
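Jeremy's advice above comes down to either an ACL applied to the vty lines or no remote vty access at all. As an added example that is not part of the original thread (not Jeremy's or Lowell's code), here is a small Python audit that reads an IOS running-config as text and flags vty ranges that have no inbound access-class or still accept cleartext telnet. The two sample configs are constructed for the example; the hostname, the ACL number and the 192.0.2.10 management host are placeholders, and the checks are this example's own heuristics, not an IOS feature.

```python
"""Audit a Cisco IOS running-config for vty lines that are reachable without
an inbound ACL or that still accept cleartext telnet.

Added example for this thread, not Jeremy's or Lowell's code. The two sample
configs below are constructed; the hostname, ACL number and the 192.0.2.10
management address are placeholders.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the kind of vty setup the thread warns about. No
# access-class and cleartext telnet, so anyone who can route to the router
# can start guessing the line password.
WEAK_CONFIG = """\
hostname border-rtr
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet
!
"""

# Constructed sample: vty 0-4 restricted to one management host (access-list
# 10) and SSH only; the remaining vty lines have remote access disabled
# entirely, the "disallow telnet/ssh completely" approach from the reply.
HARDENED_CONFIG = """\
hostname border-rtr
!
access-list 10 remark management host only
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
line vty 5 15
 transport input none
!
"""

Finding = Tuple[str, str]  # (vty range, description)


def parse_config(config: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return {vty range: [sub-commands]} and the set of ACL numbers/names defined."""
    vty: Dict[str, List[str]] = {}
    acls: Set[str] = set()
    current = None  # vty range whose indented sub-commands are being collected
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^access-list (\S+)", line) or re.match(
            r"^ip access-list (?:standard|extended) (\S+)", line)
        if m:
            acls.add(m.group(1))
            current = None
            continue
        m = re.match(r"^line vty (\d+)(?: (\d+))?", line)
        if m:
            current = "vty " + " ".join(g for g in m.groups() if g)
            vty[current] = []
            continue
        if line.startswith(" ") and current is not None:
            vty[current].append(line.strip())
        else:
            current = None
    return vty, acls


def audit(config: str) -> List[Finding]:
    """Flag vty ranges that are remotely reachable without an inbound ACL or
    that accept telnet. A range with 'transport input none' is skipped: no
    remote access, nothing to protect."""
    vty, acls = parse_config(config)
    findings: List[Finding] = []
    for rng, cmds in vty.items():
        transport = next((c.split(None, 2)[2] for c in cmds
                          if c.startswith("transport input ")), None)
        if transport == "none":
            continue
        if transport is None:
            findings.append((rng, "no 'transport input' set; platform default applies"))
        elif transport == "all" or "telnet" in transport.split():
            findings.append((rng, f"cleartext telnet allowed (transport input {transport})"))
        acl = next((c.split()[1] for c in cmds
                    if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl is None:
            findings.append((rng, "no inbound access-class; any source can reach the vty"))
        elif acl not in acls:
            findings.append((rng, f"access-class {acl} references an ACL that is not defined"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

Feed it the text of `show running-config` and it reports, per vty range, whether the line is open to any source and whether telnet is still enabled; a dangling `access-class` that names an ACL the config never defines is reported too, since on IOS that leaves the line unprotected rather than closed. The even safer option Jeremy describes, console access only through a locked-down host, shows up in this audit as `transport input none` on every range.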
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 12:39:22 PDT