Re: Code red II crashes cisco 678

From: JAX (jaxat_private)
Date: Mon Aug 06 2001 - 08:10:24 PDT


    Hi Sam, I have tried all those things, setting filters and all that.
    I have the web disabled anyway:
    
    cbos#sh web
    WEB Configuration
    Is not enabled
    Currently accepts connections only from 10.0.0.2
    Currently uses port 81
    
    I have a fixed IP address so setting the filter was not so hard. Anyway my
    ISP has set a filter on port 80 for all the customers until they are sure
    that Code Red vuln. is patched.
    I still get that disconnect on ppp ...
    Any other ideas?
    
    
    From: "Sam" <samat_private>
    Subject: Re: Code red II crashes cisco 678
    
    
    > While I haven't had a chance to try and reproduce this on my 675 running
    > CBOS 2.4.2, I do have a filter put in place that blocks access to port 80
    > on the modem only.  You might try using the 'set filter' command that's
    > part of CBOS.
    >
    > Placing a filter on a IP that is dynamic tends to be a pain, but, it will
    > at least keep your modem from crashing.
    >
    > -Sam
    >
    > On Mon, 6 Aug 2001, JAX wrote:
    >
    > > Hi Geo.
    > >
    > >     Thanx for the advice but it's still crashing. I even changed the web
    > > port to 81, they say it's helping
    > > but it did not help me. My Cbos still loses the ppp connection:
    > >
    > > 25 000:00:42:48 PPP        Info       PPP Termination Acknowledgement on wan0-0
    > > 26 000:00:42:48 PPP        Info       PPP Down Event on wan0-0
    > >
    > > Any idea where this is coming from?
    > >
    > > George Sas
    > > ----- Original Message -----
    > > From: "Geo." <georgerat_private>
    > > Sent: Monday, August 06, 2001 4:43 AM
    > > Subject: Code red II crashes cisco 678
    > >
    > >
    > > > All day I've had customers calling with cisco 678 routers running cbos
    > > > 2.4.2 with the web interface disabled. Seems their routers have been
    > > > crashing.
    > > >
    > > > We traced this back to the code red worm. For some reason even with web
    > > > disabled on these routers port 80 remains open. Simply running a port scan
    > > > and cutting off the connection is enough to crash the router. Locks up
    > > > solid.
    > > >
    > > > I also found a solution, by doing a
    > > >
    > > > set web remote ipaddress
    > > >
    > > > where ipaddress is one of their internal IPs you can prevent outside
    > > > addresses from being able to crash the router.
    > > >
    > > > Just a heads up guys, if you are seeing 678's crashing, give it a try,
    > > > it's working here.
    > > >
    > > > Geo.
    > > >
    > > >
    > > >
    > > >
    > >
    > >
    > >
    >
    >
    


