From owner-freebsd-questions@FreeBSD.ORG Thu Feb 9 12:40:44 2006
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Thu, 09 Feb 2006 07:40:46 -0500
To: Mark Jayson Alvarez
Cc: freebsd-questions@freebsd.org
Message-ID: <43EB384E.7@mac.com>
In-Reply-To: <20060209060705.45093.qmail@web51606.mail.yahoo.com>
Subject: Re: need some advice on our cisco routers..
Mark Jayson Alvarez wrote:
> We have a couple of cisco routers. There was one time when suddenly we could not
> log in remotely via telnet. I investigated further and was shocked when I found
> out that there were 16 telnet connections coming from outsiders' IP addresses. I
> immediately called our Director (the only Cisco certified guy in the office) and
> he began kicking each of the telnet connections one by one. He then replaced
> every "secret/password" and deleted all unnecessary local accounts. However,
> we're still wondering how those hackers got into the system. Now this cisco's
> aaa defaults to a radius server. Since then, outsiders have gone away..
> Perhaps the hackers got one of the router's local accounts, and were trying to
> brute force their way to enable mode.

Did you keep careful logs of who was connecting from where so someone could
start tracking things down?

Have you contacted your local police and FBI, or whatever the local equivalent
is? (Don't bother unless you can claim more than $2000 or so in damages,
however.)

Most importantly, have you contacted Cisco? Asking for security advice about
their routers here is not the right place to gain such information. cisco.com's
got a large, informative site....

-- 
-Chuck
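Chuck's first question (did you keep logs of who connected from where) is the one a defender can act on. As an added illustration that is not part of the thread and not Cisco's or FreeBSD's code, the script below parses the login syslog messages a Cisco IOS router produces when `login on-failure log` and `login on-success log` are configured, and flags the pattern Mark describes: repeated failures from one source, a success from an outside address, and a success that follows a burst of failures. The sample lines are constructed for this example (modelled on the IOS `SEC_LOGIN` message format, with documentation-range addresses), and the RFC 1918 ranges used to define "inside" are an assumption to adjust for a real network.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample syslog lines, modelled on the messages Cisco IOS emits when
# "login on-failure log" and "login on-success log" are configured. They are
# illustrative only and not taken from the mailing-list thread.
SAMPLE_LOG = """\
Feb  9 06:01:02 rtr1 123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 06:01:02 UTC Thu Feb 9 2006
Feb  9 06:01:05 rtr1 124: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 06:01:05 UTC Thu Feb 9 2006
Feb  9 06:01:09 rtr1 125: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 06:01:09 UTC Thu Feb 9 2006
Feb  9 06:02:40 rtr1 126: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 23] at 06:02:40 UTC Thu Feb 9 2006
Feb  9 06:30:11 rtr1 127: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.168.1.10] [localport: 23] at 06:30:11 UTC Thu Feb 9 2006
Feb  9 07:10:00 rtr1 128: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.9] [localport: 23] [Reason: Login Authentication Failed] at 07:10:00 UTC Thu Feb 9 2006
"""

# Pulls the outcome, user name and source address out of a SEC_LOGIN message.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS):"
    r".*?\[user: (?P<user>[^\]]*)\]"
    r".*?\[Source: (?P<src>[^\]]+)\]"
)

# Assumed "inside" address space (RFC 1918); adjust for a real network.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_login_events(text):
    """Return one dict per recognised login line: kind, user, src."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({"kind": m["kind"], "user": m["user"], "src": m["src"]})
    return events


def is_external(src):
    """True when the source address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(text, fail_threshold=3):
    """Flag sources that look like brute-force attempts or unexpected logins.

    Returns a list of (finding, source, detail) tuples:
      brute_force            - at least fail_threshold failures from one source
      external_login         - a successful login from outside the internal ranges
      success_after_failures - a success from a source that also hit the threshold
    """
    failures = Counter()
    successes = defaultdict(set)
    for e in parse_login_events(text):
        if e["kind"] == "LOGIN_FAILED":
            failures[e["src"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    findings = []
    for src, n in failures.items():
        if n >= fail_threshold:
            findings.append(("brute_force", src, n))
    for src, users in successes.items():
        if is_external(src):
            findings.append(("external_login", src, sorted(users)))
        if failures[src] >= fail_threshold:  # Counter returns 0 for unseen keys
            findings.append(("success_after_failures", src, sorted(users)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Two practical points follow from this. The router only emits these messages if login logging was enabled (and sent to a syslog host) before the incident, which is exactly why Chuck asks whether logs were kept; after the fact there is nothing to parse. On the mitigation side, the same IOS login feature set offers `login block-for` to throttle failed attempts, and restricting the vty lines with an `access-class` ACL and moving from telnet to SSH removes the exposure that let outside addresses reach the login prompt at all.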