From: "Gayn Winters" <gayn.winters@bristolsystems.com>
To: "'Chuck Swiger'", "'Mark Jayson Alvarez'"
Cc: freebsd-questions@freebsd.org
Date: Thu, 9 Feb 2006 08:00:00 -0800
Organization: Bristol Systems Inc.
Subject: RE: need some advice on our cisco routers..
In-Reply-To: <43EB384E.7@mac.com>
Message-ID: <07a301c62d91$e4d6d470$6501a8c0@workdog>
Reply-To: gayn.winters@bristolsystems.com

> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chuck Swiger
> Sent: Thursday, February 09, 2006 4:41 AM
> To: Mark Jayson Alvarez
> Cc: freebsd-questions@freebsd.org
> Subject: Re: need some advice on our cisco routers..
>
> Mark Jayson Alvarez wrote:
> > We have a couple of Cisco routers. There was one time when suddenly we
> > could not log in remotely via telnet. I investigated further and was
> > shocked when I found out that there were 16 telnet connections coming
> > from outsiders' IP addresses. I immediately called our Director (the
> > only Cisco-certified guy in the office) and he began kicking each of the
> > telnet connections one by one. He then replaced every "secret/password"
> > and deleted all unnecessary local accounts. However, we're still
> > wondering how those hackers got into the system. Now this Cisco's AAA
> > defaults to a RADIUS server. Since then, outsiders have gone away..
> > Perhaps the hackers got one of the router's local accounts and are
> > trying to brute-force their way to enable mode.
>
> Did you keep careful logs of who was connecting from where so someone
> could start tracking things down? Have you contacted your local police
> and FBI, or whatever the local equivalent is? (Don't bother unless you
> can claim more than $2000 or so in damages, however.)

The last I looked the limit was $5000 for the FBI to accept a complaint; however, due to manpower limitations, a more realistic limit is well over $100,000 (aggregate damage for one attacker, multiple victims) for them even to pay attention. Dealing with the FBI is better these days - they have some good people now.

-gayn
Bristol Systems Inc.
714/532-6776
www.bristolsystems.com