need some advice on our cisco routers..

Chuck Swiger cswiger at mac.com
Thu Feb 9 04:40:45 PST 2006


Mark Jayson Alvarez wrote:
> We have a couple of Cisco routers. There was one time when suddenly we could not
> log in remotely via telnet. I investigated further and was shocked when I found
> out that there were 16 telnet connections coming from outsiders' IP addresses. I
> immediately called our Director (the only Cisco certified guy in the office) and
> he began kicking each of the telnet connections one by one. He then replaced
> every "secret/password" and deleted all unnecessary local accounts. However,
> we're still wondering how those hackers got into the system. Now this Cisco's
> AAA defaults to a RADIUS server. Since then, outsiders have gone away.
> Perhaps the hackers got one of the router's local accounts, and trying to brute
> force their way to enable mode.

Did you keep careful logs of who was connecting from where so someone could
start tracking things down?  Have you contacted your local police and FBI, or
whatever the local equivalent is?  (Don't bother unless you can claim more than
$2000 or so in damages, however.)

Most importantly, have you contacted Cisco?  Asking for security advice about
their routers here is not the right place to gain such information.  cisco.com's
got a large, informative site....

-- 
-Chuck


More information about the freebsd-questions mailing list