A customer reported their connection was intermittent and I've checked the router logs and it seems that someone was trying to configure SSL VPN on the CE router. The hacker was trying to lab up and play around with the router via its console port. The router has AAA/TACACS configured and I suspect the hacker tried a password recovery or disabled AAA by temporarily removing the WAN interface. As a precaution, I've disabled the console port using the no exec line command and locked down the Telnet/VTY lines to our management servers.
*Jan 10 05:04:22.979: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized // HACKER ACTIVATED SSL VPN ON THE ROUTER
*Jan 10 05:04:22.987: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Jan 10 05:04:24.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Jan 10 05:04:24.947: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan 10 05:04:24.947: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jan 10 05:04:24.947: %LINK-3-UPDOWN: Interface Serial0/3/0, changed state to down
*Jan 10 05:04:24.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface SSLVPN-VIF0, changed state to up
*Jan 10 05:04:26.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Jan 10 05:04:26.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jan 10 05:04:26.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to down
*Jan 10 05:04:41 UTC: %LINK-5-CHANGED: Interface Serial0/3/0, changed state to administratively down
*Jan 10 05:04:41 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI2, changed state to up
*Jan 10 05:04:42 UTC: %SYS-5-CONFIG_I: Configured from memory by console
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jan 10 05:04:43 UTC: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 22:00 by prod_rel_team
Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 22:00 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Router uptime is 1 hour, 55 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.124-20.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FTX1218A123
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
12 Voice FXO interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Router#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  up                    up
FastEthernet0/0.1      172.27.103.193  YES NVRAM  up                    up
FastEthernet0/0.3      172.27.103.129  YES NVRAM  up                    up
FastEthernet0/0.800    unassigned      YES unset  up                    up
FastEthernet0/1        unassigned      YES NVRAM  up                    up
FastEthernet0/1.3      172.27.1.234    YES NVRAM  up                    up
FastEthernet0/1.100    172.27.1.86     YES NVRAM  up                    up
FastEthernet0/1.900    172.27.1.90     YES NVRAM  up                    up
Serial0/3/0            unassigned      YES NVRAM  administratively down down
Serial0/3/0.106        61.8.7.6        YES NVRAM  administratively down down
SSLVPN-VIF0            unassigned      NO  unset  up                    up    // A VIRTUAL INTERFACE WAS AUTOMATICALLY CREATED WHEN SSL VPN WAS ACTIVATED
BVI2                   172.26.102.129  YES NVRAM  up                    up
Router(config)#line console 0
Router(config-line)#no exec
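As an added example (not part of the post), here is a small Python triage helper run over the log lines quoted above: it extracts the %PARSER-5-CFGLOG_LOGGEDCMD entries, tags each with the user it was logged under, whether it is crypto/VPN related, and whether it sits within a minute of a %SYS-5-RESTART or a "Configured from memory by console" startup-config load. Cisco IOS crypto images run a known-answer self-test at boot that creates and immediately removes access-list 199 and crypto map NiStTeSt1, and those commands are logged as User:console, so the helper marks them separately so they can be read against the restart line before being attributed to a person. The regexes for "crypto-related" and "self-test" commands and the 60-second window are my own choices.

```python
import re

# Sample input: lines copied from the router log quoted in the post (the author's
# "//" annotations are stripped by the parser).
SAMPLE_LOG = """\
*Jan 10 05:04:22.979: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized // HACKER ACTIVATED SSL VPN ON THE ROUTER
*Jan 10 05:04:42 UTC: %SYS-5-CONFIG_I: Configured from memory by console
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jan 10 05:04:43 UTC: %SYS-5-RESTART: System restarted --
"""

# IOS syslog line: optional '*', "Mon DD HH:MM:SS[.mmm] [TZ]: %FAC-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^\*?[A-Z][a-z]{2}\s+\d+\s+(?P<hms>\d{2}:\d{2}:\d{2})(?:\.\d+)?(?:\s+[A-Z]+)?:\s+"
    r"%[A-Z0-9_]+-\d-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$")
CMD_RE = re.compile(r"User:(?P<user>\S+) logged command:(?P<cmd>.*)$")
# Boot-time crypto known-answer test on IOS crypto images: it builds and tears down
# ACL 199 and crypto map NiStTeSt1 and is logged as User:console, not typed by anyone.
SELF_TEST_RE = re.compile(r"NiStTeSt1|^(no )?access-list 199\b")
# Heuristic (my choice) for commands worth a second look on a CE router.
CRYPTO_RE = re.compile(r"^(no )?(crypto\b|webvpn\b|set peer\b|match address\b)")

def parse(log: str) -> list[tuple[int, str, str]]:
    # Returns (seconds since midnight, mnemonic, message) for every parseable line.
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.split(" //", 1)[0].rstrip())
        if m:
            h, mi, s = (int(x) for x in m["hms"].split(":"))
            events.append((h * 3600 + mi * 60 + s, m["mnem"], m["msg"]))
    return events

def triage(log: str, window: int = 60) -> list[dict]:
    """Extract logged config commands and tag each with its user, whether it touches
    crypto/VPN, whether it matches the boot self-test, and whether it falls within
    `window` seconds of a restart or startup-config load ("Configured from memory")."""
    events = parse(log)
    boot = [t for t, mnem, msg in events
            if mnem == "RESTART" or (mnem == "CONFIG_I" and "from memory" in msg)]
    result = []
    for t, mnem, msg in events:
        c = CMD_RE.search(msg) if mnem == "CFGLOG_LOGGEDCMD" else None
        if c:
            cmd = c["cmd"].strip()
            result.append({"user": c["user"], "cmd": cmd, "crypto": bool(CRYPTO_RE.match(cmd)),
                           "self_test": bool(SELF_TEST_RE.search(cmd)),
                           "near_boot": any(abs(t - b) <= window for b in boot)})
    return result
```

Every command in the quoted log comes back as User:console, within one second of the restart, and all but "set peer" match the self-test pattern; an interactive change from a VTY session would show a different user and no nearby restart.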