[nsp] telnet exploit on 3550 ?
Jim Devane
jim at powerpulse.cc
Mon Dec 1 15:51:03 EST 2003
All,
I am very bummed out and need some help. Over the weekend it appears someone
killed my telnetd on a 3550-48 EMI switch. The easy answer is to simply
reboot the switch, and though it sucks I will probably have to do that. I
know, I know, I will be generating RSA keys and using SSH from now on. =)
However, is there a known exploit against telnet? Below are
the RSH attempts and the TACACS log of what happened and the "sh use". I
cannot clear this line in my switch.
Anybody seen this before or have any suggestions on how to remove a stubborn
user, or know about a possible exploit?
Thanks,
Jim
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5K2L2Q3-M), Version 12.1(13)EA1c, RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 24-Jun-03 19:30 by yenanh
Image text-base: 0x00003000, data-base: 0x008BA984
ROM: Bootstrap program is C3550 boot loader
pwps-esw01 uptime is 17 weeks, 2 days, 12 hours, 19 minutes
System returned to ROM by power-on
System restarted at 00:21:37 PST Sat Aug 2 2003
System image file is "flash:/c3550-i5k2l2q3-mz.121-13.EA1c.bin"
My 3550-48 showing the attempts:
11/30/2003 7:34:57 AM "66.209.64.2" 774: Nov 30 07:41:21.227:
%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 66.14.166.73
11/30/2003 7:34:57 AM "66.209.64.2" 775: Nov 30 07:41:21.387:
%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 66.14.166.73
11/30/2003 8:04:38 AM "66.209.64.1" 1104: Nov 30 08:11:02.050:
%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 66.14.166.73
My TACACS server showing the logins:
11/30/2003 08:11:10 Authen failed GET / HTTP/1.0 .. 66.14.166.73
CS user unknown .. .. tty1 66.209.64.1
11/30/2003 08:10:33 Authen failed ..
66.14.166.73 Unknown .. .. tty1 66.209.64.1
My switch showing the user:
    Line       User       Host(s)              Idle       Location
*  0 con 0     brianb     idle                 00:00:00
   7 vty 6                idle                 05:01:1    bdsl.66.14.166.73.gte.net