[c-nsp] Change Pix passwds, without getting logged?

Terje Bless link at pobox.com
Fri Mar 24 06:00:59 EST 2006


Hi,

We recently had one of our Pix firewalls get compromised, probably through an
unsecured serial console access, and have their passwords changed. Nothing
really out of the ordinary except the Pix is set to log to an external syslog
server and the password change commands are nowhere to be found in the logs.

The Pix is an 525E redundant, Active/Passive, single-context, Routed Mode setup
running PixOS 7.0.4 (UR/FO) with standby logging disabled.

Any of you have any idea how they could have managed to change the passwords
without this change being logged to the external syslog server?


There was an unexpected failover event reflected in the logs at about the right
time so we're speculating that the passwords were changed on the standby Pix and
a failover was either forced or randomly happened at some later point and that
this is why the change was not logged.

However, configuring the pix cluster from the standby unit should have broken
the cluster, and if the standby was made active beforehand the change should
have been logged.

I can envision conceptually how this might have been achieved, but I can't
really see how it would be done in practice.


Any suggestions would be most appreciated!



-- 
“Hath no man's dagger here a point for me?”   - Leonato, Governor of Messina.
                   See Project Gutenberg <URL:http://promo.net/pg/> for more.


More information about the cisco-nsp mailing list