[c-nsp] Change Pix passwds, without getting logged?

Church, Chuck cchurch at netcogov.com
Fri Mar 24 10:08:59 EST 2006


Well, if someone had physical access to the Pix, they probably power
cycled it, and did a password recovery.  A Pix with no power can't send
any syslog messages :)  The standby came up and took over while the
primary was in rommon and being recovered. 


Chuck Church
Network Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services
Enterprise Network Engineering
Home Office - 864-335-9473 
Cell - 864-266-3978
cchurch at netcogov.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Terje Bless
Sent: Friday, March 24, 2006 6:01 AM
To: Cisco NSP
Subject: [c-nsp] Change Pix passwds, without getting logged?

Hi,

We recently had one of our Pix firewalls get compromised, probably through an
unsecured serial console access, and have their passwords changed. Nothing
really out of the ordinary except the Pix is set to log to an external syslog
server and the password change commands are nowhere to be found in the logs.

The Pix is a 525E redundant, Active/Passive, single-context, Routed Mode setup
running PixOS 7.0.4 (UR/FO) with standby logging disabled.

Any of you have any idea how they could have managed to change the passwords
without this change being logged to the external syslog server?


There was an unexpected failover event reflected in the logs at about the right
time so we're speculating that the passwords were changed on the standby Pix and
a failover was either forced or randomly happened at some later point and that
this is why the change was not logged.

However, configuring the pix cluster from the standby unit should have broken
the cluster, and if the standby was made active beforehand the change should
have been logged.

I can envision conceptually how this might have been achieved, but I can't
really see how it would be done in practice.


Any suggestions would be most appreciated!



-- 
"Hath no man's dagger here a point for me?"   - Leonato, Governor of Messina.
                   See Project Gutenberg <URL:http://promo.net/pg/> for more.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


