[c-nsp] many 2960-X rebooting today
Brandon Applegate
brandon at burn.net
Fri Mar 16 14:27:40 EDT 2018
> On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutting at edgetg.com> wrote:
>
> Thanks we have disabled this now - It is in our new build script, these were rolled out a few months ago.
>
> I guess there is no way of seeing if this exploit was executed, perhaps in the crashdump somewhere?
I’m struggling to remember. I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.
The questions become:
- Are you syslogging out to a server that would have caught this?
- Is there any IP in there showing where it originated from?
- If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?
I guess the other thing I’d add - is if there’s any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these. In other words, assume they have a copy of your config and act accordingly.
PS: This is all assuming it was an exploit like this in the first place.
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
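
Added example, not part of the original message: a Python sketch of the two checks the post describes, pulling config-change messages (and any IP they carry) out of collected syslog, and listing type 7 and type 5 credentials in a saved config so they can be rotated. The log lines, config text and function names are constructed for illustration, and the `%SYS-5-CONFIG_I` line layout is an assumption based on typical IOS output.

```python
import re

# Loose match on the message the post recalls (layout assumed from typical IOS output).
CONFIG_MSG = re.compile(r"%SYS-5-CONFIG\w*:\s+Configured from (?P<src>\S+) by (?P<who>.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# keyword, encoding-type digit, encoded value: "password 7 ...", "secret 5 ...", "key 7 ..."
CRED = re.compile(r"\b(?P<kw>key-string|password|secret|key)\s+(?P<type>\d)\s+(?P<val>\S+)")

# Constructed sample data (documentation IP ranges, placeholder secrets).
SYSLOG = [
    "Mar 16 13:01:12 sw1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Mar 16 13:40:55 sw1 46: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "Mar 16 13:52:03 sw1 47: %SYS-5-CONFIG_I: Configured from tftp://198.51.100.7/sw1.cfg by console",
]
CONFIG = """\
enable secret 5 $1$CONSTRUCTED$PLACEHOLDER
enable password 7 CONSTRUCTED
username admin privilege 15 secret 9 $9$CONSTRUCTED
line vty 0 4
 password 7 CONSTRUCTED
"""

def config_events(syslog_lines):
    """Return (source, actor, [ips]) for every config-change message found."""
    events = []
    for line in syslog_lines:
        m = CONFIG_MSG.search(line)
        if m:
            # Search only the matched message so the syslog header is not mistaken for a source.
            events.append((m["src"], m["who"].strip(), IPV4.findall(m.group(0))))
    return events

def credentials_to_rotate(config_text):
    """Return (line_no, type, statement) for type 7 and type 5 credentials, omitting the value."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CRED.search(line)
        if m and m["type"] in ("5", "7"):  # the two types the post names
            hits.append((n, int(m["type"]), line[:m.start("val")].strip()))
    return hits

if __name__ == "__main__":
    for event in config_events(SYSLOG):
        print("config change:", event)
    for hit in credentials_to_rotate(CONFIG):
        print("rotate:", hit)
```
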