[c-nsp] many 2960-X rebooting today

Nick Cutting ncutting at edgetg.com
Fri Mar 16 15:27:41 EDT 2018


I'm reasonably certain it was exploited - the last MSG is related to the bug.

"Stack for process SMI IBC server process running low"


-----Original Message-----
From: Brandon Applegate [mailto:brandon at burn.net] 
Sent: Friday, March 16, 2018 2:28 PM
To: Nick Cutting <ncutting at edgetg.com>
Cc: cisco-nsp mailing list <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] many 2960-X rebooting today



> On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutting at edgetg.com> wrote:
> 
> Thanks we have disabled this now - It is in our new build script, these were rolled out a few months ago.
> 
> I guess there is no way of seeing if this exploit was executed, perhaps in the crashdump somewhere?

I’m struggling to remember.  I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.

The questions become:

-	Are you syslogging out to a server that would have caught this?
-	Is there any IP in there of where it originated from?
	- If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?

I guess the other thing I’d add - is if there’s any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these.  In other words, assume they have a copy of your config and act accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
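
The triage Brandon describes (find the %SYS-5-CONFIG messages in your syslog export, pull out any source IP, and inventory the weak credentials in a config you now assume is copied) can be scripted. The following is an added example, not code from the thread or from Cisco; the syslog and config samples are constructed, the message layouts follow the common IOS form and are an assumption (exact text varies by platform and release), and the "Stack for process SMI IBC server process running low" text is the message Nick quoted above. The type 7 decoder uses the well-known fixed XOR key, which is why Brandon treats type 7 as equivalent to plaintext.

```python
import re
from dataclasses import dataclass

# Forwarded syslog line: "Mon DD HH:MM:SS host <message>" (assumed layout; relays
# often add sequence numbers and a device timestamp, which land in <message>).
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# The message Brandon refers to: who changed the config, and from where.
CONFIG_EVENT = re.compile(
    r"%SYS-5-CONFIG\w*: Configured from (?P<src>.+?) by (?P<who>.+)$"
)
# The message Nick quoted as related to the bug.
SMI_STACK_LOW = re.compile(r"Stack for process SMI IBC server process running low")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "config_change" or "smi_stack_low"
    detail: str    # "from X by Y" for config changes, the matched text otherwise
    ips: tuple     # every IPv4 address found anywhere in the message


def parse_line(line: str):
    """Return a Finding for the two messages of interest, or None."""
    m = SYSLOG_LINE.match(line.strip())
    if not m:
        return None
    host, msg = m.group("host"), m.group("msg")
    ips = tuple(sorted(set(IPV4.findall(msg))))
    c = CONFIG_EVENT.search(msg)
    if c:
        return Finding(host, "config_change",
                       f"from {c.group('src')} by {c.group('who')}", ips)
    if SMI_STACK_LOW.search(msg):
        return Finding(host, "smi_stack_low", SMI_STACK_LOW.pattern, ips)
    return None


def triage(lines):
    return [f for f in (parse_line(l) for l in lines) if f is not None]


def remote_sources(findings):
    """IPs seen on config-change messages: candidates for blocking and abuse reports."""
    return sorted({ip for f in findings if f.kind == "config_change" for ip in f.ips})


# Credential material in a saved config. Type 0 is plaintext, type 7 is reversible,
# type 4 is unsalted SHA-256 and type 5 is MD5-crypt; all are cheap to recover offline.
SECRET_LINE = re.compile(
    r"\b(?:password|secret|key|key-string)\s+(?P<type>[0-9])\s+(?P<val>\S+)"
)
COMMUNITY = re.compile(r"^\s*snmp-server community (?P<val>\S+)")
WEAK_TYPES = ("0", "4", "5", "7")


def find_weak_secrets(config_text):
    """List (line number, kind, line) for every credential that should be rotated."""
    out = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = SECRET_LINE.search(line)
        if m and m.group("type") in WEAK_TYPES:
            out.append((n, f"type {m.group('type')}", line.strip()))
        elif COMMUNITY.match(line):
            out.append((n, "snmp community", line.strip()))
    return out


XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 password: two-digit key offset, then hex bytes XORed with XLAT."""
    s = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(s + i) % len(XLAT)])) for i, b in enumerate(body))


# Constructed sample input (not real logs or config from the thread).
SAMPLE_SYSLOG = """\
Mar 16 13:41:02 sw-acc-07 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.45)
Mar 16 13:41:05 sw-acc-07 %SYS-5-CONFIG_I: Configured from console by console
Mar 16 13:42:18 sw-acc-12 Stack for process SMI IBC server process running low
Mar 16 13:43:00 sw-acc-07 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

SAMPLE_CONFIG = """\
hostname sw-acc-07
enable secret 5 $1$abcd$Q9m1OuzGaGbnnPfOVVhWJ1
username ops password 7 094F471A1A0A
snmp-server community public RO
key chain K1
 key 1
  key-string 7 0822455D0A16
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_SYSLOG.splitlines())
    for f in findings:
        print(f"{f.host:10} {f.kind:14} {f.detail}  ips={f.ips}")
    print("candidate source IPs:", remote_sources(findings))
    for n, kind, line in find_weak_secrets(SAMPLE_CONFIG):
        extra = "  -> " + decode_type7(line.split()[-1]) if kind == "type 7" else ""
        print(f"config line {n}: {kind}: {line}{extra}")
```

Run it against the actual syslog export and the saved startup-config instead of the samples; a config-change message with no address in it (the "by console" case in the sample) is exactly the gap Brandon's second question is about, since it tells you something changed but not from where.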


