RE: Cisco 3560 switch has a ghost in it...keeps trying to auth

From: Adel Abouchaev <adel_at_netmasterclass.net>
Date: Thu, 7 Oct 2010 18:37:15 -0700

The behavior looks like a brute-force attack vector over telnet to guess
usernames with no password. Anything on the radar for the source of this
stuff? If not - any "funny" guys with Metasploit, Backtrack-4 or Retina
having fun on your network?

Adel Abouchaev, CCIE# 12037, CISSP, MCSE

Technical Support Engineer
Netmasterclass LLC, Cisco Learning Partner
RFC821: adel_at_netmasterclass.net
E.164: +18886772669
HTTP: www.netmasterclass.net

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
Sent: Thursday, October 07, 2010 3:52 PM
To: Cisco certification
Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server

Crazy stuff...but I thought this would make an interesting problem for
people to think about.

Every 60 seconds or so:

Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user='' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
Oct 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1
Oct 7 22:53:21.317: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status = GETPASS
Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110
Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out

I haven't figured this one out yet.

thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI# 30482
CEO / President
CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
Email: brad_at_ccbootcamp.com
Toll Free: 877-654-2243
International: +1-702-968-5100
Skype: skype:ccbootcamp?call
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com
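
Added example (not from either post): a Python script that boils the debug aaa authentication output above down to one line per AAA session, so the repeating attempt can be characterised before anyone goes looking for a scanner. For each session id it pulls the line the login arrived on (tty0 is the console line, con 0; a telnet login would come in on a VTY with a different tty number), the AAA method, what was entered at each GETUSER/GETPASS prompt, the final status and abort reason, and the spacing between session starts. The lines for session 1037375110 are a subset of those in Brad's post with the mail wrapping joined; session 1037375111 is constructed here to show the roughly 60-second spacing and does not appear in the post.

```python
import re
from collections import OrderedDict

# Sample IOS "debug aaa authentication" / "debug tacacs" output.
# Session 1037375110: lines copied from the post (a subset, wrapping joined).
# Session 1037375111: CONSTRUCTED for this example to show the ~60 s spacing.
SAMPLE_LOG = """\
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:54:21.402: AAA/AUTHEN/START (1037375111): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:54:21.402: AAA/AUTHEN/START (1037375111): Method=tacacs+ (tacacs+)
Oct 7 22:54:21.655: AAA/AUTHEN (1037375111): status = GETUSER
Oct 7 22:54:28.240: AAA/AUTHEN/CONT (1037375111): continue_login (user='')
Oct 7 22:54:28.450: AAA/AUTHEN (1037375111): status = GETPASS
Oct 7 22:54:30.377: AAA/AUTHEN/CONT (1037375111): continue_login (user='x~xxxx')
Oct 7 22:54:30.890: AAA/AUTHEN (1037375111): status = FAIL
Oct 7 22:54:32.895: AAA/AUTHEN/ABORT: (1037375111) because Login timed out.
"""

# "Oct 7 22:53:21.317: <message>" -- the IOS timestamp carries no year, so the
# time of day is enough for spacing within one capture.
TS_RE = re.compile(r'^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\.(\d+):\s+(.*)$')
# AAA/AUTHEN, AAA/AUTHEN/START, AAA/AUTHEN/CONT and AAA/AUTHEN/ABORT: all carry
# the AAA session id in parentheses; TAC+ and AAA/MEMORY lines are skipped.
SID_RE = re.compile(r'AAA/AUTHEN(?:/START|/CONT|/ABORT)?:?\s*\((\d+)\)')
PORT_RE = re.compile(r"port='([^']*)'")
USER_RE = re.compile(r"continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r'status = (\w+)')
METHOD_RE = re.compile(r'Method=(\S+)')
ABORT_RE = re.compile(r'because (.*?)\.?$')


def _secs(h, m, s, ms):
    return int(h) * 3600 + int(m) * 60 + int(s) + int(ms) / 1000.0


def parse_sessions(text):
    """Group AAA/AUTHEN debug lines by session id, in order of first appearance."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = _secs(*m.groups()[:4]), m.group(5)
        sm = SID_RE.search(msg)
        if not sm:
            continue
        s = sessions.setdefault(sm.group(1), {
            'port': None, 'method': None, 'inputs': [], 'statuses': [],
            'abort': None, 'start': ts, 'end': ts})
        s['end'] = ts
        pm = PORT_RE.search(msg)
        if pm:
            s['port'] = pm.group(1)
        mm = METHOD_RE.search(msg)
        if mm:
            s['method'] = mm.group(1)
        um = USER_RE.search(msg)
        if um:
            # The value echoed on each CONT: what was typed at the current
            # prompt (the post masks the last one as x~xxxx).
            s['inputs'].append(um.group(1))
        stm = STATUS_RE.search(msg)
        if stm:
            s['statuses'].append(stm.group(1))
        if '/ABORT' in msg:
            am = ABORT_RE.search(msg)
            s['abort'] = am.group(1) if am else ''
    return sessions


def start_intervals(sessions):
    """Seconds between consecutive session starts; a steady value means a
    timer-driven source rather than an interactive one."""
    starts = [s['start'] for s in sessions.values()]
    return [round(b - a, 3) for a, b in zip(starts, starts[1:])]


def summarize(sessions):
    out = []
    for sid, s in sessions.items():
        final = s['statuses'][-1] if s['statuses'] else '?'
        out.append("session %s port=%s method=%s inputs=%r final=%s abort=%r dur=%.1fs"
                   % (sid, s['port'], s['method'], s['inputs'], final,
                      s['abort'], s['end'] - s['start']))
    return out


if __name__ == '__main__':
    sess = parse_sessions(SAMPLE_LOG)
    for line in summarize(sess):
        print(line)
    print("seconds between session starts:", start_intervals(sess))
```

Run it on the raw debug output (saved from the terminal) instead of SAMPLE_LOG; if every session reports port=tty0, the thing to check is what is cabled to the console port, not the VTYs.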

Blogs and organic groups at http://www.ccie.net
Received on Thu Oct 07 2010 - 18:37:15 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART