Re: Cisco 3560 switch has a ghost in it...keeps trying to auth

From: Bilal Hansrod <bilal.hansrod_at_gmail.com>
Date: Fri, 8 Oct 2010 13:54:15 +1100

What about running show processes and looking for unusual processes?

Thanks & Regards,
Bilal Hansrod

Sent from my iPhone

On 08/10/2010, at 12:37 PM, "Adel Abouchaev" <adel_at_netmasterclass.net>
wrote:

> The behavior looks like a brute-force attack vector over telnet to guess
> usernames with no password. Anything on the radar for the source of this
> stuff? If not - any "funny" guys with Metasploit, Backtrack-4 or Retina
> having fun on your network?
>
> Adel Abouchaev, CCIE# 12037, CISSP, MCSE
>
> Technical Support Engineer
> Netmasterclass LLC, Cisco Learning Partner
> RFC821: adel_at_netmasterclass.net
> E.164: +18886772669
> HTTP: www.netmasterclass.net
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Brad Ellis
> Sent: Thursday, October 07, 2010 3:52 PM
> To: Cisco certification
> Subject: Cisco 3560 switch has a ghost in it...keeps trying to auth to an ACS server
>
> Crazy stuff...but I thought this would make an interesting problem for
> people to think about.
>
> Every 60 seconds or so:
>
> Oct 7 22:53:21.317: AAA/MEMORY: free_user_quiet (0x27804D8) user='' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
> Oct 7 22:53:21.317: AAA: parse name=tty0 idb type=-1 tty=-1
> Oct 7 22:53:21.317: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
> Oct 7 22:53:21.317: AAA/MEMORY: create_user (0x27804D8) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): using "default" list
> Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:21.317: TAC+: send AUTHEN/START packet ver=192 id=1037375110
> Oct 7 22:53:21.569: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
> Oct 7 22:53:21.569: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:21.644: AAA/AUTHEN/CONT (1037375110): continue_login (user='(undef)')
> Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:21.644: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:21.644: TAC+: send AUTHEN/CONT packet id=1037375110
> Oct 7 22:53:21.846: TAC+: ver=192 id=1037375110 received AUTHEN status = GETUSER
> Oct 7 22:53:21.846: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:28.179: AAA/AUTHEN/CONT (1037375110): continue_login (user='')
> Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): status = GETUSER
> Oct 7 22:53:28.179: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:28.179: TAC+: send AUTHEN/CONT packet id=1037375110
> Oct 7 22:53:28.380: TAC+: ver=192 id=1037375110 received AUTHEN status = GETPASS
> Oct 7 22:53:28.380: AAA/AUTHEN (1037375110): status = GETPASS
> Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
> Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): status = GETPASS
> Oct 7 22:53:30.310: AAA/AUTHEN (1037375110): Method=tacacs+ (tacacs+)
> Oct 7 22:53:30.310: TAC+: send AUTHEN/CONT packet id=1037375110
> Oct 7 22:53:30.813: TAC+: ver=192 id=1037375110 received AUTHEN status = FAIL
> Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
> Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
> Oct 7 22:53:32.818: TAC+: send abort reason=Login timed out
>
> I haven't figured this one out yet.
>
> thanks,
> Brad Ellis
> CCIE#5796 (R&S / Security)
> CCSI# 30482
> CEO / President
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Email: brad_at_ccbootcamp.com
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

Received on Fri Oct 08 2010 - 13:54:15 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:05 ART
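As an added example (not code from the thread, Cisco, or the ACS side), a small Python parser for the AAA/AUTHEN debug lines Brad quoted: it groups them by AAA session id and flags lines (ttys) where every login that was started ended in FAIL or "Login timed out", which is the once-a-minute pattern in the post. The sample lines below are constructed in that format; their session ids, timestamps and the tty1 session are assumptions, not the poster's data.

```python
import re
# Constructed sample in the shape of the "debug aaa authentication" lines quoted in the
# thread; the session ids, timestamps and the tty1 session are made up, not the poster's.
SAMPLE_DEBUG = """\
Oct 7 22:53:21.317: AAA/AUTHEN/START (1037375110): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:53:30.301: AAA/AUTHEN/CONT (1037375110): continue_login (user='x~xxxx')
Oct 7 22:53:30.813: AAA/AUTHEN (1037375110): status = FAIL
Oct 7 22:53:32.818: AAA/AUTHEN/ABORT: (1037375110) because Login timed out.
Oct 7 22:54:21.320: AAA/AUTHEN/START (1037375111): port='tty0' list='' action=LOGIN service=LOGIN
Oct 7 22:54:30.815: AAA/AUTHEN (1037375111): status = FAIL
Oct 7 22:54:32.820: AAA/AUTHEN/ABORT: (1037375111) because Login timed out.
Oct 7 22:55:01.000: AAA/AUTHEN/START (1037375112): port='tty1' list='' action=LOGIN service=LOGIN
Oct 7 22:55:04.500: AAA/AUTHEN (1037375112): status = PASS
"""
START_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
CONT_RE = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
ABORT_RE = re.compile(r"AAA/AUTHEN/ABORT: \((\d+)\) because (.*)")

def parse_sessions(text):
    """Group debug lines by AAA session id: port, usernames offered, statuses, abort reason."""
    sessions = {}
    for line in text.splitlines():
        if m := START_RE.search(line):
            sessions[m[1]] = {"port": m[2], "users": [], "statuses": [], "abort": None}
        elif m := CONT_RE.search(line):
            if m[2] not in ("", "(undef)"):  # empty prompts before a name is typed
                sessions[m[1]]["users"].append(m[2])
        elif m := STATUS_RE.search(line):
            sessions[m[1]]["statuses"].append(m[2])
        elif m := ABORT_RE.search(line):
            sessions[m[1]]["abort"] = m[2].rstrip(".")
    return sessions

def summarize_ports(sessions):
    """Per line (tty): logins started, logins that ended in FAIL or an abort, names offered."""
    summary = {}
    for s in sessions.values():
        port = summary.setdefault(s["port"], {"starts": 0, "failures": 0, "users": set()})
        port["starts"] += 1
        if "FAIL" in s["statuses"] or s["abort"] is not None:
            port["failures"] += 1
        port["users"].update(s["users"])
    return summary

def suspicious_ports(text, min_failures=2):
    """Lines where every login started has failed or timed out: the pattern in the thread."""
    summary = summarize_ports(parse_sessions(text))
    return sorted(p for p, v in summary.items()
                  if v["failures"] >= min_failures and v["failures"] == v["starts"])
```

Run it over a captured "debug aaa authentication" buffer; a tty that keeps showing up in suspicious_ports with the same odd username is the line to go and look at (what is physically or logically attached to it), which is a cheaper first step than tracing the TACACS+ traffic.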