
| Subject: | Strange Cisco Router Logs |
|---|---|
| Date: | Fri, 20 Jul 2007 15:49:53 -0400 |
Hello list,

I had a power outage on one of my routers. After power came back the router logged the messages below. I know there was nobody on the console and there is no way for someone from the team to have made the change. Has anyone seen something like it?

```
*Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Initialized
*Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Enabled
sslinit fn
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Disabled
*Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100101, changed state to down
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 16:18 by prod_rel_team
*Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is undergoing a cold start
```

----------------------------------------------------------
Radi Tzvetkoff
Network Engineer II
Provado Technologies
A Logisticare Company
503 Oak Place, Ste. 550
Atlanta, GA 30349
e-mail: radit@logisticare.com
tel: 800-486-7642 ext 493
cell: 678-429-6880
----------------------------------------------------------

-----Original Message-----
From: James E. Jones [mailto:ceriofag@yahoo.com]
Sent: Wednesday, July 11, 2007 12:07 PM
To: incidents@securityfocus.com
Subject: 0day linux 2.6 /dev/mem rootkit found

I found one interesting tool on my server, with the name 'Boxer 0.99 BETA3'. It's protected by ELFuck linux executables obfuscator. Google doesn't know anything about it. Now, it is available at http://surfall.net/rel.tar.gz (ELFuck password: 'notdead')

Anybody seen it before?
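One way to triage the router log quoted in the message above, as an added example that is not part of the original post: it extracts each `%PARSER-5-CFGLOG_LOGGEDCMD` entry, records the logged user, and marks whether the command appears before the `%SYS-5-RESTART` banner and whether a later `no ...` command removed it. The function name `triage`, the record fields, and treating lines before the restart banner as the boot sequence are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the log quoted in the post above.
SAMPLE_LOG = """\
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
"""

# "*Jul 15 10:47:37: %FACILITY-SEVERITY-MNEMONIC: text"
MSG = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): ?(?P<body>.*)$")
CMD = re.compile(r"^User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


def triage(log_text):
    """Return one record per logged configuration command, in log order."""
    records, restart_at = [], None
    for line in log_text.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue  # banner continuation lines carry no %FACILITY tag
        if m["tag"] == "SYS-5-RESTART" and restart_at is None:
            restart_at = len(records)
        elif m["tag"] == "PARSER-5-CFGLOG_LOGGEDCMD":
            c = CMD.match(m["body"])
            if c:
                records.append({"ts": m["ts"], "user": c["user"], "cmd": c["cmd"].strip()})
    negations = [(i, r["cmd"][3:]) for i, r in enumerate(records) if r["cmd"].startswith("no ")]
    for i, r in enumerate(records):
        # Assumption: entries before the first SYS-5-RESTART banner belong to the boot sequence.
        r["during_boot"] = restart_at is not None and i < restart_at
        # Reverted: a later "no <prefix>" names this command or a leading part of it.
        # Sub-mode lines (match/set/exit) are not matched; they go away with their parent.
        r["reverted"] = not r["cmd"].startswith("no ") and any(
            j > i and (r["cmd"] + " ").startswith(target + " ") for j, target in negations)
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["ts"], rec["user"], rec["during_boot"], rec["reverted"], rec["cmd"])
```
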