Network Security Incidents

RE: Strange Cisco Router Logs

Subject: RE: Strange Cisco Router Logs
Date: Sun, 22 Jul 2007 14:57:09 -0400
 
Radi:

        Hi there. This is Dario Ciccarone from the Cisco PSIRT -
Product Security Incident Response Team.

        Those messages are part of the autotest being performed on the
crypto accelerator during bootup. While they might look
worrisome to you, the fact that they are being printed/logged is
purely cosmetic and doesn't affect in any way normal device
operation.

        If you still have additional questions, feel free to open a TAC
case. Information on how to contact TAC can be found at 

        http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

        Thanks,
        Dario

Dario Ciccarone <dciccaro@cisco.com>
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
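As an added illustration, not part of the thread and not Cisco's code: a small Python classifier that parses IOS syslog lines like those quoted below and separates the boot-time crypto-accelerator self-test (the access-list 199 / crypto map NiStTeSt1 commands, created and then removed within seconds of the "Configured from memory" boot marker) from any other console configuration change, which a defender should still account for. The sample log, the 60-second boot window and the final "permit ip any any" line are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed sample modelled on the IOS syslog lines quoted in the thread below;
# the final line is a hypothetical operator command added to show a real change.
SAMPLE_LOG = """\
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
*Jul 15 11:02:10: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit ip any any
"""
LINE_RE = re.compile(r'^\*?([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: %(\S+): (.*)$')
CMD_RE = re.compile(r'User:(\S+) +logged command:(.*)$')
# The commands the crypto-accelerator self-test issues at boot, per the quoted log.
SELFTEST_CMDS = {
    'access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20',
    'crypto map NiStTeSt1 10 ipsec-manual', 'match address 199', 'set peer 20.20.20.20',
    'exit', 'no access-list 199', 'no crypto map NiStTeSt1',
}
BOOT_WINDOW_SEC = 60  # assumption: the self-test runs within a minute of the boot marker

def parse(line, year=2007):
    """Split an IOS syslog line into (timestamp, message code, text); None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S'), m.group(2), m.group(3)

def classify_console_commands(log_text):
    """Return [(timestamp, command, verdict)] per logged config command: 'boot-selftest'
    for the known sequence right after boot, 'review' for any other console change."""
    boot_time, results = None, []
    for ts, code, msg in filter(None, map(parse, log_text.splitlines())):
        if code == 'SYS-5-CONFIG_I' and 'from memory' in msg:
            boot_time = ts  # startup config loaded from NVRAM marks a (re)boot
        elif code == 'PARSER-5-CFGLOG_LOGGEDCMD' and (cm := CMD_RE.search(msg)):
            user, cmd = cm.group(1), cm.group(2).strip()
            in_window = boot_time is not None and 0 <= (ts - boot_time).total_seconds() <= BOOT_WINDOW_SEC
            expected = user == 'console' and cmd in SELFTEST_CMDS and in_window
            results.append((ts, cmd, 'boot-selftest' if expected else 'review'))
    return results
```

Anything that comes back as 'review' is a console-sourced change outside the self-test pattern and deserves the same scrutiny as any unexpected %PARSER-5-CFGLOG_LOGGEDCMD entry.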
 

-----Original Message-----
From: Radi Tzvetkov [mailto:radit@logisticare.com] 
Sent: Friday, July 20, 2007 3:50 PM
To: incidents@securityfocus.com
Subject: Strange Cisco Router Logs

Hello list,

I had a power outage on one of my routers. After power came
back the router logged the messages below. I know there was
nobody on the console and there is no way for someone from the
team to have done the change. Has anyone seen something like it?
 


*Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Initialized
*Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Enabled sslinit fn
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Disabled
*Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured from console by console.
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100101, changed state to down
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 16:18 by prod_rel_team
*Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is undergoing a cold start

----------------------------------------------------------
Radi Tzvetkoff
Network Engineer II
Provado Technologies
A Logisticare Company
503 Oak Place, Ste. 550
Atlanta, GA 30349
e-mail: radit@logisticare.com
tel: 800-486-7642 ext 493
cell: 678-429-6880
----------------------------------------------------------

-----Original Message-----
From: James E. Jones [mailto:ceriofag@yahoo.com] 
Sent: Wednesday, July 11, 2007 12:07 PM
To: incidents@securityfocus.com
Subject: 0day linux 2.6 /dev/mem rootkit found

I found one interesting tool on my server, with the
name 'Boxer 0.99 BETA3'. It's protected by ELFuck
linux executables obfuscator. Google doesn't know
anything about it.
Now, it is available at http://surfall.net/rel.tar.gz
(ELFuck password: 'notdead')
Anybody seen it before?

--------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------
