
Traffic into vty line between LIIN0 and an unknown foreign address

Francisco87
Level 1

Hi guys,

I have on my C3850 something weird ...

All my vty lines are used by an unknown machine (screenshot below).

I tried some commands like "clear line vty" or "clear tcp bcp ###" etc., but this machine (192.168.1.2) still opens telnet connections between LIIN0 (192.168.1.1) and the foreign address (192.168.1.2) on my vty lines ...

Has anybody here seen this before, and what can I do?

Thanks in advance (sorry for my language and syntax in my first post here ^^)

[Attached screenshots: line.png, line2.png, line3.png, line4.png, line5.png]


Jeroen Huysmans
Level 1

Are you running some special stuff on this device?

LIIN = Linux-IOS Internal Network

Jeroen

That being said, there seems to be a bug which has many similarities:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj90227

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20131224-CVE-2013-6979

 

Are you running the listed software releases?

Hi Jeroen,

Thanks for your answer.

My stack is running this version: 03.02.03SE.

Does it mean that there is an attack on my LAN?

How can I fix it?

Thanks a lot

You run a version that matches the affected versions on a 3850. This makes you vulnerable to this bug.

I cannot confirm if you're compromised or not as I have no further knowledge of your network.

Please read the bug report and try to verify if it's worth performing an upgrade or not. They also provide a workaround.

Jeroen

Do you have any tips to find the MAC address of this machine's IP (192.168.1.2) with some Cisco command or something else?
NB: I fixed it with an access-list on the vty line, but I'm insightful and would like to know what happened ;)
Thanks Jeroen

Hi,

No idea... I don't think the embedded Linux is accessible. That would probably be the place to check the ARP cache for that specific IP and retrieve the MAC.

Jeroen
