Verify IOS MD5 Hash, Possible Compromised Switch

I have a Cisco C2960 in production which was compromised. The switch has been pulled and I'm trying to determine if the IOS image was tampered with.

 

Since the switch is End-of-Life / End-of-Support, I'm unable to get from Cisco what the hash is to validate the authenticity of the image. I'm throwing a Hail Mary and hoping someone has the MD5 hash for the following image to verify against what I have.

 

Version 12.2(53)SE2

c2960-lanbasek9-mz.122-53.SE2.bin

 

Any help is highly appreciated, or if someone can direct me to where I may be able to find this info I will be forever indebted. 

 

Thanks,

Andres

2 Replies

marce1000
Hall of Fame

 

 - Perhaps you could just install this gold-starred release:

            https://software.cisco.com/download/home/281231709/type/280805680/release/12.2.55-SE12

 where you can still verify the md5sum (as it is available for download).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Leo Laohoo
Hall of Fame

Do you have a Cisco SE/AM?  If you do, reach out to them.  Cisco PSIRT has published some references and procedures on what-to-do and what-to-collect if operators suspect a Cisco appliance has been compromised.  (I am unable to find that document.)

Another thing, describe the "compromise".  

My first guess is Smart Install (aka "vstack") was left enabled.