Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
915
Views
15
Helpful
2
Replies

Hacked MXP - Edge95 making secure

Fabian Tscherner
Level 1
Level 1

‎01-11-2013 06:01 AM - edited ‎03-18-2019 12:25 AM

Hi all,

a customer runs a Edge 95 directly on a S-DSL Line - without any FW in front of it.

The MXP also has some BRI connections.

It seems that the system has been hacked and caused to dial out telephone numbers in south american area.

What he can do make the Edge 95 secure as possible (F6.4)?

admin and root password was 10 characters long and includes big and small characters and digits.

Is it correct, that admin and root password are the same on this device?

Is there any "access-log" on the Edge95 which we could check, when and from which account, which port, from which ip adress etc. the access happend?

Regards,

Fabian

Labels:
0 Helpful
2 Replies 2

Martin Koch
VIP Alumni
VIP Alumni

‎01-11-2013 06:49 AM

Hi Fabian!

There are some bugs like: CSCtq46488 or CSCtq46500 .

I do not want to exclude that there are other (remote) vulnurabilities in older

software versions as well. I think the 6.4 is like 3-4 years old.

Also snmp mitght be an entry point as well to remote control the system.

Do you know how it was exploitet? Does the system have multisite, so that they

did one IP call and bridged it with a ISDN call, or did they just call out to a expensive

number to generate traffic?

I am not aware that there is some kind of service or real root account present to access

the file system / core. So from what I remember the root account is like you said a mapped admin acount

(or vice versa).

It might be interesting to check the call history, but this only shows something unless it was rebooted.

I am not aware that there are any other logs, If you had it connected to TMS or some SNMP trap host

you might find some more details there.

The best would have been to debug it while the exploit was still running.

So what I would do:

* place a firewall upfront the system to block the management ports (snmp, ftp, telnet, ssh, http, https, ...)

* reset the ip password to something secure

* upgrade the endpoint to F9.3

* enable secure management (https / ssh) and disable ftp, telnet, http, snmp

* if sip is not needed, disable sip (many anoying scans which let the system ring happen on sip)

An other option is to connect it to a VCS-E, that allows the system to be behind a firewall

wich only needs oubound connections and their answers back in, but not inbound connections to the system itself.

Please remember to rate helpful responses and identify

Fabian Tscherner
Level 1
Level 1
In response to Martin Koch

‎01-17-2013 12:49 AM

Hi Martin,

thank you very much for your fast reply.

There are very usefull hints to make a VC device as secure as possible in such a easy scenario.

My contact can't say anything about how it was exploited. He also turned the system off after they recogniced the attack - so we also haven't a callhistory which could be interesting.

With your help I was able to give some good hints to make this system more secure.

Thanks again!

Best regards,

Fabian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents