
VCS Expressway strange issue

rodolfo.davila

Hi,

My VCS Expressway is constantly reporting the following error:

httpd[28261]: [auth_basic:error] [pid 28261] [client xxxxxxxx] AH01617: user admin: authentication failure for "/getxml": Password Mismatch, referer:
httpd[28261]: [authnz_external:error] [pid 28261] [client xxxxxxxx] AuthExtern taa_chkpasswd_ro [/bin/taa-chkpasswd --realm apiadmin --no-session --check-role all=ro]: Failed (1) for user admin, referer:
httpd[28260]: [auth_basic:error] [pid 28260] [client xxxxxxxx] AH01614: client used wrong authentication scheme: /getxml, referer:

I was trying to resolve the problem but I have not resolved it.

Can you suggest how to solve it?


Paul Woelfel

Place your Expressway behind a firewall or implement firewall rules blocking the admin services from the internet. This feature is available starting from X7.2.

Regards, Paul

Though what Paul said is not wrong, it might not necessarily be the main cause here.

At least it does not look like a dummy scan from the internet, as it accesses an API URI with the right username. So either it is a very sophisticated hack attack or, what I would guess more, you have some management software (like TMS) running.

It can happen that the admin password was changed on the VCS but not on the TMS.

What does the "xxxxxxxx" say in real, does it ring a bell what server that is?

If it's TMS, go to the system navigator, find the VCS-E, and check under connection that the password is ok.

Please remember to rate helpful responses and identify

Hi Martin,

The VCS Expressway is in a DMZ using static NAT. The xxxxx is the IP of the firewall. The TMS was monitoring the Expressway but I purged it in the TMS, and the problem is still there.

Best regards,

Hi Rodolfo,

Please connect to the VCSE via serial cable, reboot the device, and post the messages you see on the monitor during the reboot.

Also what version of VCS software are you running?

regards,

Ahmad

Hi Guyz..

I am getting the same event logs on VCSC. I have TMS as well. We are using Jabber Movi, and Jabber Video calls are not connecting. Whenever I called someone, that guy gets a missed call from me and this log is generated on VCSC.

Can you please help me? How to solve it?

 

httpd[6231]: [auth_basic:error] [pid 6231] [client 172.27.68.145:60573] AH01617: user admin: authentication failure for "/getxml": Password Mismatch 

httpd[6231]: [authnz_external:error] [pid 6231] [client 172.27.68.145:60573] AuthExtern taa_chkpasswd_ro [/bin/taa-chkpasswd --realm apiadmin --no-session --check-role all=ro]: Failed (1) for user admin  

@Martin

 

This seems to be a sophisticated hack. My box was compromised by a Chinese IP. The FW was picking up a lot of traffic from my VCSE in the DMZ to the mail server, to which I have no connections set up. I tried factory resetting my box but I don't see a true factory reset, only a reset level 3. After the box came back up I created a new administrator account and disabled the admin account, and started seeing the error that was in the original post.

Is there any way to do a true factory reset?

 

This was in the event log that made me think it was compromised.

2014-09-17T12:12:44-04:00           sshd[1291]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 61.152.108.18: 11: Bye Bye" UTCTime="2014-09-17 16:12:44"

2014-09-17T12:12:44-04:00           sshd[1291]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user pi" UTCTime="2014-09-17 16:12:44"

2014-09-17T12:12:44-04:00           sshd[1286]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user pi from 61.152.108.18" UTCTime="2014-09-17 16:12:44"

2014-09-17T12:12:42-04:00           sshd[1286]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 61.152.108.18 port 54090" UTCTime="2014-09-17 16:12:42"

2014-09-17T12:12:42-04:00           sshd[1286]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2014-09-17 16:12:42"

2014-09-17T12:12:42-04:00           sshd[1275]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 61.152.108.18: 11: Bye Bye" UTCTime="2014-09-17 16:12:42"

2014-09-17T12:12:33-04:00           sshd[1274]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 61.152.108.18 port 53089" UTCTime="2014-09-17 16:12:33"

2014-09-17T12:12:33-04:00           sshd[1274]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2014-09-17 16:12:33"

2014-09-17T12:12:33-04:00           sshd[1271]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 61.152.108.18: 11: Bye Bye" UTCTime="2014-09-17 16:12:33"

2014-09-17T12:12:30-04:00           sshd[1267]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 61.152.108.18 port 52711" UTCTime="2014-09-17 16:12:30"

2014-09-17T12:12:30-04:00           sshd[1267]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2014-09-17 16:12:30"

2014-09-17T12:12:29-04:00           sshd[1266]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 61.152.108.18: 11: Bye Bye" UTCTime="2014-09-17 16:12:29"

2014-09-17T12:12:29-04:00           sshd[1266]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user pi" UTCTime="2014-09-17 16:12:29"

2014-09-17T12:12:29-04:00           sshd[1265]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user pi from 61.152.108.18" UTCTime="2014-09-17 16:12:29"

Need to get SmartNet since I can't upgrade past 7.x.

 

Any help would be great.

 

Try logging in as root via serial cable and execute /sbin/factory-reset

If that doesn't work, suggest opening a case with TAC, assuming you have a valid service contract in place.

We only allow SSH to the VCS-E from the inside by the way, used to see a lot of break-in attempts prior to doing that.

/jens

Please rate replies and mark question(s) as "answered" if applicable.
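
An added example, not part of any post in this thread: a triage script for the two log formats quoted above. It groups httpd Basic-auth failures and sshd "Invalid user" events by source address, so that repeated failures for one account on the API URI can be told apart from SSH username guessing. The sample lines are constructed in the thread's formats with documentation-range addresses, and the classification labels are an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the thread
# (addresses are documentation ranges, not values from the posts).
SAMPLE_LOG = """\
httpd[6231]: [auth_basic:error] [pid 6231] [client 192.0.2.10:60573] AH01617: user admin: authentication failure for "/getxml": Password Mismatch
httpd[6231]: [authnz_external:error] [pid 6231] [client 192.0.2.10:60573] AuthExtern taa_chkpasswd_ro [/bin/taa-chkpasswd --realm apiadmin --no-session --check-role all=ro]: Failed (1) for user admin
httpd[6232]: [auth_basic:error] [pid 6232] [client 192.0.2.10:60574] AH01617: user admin: authentication failure for "/getxml": Password Mismatch
2014-09-17T12:12:44-04:00 sshd[1286]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user pi from 198.51.100.7" UTCTime="2014-09-17 16:12:44"
2014-09-17T12:12:29-04:00 sshd[1265]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user test from 198.51.100.7" UTCTime="2014-09-17 16:12:29"
"""

# mod_auth_basic failure: client address (port dropped), account, URI.
HTTP_FAIL = re.compile(
    r'\[client (?P<ip>[\d.]+)(?::\d+)?\] AH01617: user (?P<user>\S+): '
    r'authentication failure for "(?P<uri>[^"]+)"')
# sshd event for an account name that does not exist on the box.
SSH_INVALID = re.compile(
    r'Detail="Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"')

def triage(log_text):
    """Count API auth failures and SSH invalid-user events per source IP."""
    stats = defaultdict(lambda: {"api_fail": 0, "api_users": set(),
                                 "ssh_invalid": 0, "ssh_users": set()})
    for line in log_text.splitlines():
        m = HTTP_FAIL.search(line)
        if m:
            stats[m["ip"]]["api_fail"] += 1
            stats[m["ip"]]["api_users"].add(m["user"])
            continue
        m = SSH_INVALID.search(line)
        if m:
            stats[m["ip"]]["ssh_invalid"] += 1
            stats[m["ip"]]["ssh_users"].add(m["user"])
    return dict(stats)

def classify(s):
    """Assumed heuristic: label a source by the kind of failures it produced."""
    if s["ssh_invalid"]:
        return "ssh-username-guessing"
    if s["api_fail"] and len(s["api_users"]) == 1:
        return "possible-stale-api-credential"
    return "review"

if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_LOG).items()):
        print(ip, classify(s), s["api_fail"], s["ssh_invalid"])
```

If the client field shows the firewall's address, as the original poster reports, the real source has to be read from the firewall's own connection logs.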
