Intrusion event involving set peer command

ashley1234
Level 1

My router is Cisco 871, IOS 12.4. I have been subject to hacking recently via the console.

He executed the following commands:

User:console  logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20.20
User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual
User:console  logged command:set peer 20.20.20.20
exit   - then Loopback0, changed state to up
User:console  logged command:no access-list 199
User:console  logged command:no crypto map NiStTeSt1

The system restarted at that point. Some days after this I received the following suspect traffic on my logs, repeatedly (ongoing):

list permitted udp 10.240.96.1(67) > 255.255.255.255(68) 1 packet (or 12 or more, at intervals of between 2 and 10 minutes)

Since then there has been one more intrusion event, exactly the same commands, although I had changed the password on the console.

How do I sweep the router clean of any commands he left there, and, more importantly, how do I stop this guy from breaking in again?

The attacker would appear to be IP address 58.218.199.250; I have had portscans from this address frequently until recently, when that ceased and was replaced with the 10.240.96.1(67) > 255.255.255.255 traffic.

Any assistance would be gratefully appreciated. I have put a similar request in Security, other questions.
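A small triage helper for the kind of command log quoted above, added here as an example (it is not code from the original post or from Cisco): it parses IOS config-logger lines, flags commands typed by a user outside an expected list or matching a sensitive set, and reports which ACLs and crypto maps were created but never removed with a "no" command, which is the "what did he leave behind" question. The "%PARSER-5-CFGLOG_LOGGEDCMD:" syslog prefix and the user name netadmin are assumptions; the sample lines are constructed from the post.

```python
import re

# Constructed sample in the format quoted in the post; the "%PARSER-5-CFGLOG_LOGGEDCMD:"
# prefix is an assumption about the full syslog line, which the post does not show.
SAMPLE_LOG = """\
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:match address 199
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:set peer 20.20.20.20
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no access-list 199
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no crypto map NiStTeSt1
%PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:interface FastEthernet0
"""
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.+?)\s*$")
# Prefixes worth reviewing on sight: a new VPN peer or ACL typed at the console is not routine.
SENSITIVE_PREFIXES = ("crypto map", "set peer", "access-list", "match address")
# Objects that a later "no <command>" removes again; used to see what was left behind.
OBJECT_RE = re.compile(r"^(?P<neg>no )?(?P<kind>access-list|crypto map) (?P<name>\S+)")

def parse_logged_commands(text):
    """Return (user, command) for every config-logger line in text."""
    found = []
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            found.append((m.group("user"), m.group("cmd")))
    return found

def find_sensitive(text, expected_users=("netadmin",)):
    """Return (reason, user, command) for unexpected users or sensitive commands."""
    findings = []
    for user, cmd in parse_logged_commands(text):
        if user not in expected_users:
            findings.append(("unexpected user", user, cmd))
        elif cmd.startswith(SENSITIVE_PREFIXES):
            findings.append(("sensitive command", user, cmd))
    return findings

def leftover_objects(text):
    """ACLs and crypto maps created in the log and never removed with 'no ...'."""
    live = set()
    for _, cmd in parse_logged_commands(text):
        m = OBJECT_RE.match(cmd)
        if m:
            key = (m.group("kind"), m.group("name"))
            if m.group("neg"):
                live.discard(key)
            else:
                live.add(key)
    return sorted(live)
```

Run over the real syslog export, an empty result from leftover_objects only covers objects the logger saw; the running config still needs to be diffed against a known-good copy.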

2 Replies

ashley1234
Level 1

I meant 20.20.20.20, not five twenties. My other post was in 'Other Security subjects', and also I omitted to add the command: match address 199, to the list of commands he set.

Hi,

Why not just block that IP address from entering your network? ACLs on your firewalls can help. Also, you can look at some stronger authentication methods for the console than the one you are using at the moment.

Regards,

Prapanch