[Dshield] Router Rebootarama

Jenkins, Matthew mjenkins7 at fairmontstate.edu
Tue Apr 25 13:55:21 GMT 2006


Check for a crash dump on the router.  If you have a support contract,
Cisco may be able to analyze it for you.  I presume you are logging to
syslog.  Was there anything upon reboot in the logs indicating a crash?
We had a Cisco IOS blade center switch (somewhat like a Catalyst 2950)
crash due to an SNMP flaw.  Each time it would crash, it would log
information pertaining to the crash to the syslog server.  I have the
severity configured for informational.  I would think, however, that
crash information would have been reported up near error.

A question for others:  When Cisco devices are DOS due to IOS flaws, and
the device reboots, should you always see a crash dump?  Or are there
cases the device could crash and not generate a dump?

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Yahoo: mljenkins
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
Sent: Tuesday, April 25, 2006 7:10 AM
To: 'General DShield Discussion List'
Subject: [Dshield] Router Rebootarama

Hello All,

Last week we had an incident when I was on the road where one of our
(ancient) routers started rebooting at random. At first, I thought
it was the router simply starting to die. Now, I am beginning to
think otherwise. The router rebooted 14 times in a 7 hour period of
time. At first, the reboots were occurring rather rapidly, then slowed
to the point the last reboot was several hours after the previous
reboot. It has now been over a week and no more reboots. I should add
that we have full logging enabled, and the logs never showed any clue
why the router may have been rebooting.

Thus, I am beginning to suspect that the router was somehow attacked.
It is running IOS Version 12.1(5)YB3. All external interface ports on
the router are closed and access attempts to them are logged. The
internal interface on the router can be accessed from only a single
very restricted LAN IP and all access, successful or not, is also
logged.

Any idea what type of attack could cause such behavior?

TIA!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
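Matt's advice above (look at what the syslog server captured around each reboot, and at which severity it arrived) and Jon's description of the reboot pattern (14 restarts in 7 hours, rapid at first and then tailing off) both come down to the same triage step. The script below is an added example, not code from either poster: it parses Cisco-style syslog lines as a syslog server would have stored them, pulls out the restart markers, computes the gap between consecutive reboots, and lists any error-or-worse message logged shortly before each one. `%SYS-5-RESTART` and `%SYS-2-MALLOCFAIL` are real IOS message formats; the sample log lines, the host name `rtr1`, the 2006 year assumption (syslog timestamps carry no year) and the 300-second look-back window are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Cisco IOS messages carry a %FACILITY-SEVERITY-MNEMONIC tag; severity runs
# from 0 (emergency) to 7 (debug). Matt's point: crash output should land at
# 3 (error) or worse, so a server set to "informational" (6) will capture it.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "informational", "debug"]
ERROR_OR_WORSE = 3

# Syslog-server line: receive timestamp, host, then whatever IOS sent
# (optionally a sequence number and the router's own timestamp) up to the %tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample data, not the list's real router logs.
SAMPLE_LOG = """\
Apr 18 02:10:55 rtr1 101: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor
Apr 18 02:11:07 rtr1 102: %SYS-5-RESTART: System restarted --
Apr 18 02:11:09 rtr1 103: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Apr 18 02:19:40 rtr1 104: %SYS-5-RESTART: System restarted --
Apr 18 02:19:42 rtr1 105: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Apr 18 03:02:13 rtr1 106: %SYS-5-RESTART: System restarted --
Apr 18 06:40:30 rtr1 107: %SYS-5-RESTART: System restarted --
"""


def parse_line(line, year=2006):
    """Return a dict for one Cisco-style syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m["host"], "facility": m["facility"],
            "severity": int(m["severity"]), "mnemonic": m["mnemonic"],
            "text": m["text"]}


def parse_log(text, year=2006):
    """Parse every matching line; unparseable lines are dropped."""
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def restart_times(events):
    """Timestamps of %SYS-5-RESTART, which IOS logs on every (re)boot."""
    return [e["time"] for e in events
            if e["facility"] == "SYS" and e["mnemonic"] == "RESTART"]


def restart_intervals_seconds(times):
    """Seconds between consecutive restarts. A short-then-growing series is the
    'rapid at first, then slowing down' shape Jon reported."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def errors_before(events, when, window_seconds=300):
    """Messages at error (3) or worse logged in the window before a restart."""
    lo = when - timedelta(seconds=window_seconds)
    return [e for e in events
            if e["severity"] <= ERROR_OR_WORSE and lo <= e["time"] < when]


def summarize(text, year=2006, window_seconds=300):
    """Restart count, inter-restart gaps, and the error-band tags seen before each."""
    events = parse_log(text, year)
    times = restart_times(events)
    details = []
    for t in times:
        tags = [f"%{e['facility']}-{e['severity']}-{e['mnemonic']}"
                for e in errors_before(events, t, window_seconds)]
        details.append({"restart": t, "preceding_errors": tags})
    return {"restarts": len(times),
            "intervals_seconds": restart_intervals_seconds(times),
            "details": details}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['restarts']} restarts; gaps (s): {report['intervals_seconds']}")
    for d in report["details"]:
        print(d["restart"].isoformat(), d["preceding_errors"] or "no error-band messages")
```

A restart with nothing at severity 3 or worse in the window before it is the case Jon describes: the box came back up but left no clue why it went down. That is exactly when the crash dump (crashinfo) on the router itself, rather than the syslog stream, is the only evidence left, which is why Matt's first suggestion is to look there.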