Incidents
0day linux 2.6 /dev/mem rootkit found Jul 11 2007 04:07PM
James E. Jones (ceriofag yahoo com) (1 replies)
Strange Cisco Router Logs Jul 20 2007 07:49PM
Radi Tzvetkov (radit logisticare com) (1 replies)
Hello list,

I had a power outage on one of my routers. After power came back, the
router logged the messages below. I know there was nobody on the console,
and there is no way someone from the team could have made the change. Has
anyone seen something like this?

*Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State
changed to: Initialized
*Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State
changed to: Enabled sslinit fn

*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0
State changed to: Initialized
*Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0
State changed to: Disabled
*Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface
VoIP-Null0, changed state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed
state to up
*Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed
state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to up
*Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
*Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from
14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured
from console by console.
*Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from
09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured
from console by console.
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Tunnel100101, changed state to down
*Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0,
changed state to up
*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
*Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed;
beginning operation.
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:match address 199

*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:set peer 20.20.20.20

*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:exit
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged
command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 24-Apr-07 16:18 by prod_rel_team
*Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is
undergoing a cold start

----------------------------------------------------------
Radi Tzvetkoff
Network Engineer II
Provado Technologies
A Logisticare Company
503 Oak Place, Ste. 550
Atlanta, GA 30349
e-mail: radit (at) logisticare (dot) com [email concealed]
tel: 800-486-7642 ext 493
cell: 678-429-6880
----------------------------------------------------------

-----Original Message-----
From: James E. Jones [mailto:ceriofag (at) yahoo (dot) com [email concealed]]
Sent: Wednesday, July 11, 2007 12:07 PM
To: incidents (at) securityfocus (dot) com [email concealed]
Subject: 0day linux 2.6 /dev/mem rootkit found

I found one interesting tool on my server, with the
name 'Boxer 0.99 BETA3'. It's protected by the ELFuck
Linux executable obfuscator. Google doesn't know
anything about it.
Now, it is available at http://surfall.net/rel.tar.gz
(ELFuck password: 'notdead')
Anybody seen it before?
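An added example, not part of either post: a small Python audit of %PARSER-5-CFGLOG_LOGGEDCMD lines of the kind quoted above. It pairs each "no ..." with the object it removes, so a burst of console commands that creates crypto map NiStTeSt1 and access-list 199 and tears them down again within the same second, one second before %SYS-5-RESTART, is reported as a transient boot-time change rather than as a surviving configuration edit (this create-and-remove of NiStTeSt1 is the trace the IOS crypto engine's start-up self-test leaves, not a person at the console). The names BOOT_LOG, parse, object_key and audit_config_log are mine; BOOT_LOG is constructed from the quoted lines with the mail wrapping undone.

```python
import re
from datetime import datetime
# Constructed sample: the CFGLOG and restart lines quoted in the post, re-joined onto single lines.
BOOT_LOG = """\
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
"""
LINE_RE = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %[A-Z0-9_]+-\d-([A-Z0-9_]+): (.*)$")
CMD_RE = re.compile(r"User:(\S+) logged command:(.*)$")
OBJECT_PREFIXES = {"access-list": 2, "crypto map": 3}  # global objects -> key length in words

def parse(text):
    # Yield (timestamp, mnemonic, message); IOS omits the year, strptime defaults it.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)

def object_key(cmd):
    # Object a global-mode command creates/removes; None for sub-mode lines (match/set/exit).
    for prefix, n in OBJECT_PREFIXES.items():
        if cmd.startswith(prefix + " "):
            return " ".join(cmd.split()[:n])
    return None

def audit_config_log(text, window_seconds=30):
    # created: objects still present at the end; transient: created and removed in the same log;
    # removed: pre-existing objects removed; near_boot: burst within window_seconds of SYS-5-RESTART.
    live, transient, removed, restart_ts, first_cmd = {}, [], [], None, None
    for ts, mnem, msg in parse(text):
        restart_ts = ts if mnem == "RESTART" else restart_ts
        if mnem != "CFGLOG_LOGGEDCMD":
            continue
        _user, cmd = CMD_RE.search(msg).groups()
        first_cmd = first_cmd or ts
        is_no = cmd.startswith("no ")
        key = object_key(cmd[3:] if is_no else cmd)
        if key is None:
            continue
        if not is_no:
            live[key] = cmd
        elif live.pop(key, None) is not None:
            transient.append(key)
        else:
            removed.append(key)
    near_boot = bool(restart_ts and first_cmd) and abs((restart_ts - first_cmd).total_seconds()) <= window_seconds
    return {"created": sorted(live), "transient": transient, "removed": removed, "near_boot": near_boot}
```

Run against the post's lines it returns no created objects, both objects as transient and near_boot True; the same commands logged for a named user hours away from any restart would instead show up under created or removed.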

RE: Strange Cisco Router Logs Jul 22 2007 06:57PM
Dario Ciccarone (dciccaro) (dciccaro cisco com) (1 replies)