Incidents
0day linux 2.6 /dev/mem rootkit found Jul 11 2007 04:07PM
James E. Jones (ceriofag yahoo com) (1 replies)
Strange Cisco Router Logs Jul 20 2007 07:49PM
Radi Tzvetkov (radit logisticare com) (1 replies)
RE: Strange Cisco Router Logs Jul 22 2007 06:57PM
Dario Ciccarone (dciccaro) (dciccaro cisco com) (1 replies)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Radi:

Hi there. This is Dario Ciccarone from the Cisco PSIRT -
Product Security Incident Response Team.

Those messages are part of the autotest being performed on the
crypto accelerator during bootup. While they might look
worrisome to you, the fact that they are being printed/logged is
purely cosmetic and doesn't affect in any way normal device
operation.

If you still have additional questions, feel free to open a TAC
case. Information on how to contact TAC can be found at

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Thanks,
Dario

Dario Ciccarone <dciccaro (at) cisco (dot) com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

> -----Original Message-----
> From: Radi Tzvetkov [mailto:radit (at) logisticare (dot) com]
> Sent: Friday, July 20, 2007 3:50 PM
> To: incidents (at) securityfocus (dot) com
> Subject: Strange Cisco Router Logs
>
> Hello list,
>
> I had a power outage on one of my routers. After power came
> back the router logged the messages below. I know there was
> nobody on the console and there is no way for someone from the
> team to make the change. Has anyone seen something like it?
>
>
>
> *Jul 15 14:47:26.587: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Initialized
> *Jul 15 14:47:26.591: %VPN_HW-6-INFO_LOC: Crypto engine: aim 0 State changed to: Enabled sslinit fn
>
> *Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
> *Jul 15 14:47:29.779: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Disabled
> *Jul 15 14:47:31.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
> *Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> *Jul 15 14:47:31.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
> *Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
> *Jul 15 14:47:32.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
> *Jul 15 09:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:47:32 UTC Sun Jul 15 2007 to 09:47:32 EST Sun Jul 15 2007, configured from console by console.
> *Jul 15 10:47:32: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:47:32 EST Sun Jul 15 2007 to 10:47:32 EDT Sun Jul 15 2007, configured from console by console.
> *Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100101, changed state to down
> *Jul 15 10:47:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
> *Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console
> *Jul 15 10:47:37: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto map NiStTeSt1 10 ipsec-manual
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:match address 199
>
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:set peer 20.20.20.20
>
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:exit
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no access-list 199
> *Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no crypto map NiStTeSt1
> *Jul 15 10:47:38: %SYS-5-RESTART: System restarted --
> Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2007 by Cisco Systems, Inc.
> Compiled Tue 24-Apr-07 16:18 by prod_rel_team
> *Jul 15 10:47:38: %SNMP-5-COLDSTART: SNMP agent on host ROUTER is undergoing a cold start
>
> ----------------------------------------------------------
> Radi Tzvetkoff
> Network Engineer II
> Provado Technologies
> A Logisticare Company
> 503 Oak Place, Ste. 550
> Atlanta, GA 30349
> e-mail: radit (at) logisticare (dot) com
> tel: 800-486-7642 ext 493
> cell: 678-429-6880
> ----------------------------------------------------------
>
> -----Original Message-----
> From: James E. Jones [mailto:ceriofag (at) yahoo (dot) com]
> Sent: Wednesday, July 11, 2007 12:07 PM
> To: incidents (at) securityfocus (dot) com
> Subject: 0day linux 2.6 /dev/mem rootkit found
>
> I found one interesting tool on my server, with the
> name 'Boxer 0.99 BETA3'. It's protected by ELFuck
> linux executables obfuscator. Google doesn't know
> anything about it.
> Now, it is available at http://surfall.net/rel.tar.gz
> (ELFuck password: 'notdead')
> Anybody seen it before?

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRqOohIyVGB+6GuDwEQI2VwCfSKO5DhvRxBdltxNxhHZ349ShnbEAoNbH
Ykz2owEsdHpR/g/P9O077P2K
=eLMD
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!" - White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
------------------------------------------------------------------------
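Added example, not part of the original thread and not Cisco tooling: a small triage script for the pattern discussed above. It separates %PARSER-5-CFGLOG_LOGGEDCMD entries logged before %SYS-5-RESTART from later ones and checks that every access-list or crypto map created during boot was also removed. It assumes the input starts at power-up, as the quoted buffer does; the function name and sample lines are constructed for illustration.

```python
import re

# Constructed sample, modelled on the boot log quoted in the thread.
P = "*Jul 15 10:47:37: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:"
SAMPLE = "\n".join([
    "*Jul 15 10:47:37: %SYS-5-CONFIG_I: Configured from memory by console",
    P + "access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20",
    P + "crypto map NiStTeSt1 10 ipsec-manual",
    P + "match address 199",
    P + "set peer 20.20.20.20",
    P + "exit",
    P + "no access-list 199",
    P + "no crypto map NiStTeSt1",
    "*Jul 15 10:47:38: %SYS-5-RESTART: System restarted --",
])

CMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
# Top-level objects whose creation should be paired with a later "no ..." line.
OBJ = re.compile(r"^(access-list \S+|crypto map \S+)")

def triage(log_text):
    """Assumes log_text begins at power-up. Returns boot-time command stats,
    objects created at boot but never removed, and post-restart commands."""
    boot, later, seen_restart = [], [], False
    for line in log_text.splitlines():
        if "%SYS-5-RESTART" in line:
            seen_restart = True
            continue
        m = CMD.search(line)
        if m:
            entry = (m.group(1), m.group(2).strip())
            (later if seen_restart else boot).append(entry)
    created, removed = [], set()
    for _user, cmd in boot:
        negated = cmd.startswith("no ")
        m = OBJ.match(cmd[3:] if negated else cmd)
        if not m:
            continue
        if negated:
            removed.add(m.group(1))
        elif m.group(1) not in created:
            created.append(m.group(1))
    return {
        "boot_commands": len(boot),
        "leftover": [o for o in created if o not in removed],
        "non_console_boot_users": sorted({u for u, _ in boot if u != "console"}),
        "post_restart": later,
    }
```

An empty `leftover` list and no entries under `post_restart` match the self-cleaning boot-time pattern in the quoted log; anything else is worth a manual look at the running configuration.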
