OT: Win32 app to read/interpret tcpdump file [7:1568]

2001-04-23 Thread Jason J. Roysdon

I can tie this slightly on topic, but it's really not (but no doubt someone
here will know).  I've got a box that was hacked yesterday (not a box I
admin or even have passwords to, but one on my network).  Someone is using
it for a drop box for ftp.  For now, I've just killed everything with
blocking incoming ftp and outgoing ftp-data to the box until the clueless
admin can fix it (same CCNA I've complained about before).  Oh, get this,
this same clueless CCNA was told by a customer last week that they didn't
want to talk to him anymore when he argued with them when the customer asked
for the speed and number their ISDN router was calling, and he told them
ISDN doesn't dial.  I smoothed it all over and solved it (PBI/SBC had lost
their password and was rejecting login).

I've got my own personal linux box on which I've saved some raw tcpdump
captures of the transfers (just after I remove the ACL block and see a few logins
occur), but I don't have anything that can view it intelligently.  Sniffer
Pro just says it's a file format it doesn't recognize (if I could get
Sniffer Pro on the subnet, I could solve this real easy, but I don't feel
like driving in to solve a problem that's not mine).  So, what I want to see
is the actual ftp (tcp/21) session info (how they are logging in, where they
are going and what they are downloading).  From what I can tell in the
gibberish file, it looks like they're logging in anonymously and going to
vti_cfg and downloading vti_log from somewhere, and possibly something with
local drives (c, d, e, etc.).  Got me, but I figure I should solve as much
of this as I can before this clueless admin gets into the box and wipes out
the evidence without knowing it.  Anyone have a Win32 app that can read
tcpdump raw capture files?

Oh, I noticed this as all of our T1s outgoing bandwidth was locked solid at
189K as of last night.  It all came from a single ethernet interface, and I
know there are only 5 devices on that subnet (2 nameservers I maintain, my
personal linux box, pix firewall, and this stupid iis box that this admin
refuses to put behind the pix saying he has it secure.  Hehee, guess where
that box will be by the end of tomorrow?).

Here's my on-topic tie-in explaining what I blocked, for all those wanting to
learn about ACLs!
e0/0 is where the hacked box is; the serial ports go out to our different
ISPs (also, this shows how to add/modify an ACL without locking yourself
out, in other words, remove it from the interfaces first, then modify, then
re-apply it):

int s0/1
 no ip access-group 199 in
int s1/1
 no ip access-group 199 in
int s1/2
 no ip access-group 199 in
no access-list 199
!
! let my box in
access-list 199 permit tcp host 63.206.176.163 host 207.92.43.210 eq ftp
access-list 199 deny tcp any host 207.92.43.210 eq ftp
! I used this at first to just kill it all:
! access-list 199 deny tcp any host 207.92.43.210
access-list 199 permit ip any any
!
int s0/1
 ip access-group 199 in
int s1/1
 ip access-group 199 in
int s1/2
 ip access-group 199 in

int e0/0
 no ip access-group 198 in
no access-list 198
! let my box in
access-list 198 permit tcp host 207.92.43.210 eq ftp-data host 63.206.176.163
access-list 198 deny tcp host 207.92.43.210 eq ftp-data any
access-list 198 permit ip any any
int e0/0
 ip access-group 198 in


--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1568&t=1568
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
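For anyone who wants to pull the tcp/21 session details (login, CWD, RETR) out of a raw tcpdump capture without a GUI, here is an added Python example, not code from the original post or from any of the tools mentioned in it: a minimal libpcap walker that assumes Ethernet link type, IPv4 and no TCP reassembly, and runs against a small constructed capture embedded inline (the client address 10.0.0.5 and the anonymous password are made up; the server address is the box from the post).

```python
import struct

# Constructed sample capture (not a real tcpdump file): an anonymous FTP login
# that changes into vti_cfg and fetches vti_log, wrapped as Ethernet/IPv4/TCP.
CLIENT, SERVER = bytes([10, 0, 0, 5]), bytes([207, 92, 43, 210])  # client IP is made up

def _packet(payload, sport, dport, src=CLIENT, dst=SERVER):
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp + payload

def _pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 988000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

SAMPLE_PCAP = _pcap([
    _packet(b"USER anonymous\r\n", 40001, 21),
    _packet(b"PASS guest@\r\n", 40001, 21),
    _packet(b"CWD vti_cfg\r\n", 40001, 21),
    _packet(b"RETR vti_log\r\n", 40001, 21),
    _packet(b"150 Opening data connection\r\n", 21, 40001, SERVER, CLIENT),  # server reply
])

def ftp_commands(pcap, port=21):
    """Return (src, dst, line) for each client line sent to the FTP control port."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # record headers follow the file's byte order
    off, found = 24, []  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:  # TCP only, full TCP header present
            continue
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset is in 32-bit words
        if dport == port and payload:
            for line in payload.decode("ascii", "replace").splitlines():
                if line.strip():
                    found.append((src, dst, line.strip()))
    return found
```

Point it at a real file with `ftp_commands(open("capture.pcap", "rb").read())`; passing the ftp-data port instead of 21 lists what was sent to that port in the same way.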



Re: Win32 app to read/interpret tcpdump file [7:1568]

2001-04-23 Thread Mike Taylor

> the evidence without knowing it.  Anyone have a Win32 app that can read
> tcpdump raw capture files?


Try http://www.ethereal.com




Re: Win32 app to read/interpret tcpdump file [7:1568]

2001-04-23 Thread Jason J. Roysdon

Very cool, worked like a charm.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/



Mike Taylor wrote in message news:[EMAIL PROTECTED]...
> > the evidence without knowing it.  Anyone have a Win32 app that can read
> > tcpdump raw capture files?
>
> Try http://www.ethereal.com
