ISC reader Nick contacted us to share information about an Internet router at his workplace that got hacked this weekend. There are several nuggets to learn from in this story, so here goes.
3/28/2009 8:34:02 Authen OK test
A successful login by a user "test" is definitely not a welcome sight in the TACACS authentication log of an Internet router. And the commands that follow are a clear indication that something sinister is going on. We have known since Cliff Stoll's experience (The Cuckoo's Egg) that somebody who needs to constantly look over his shoulder while connected, issuing the "who" command to check whether anyone else is logged in, isn't up to any good.
At this time though, Nick's firm didn't know this yet ... And the command log continues
3/28/2009 8:38:38 test Default Group show configuration <cr>
Whoa! The bad guy is not wasting any time. Barely five minutes after connecting, and he has configured a network tunnel back to his home base.
3/28/2009 8:47:23 test Default Group configure terminal <cr>
As a next step, the bad guy changes the locally configured passwords. On its own this doesn't make much of a difference, since the local accounts are only consulted when the central TACACS server is unreachable; it does, however, hand him a fallback login should TACACS ever go down. While the hacker shows quite some familiarity with setting up an IP tunnel on a Cisco router, he doesn't seem to fully grasp the significance of the TACACS entries in the configuration: with command accounting enabled, every command he types is shipped off the router to the TACACS server as he types it, and all of it gets recorded.
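The accounting trail is only useful if somebody looks at it. The following is an added example, not code from the diary or from Nick's shop, of the kind of check that would have fired while the attacker was still logged in: it parses TACACS+ accounting lines in the same column layout as the excerpt above and flags a login by an account that is not on the admin list, every command such an account runs, and tunnel or local-credential changes by anyone. The sample log is constructed; the "who", tunnel and username lines stand in for the activity the diary describes, and ALLOWED_USERS is an assumed admin roster.

```python
import re
from datetime import datetime

# Constructed sample in the column layout of the TACACS+ accounting excerpt in
# the diary (date time user group command <cr>). The "who", tunnel and username
# lines are assumptions standing in for the activity the diary describes, not
# the real log; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
3/28/2009 8:34:02 Authen OK test
3/28/2009 8:34:40 test Default Group who <cr>
3/28/2009 8:38:38 test Default Group show configuration <cr>
3/28/2009 8:39:10 test Default Group configure terminal <cr>
3/28/2009 8:39:25 test Default Group interface Tunnel0 <cr>
3/28/2009 8:39:40 test Default Group tunnel destination 192.0.2.10 <cr>
3/28/2009 8:47:23 test Default Group configure terminal <cr>
3/28/2009 8:47:50 test Default Group username admin secret <redacted> <cr>
3/28/2009 9:00:05 rancid Default Group show running-config <cr>
"""

# Assumption: the only accounts that should ever touch this router.
ALLOWED_USERS = {"nick", "rancid"}

AUTH_RE = re.compile(r"^(\S+ \S+) Authen (OK|FAIL) (\S+)$")
# Assumption: the ACS group name is the literal "Default Group" or a single token.
CMD_RE = re.compile(r"^(\S+ \S+) (\S+) (?:Default Group|\S+) (.+?) <cr>$")

# (pattern, reason, always_alert): always_alert rules fire even for allowed
# users, because a tunnel or credential change deserves a look regardless.
RULES = [
    (re.compile(r"^who\b"), "session check (looking over his shoulder)", False),
    (re.compile(r"^show (running-config|configuration)\b"), "full config read", False),
    (re.compile(r"^configure terminal\b"), "entered config mode", False),
    (re.compile(r"^interface tunnel", re.I), "tunnel interface configured", True),
    (re.compile(r"^tunnel (source|destination|mode)\b"), "tunnel endpoint set", True),
    (re.compile(r"^(username|enable (secret|password))\b"), "local credential change", True),
]

def parse(lines):
    """Yield (timestamp, kind, user, text) for authentication and command records."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, "auth", m.group(3), m.group(2)
            continue
        m = CMD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, "cmd", m.group(2), m.group(3)

def analyze(lines, allowed=ALLOWED_USERS):
    """Return a list of (timestamp, user, reason) alerts."""
    alerts = []
    for ts, kind, user, text in parse(lines):
        known = user in allowed
        if kind == "auth":
            if text == "OK" and not known:
                alerts.append((ts, user, "successful login by unexpected account"))
            continue
        for pat, reason, always in RULES:
            if pat.match(text) and (always or not known):
                alerts.append((ts, user, reason))
                break
    return alerts

def minutes_login_to_config(lines, user):
    """Minutes from the user's successful login to his first 'configure terminal'."""
    login = None
    for ts, kind, who, text in parse(lines):
        if who != user:
            continue
        if kind == "auth" and text == "OK" and login is None:
            login = ts
        elif kind == "cmd" and login and text.startswith("configure terminal"):
            return (ts - login).total_seconds() / 60
    return None

if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:8} {reason}")
    print("minutes to first config change:",
          minutes_login_to_config(SAMPLE_LOG.splitlines(), "test"))
```

Fed a live accounting feed instead of the constructed sample, the first alert fires on the "Authen OK test" line, a good quarter of an hour before the RANCID run in this story; the legitimate RANCID pull of the running config at 09:00 stays quiet because that account is on the roster and a config read is not one of the always-alert rules.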
At 08:52 the bad guy logs off, and Nick's firm is still completely unaware that their perimeter router has just been subverted. But not for long: at 09:00 their RANCID job (Really Awesome New Cisco confIg Differ) kicks in, pulls the current configuration off the router, compares it with the "last known good" copy in its repository, and immediately e-mails the changes to the network admin. Luckily, the admin understands the significance of what he sees right away and alerts the incident response team. A while later the "test" user is removed, the config is cleaned up again, and the bad guy is locked out.
Nick's own "lessons learned" that he shared with us are:
- Disable outside management of Internet routers unless 100% required
To which we at SANS ISC would like to add our own:
- What saved the day here is the use of RANCID, which acted like a trip wire. Something the bad guy clearly didn't expect.
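To make the trip-wire idea concrete, here is an added example of the diff-and-triage step in Python. It is not RANCID's own code (RANCID is a Perl tool that keeps configs in a version-control repository and mails plain diffs); it shows the same comparison of a stored "last known good" config against a freshly pulled one, and adds a severity tag so that a new tunnel interface or a changed local credential stands out from routine edits. Both configs are constructed IOS snippets, and the HIGH_RISK stanza list is an assumption to be tuned per site.

```python
import difflib
import re

# Constructed IOS snippets, not Nick's real configs. BASELINE plays the
# "last known good" copy held in the repository; CURRENT is the freshly
# pulled config containing the kind of change the diary describes.
BASELINE = """\
hostname edge-rtr
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret 5 $1$old$hashhashhashhash
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
line vty 0 4
 access-class 10 in
 transport input ssh
"""

CURRENT = """\
hostname edge-rtr
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret 5 $1$new$hashhashhashhash
interface Tunnel0
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Stanzas whose addition, removal or change should page someone rather than
# just land in a diff mail. Assumed list; extend to taste.
HIGH_RISK = [re.compile(p) for p in (
    r"^interface Tunnel",
    r"^\s*tunnel (source|destination|mode)\b",
    r"^username ",
    r"^enable (secret|password)\b",
    r"^aaa ",
    r"^\s*transport input\b",
    r"^\s*access-class\b",
    r"^ip route\b",
    r"^snmp-server\b",
)]

def config_changes(old, new):
    """Return [(sign, line)] for added ('+') and removed ('-') config lines."""
    changes = []
    # n=0: no context lines, only what actually changed.
    for d in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0):
        if d.startswith(("+++", "---", "@@")):
            continue  # file and hunk headers
        if d[0] in "+-":
            changes.append((d[0], d[1:]))
    return changes

def triage(old, new):
    """Tag each changed line 'high' if it touches a risky stanza, else 'info'."""
    return [(sign, line, "high" if any(p.match(line) for p in HIGH_RISK) else "info")
            for sign, line in config_changes(old, new)]

def tripwire_report(old, new):
    """Body of the alert mail; an empty string means the config is unchanged."""
    rows = triage(old, new)
    if not rows:
        return ""
    high = sum(1 for _, _, sev in rows if sev == "high")
    out = [f"{len(rows)} changed line(s), {high} high-risk"]
    out += [f"[{sev:4}] {sign}{line}" for sign, line, sev in rows]
    return "\n".join(out)

if __name__ == "__main__":
    print(tripwire_report(BASELINE, CURRENT))
```

The value of the trip wire comes from where the baseline lives: the repository sits on a host the attacker does not control, so his edits on the router cannot also rewrite the copy they are compared against. Run it on a schedule, as Nick's firm did, and the window between compromise and alert is bounded by the polling interval.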
Thanks to Nick for sharing the logs and information about the attack!
Mar 30th 2009
Noticed this in my logs this morning...
Apr/21/2002 09:05:44 TWINGE ATTACK Detect Packet Dropped
Apr/21/2002 09:05:43 TWINGE ATTACK Detect Packet Dropped
Apr/17/2002 12:12:13 TWINGE ATTACK Detect Packet Dropped
Apr/17/2002 12:01:16 TWINGE ATTACK Detect Packet Dropped
Apr/17/2002 11:50:20 TWINGE ATTACK Detect Packet Dropped
Apr/17/2002 11:39:23 TWINGE ATTACK Detect Packet Dropped
So far only the two attempts, but I've never heard of a Twinge before. Nothing in my logs though referring to what Nick had, yet...
Apr 1st 2009