> On Mar 16, 2018, at 2:08 PM, Nick Cutting <[email protected]> wrote:
> 
> Thanks we have disabled this now - It is in our new build script, these were 
> rolled out a few months ago.
> 
> I guess there is no way of seeing if this exploit was executed, perhaps in 
> the crashdump somewhere?

I’m struggling to remember.  I want to say you will see a %SYS-5-CONFIG - 
Configured from XXX by YYY message.

The questions become:

- Are you syslogging out to a server that would have caught this?
- Is there any IP in there of where it was originated from?
  - If so - other than an abuse report to the respective ISP and blocking
    the IP - what can be done?

I guess the other thing I’d add - is if there’s any weak crypto (type 7, or 
even a weak type 5 etc.) passwords or keys in your config, you might want to 
change these.  In other words, assume they have a copy of your config and act 
accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
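
Added example, not part of the original message or of any Cisco tooling: a triage script for the two checks raised above, listing "Configured from X by Y" syslog events that cannot be tied to a known management address, and listing type 7 / type 5 credential lines in a saved config so they can be rotated. The management range, the sample log and config lines, and the exact message layout (the `_I` suffix and the trailing "(address)") are assumptions made for this example.

```python
import ipaddress
import re

# Assumption: only these addresses may configure the device (constructed range).
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]
CONFIG_EVENT = re.compile(r"%SYS-5-CONFIG\w*:\s*Configured from (\S+)(?: by (\S+))?")
PAREN_IP = re.compile(r"\(([0-9A-Fa-f:.]+)\)\s*$")  # trailing "(address)", if any
# Credential lines such as "password 7 ...", "secret 5 ...", "key 7 ...".
CRED = re.compile(r"\b(password|secret|key(?:-string)?)\s+([57])\s+\S+")

def unexpected_config_events(syslog_lines):
    """Return (source, user, ip) for config events not tied to MGMT_NETS."""
    hits = []
    for line in syslog_lines:
        event = CONFIG_EVENT.search(line)
        if not event:
            continue
        ip_match = PAREN_IP.search(line)
        ip = ip_match.group(1) if ip_match else None
        try:
            trusted = ip is not None and any(
                ipaddress.ip_address(ip) in net for net in MGMT_NETS)
        except ValueError:
            trusted = False
        if not trusted:  # unknown or missing source: keep for manual review
            hits.append((event.group(1), event.group(2), ip))
    return hits

def credentials_to_rotate(config_text):
    """Return (line_no, keyword, type) for every type 7 / type 5 credential."""
    found = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = CRED.search(line)
        if match:
            found.append((line_no, match.group(1), int(match.group(2))))
    return found

# Constructed sample data, not taken from any real device.
SAMPLE_LOG = [
    "Mar 16 14:01:02 rtr1 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.5)",
    "Mar 16 14:07:44 rtr1 102: %SYS-5-CONFIG_I: Configured from tftp://198.51.100.7/x by console",
    "Mar 16 14:09:10 rtr1 103: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
]
SAMPLE_CONFIG = """enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE000
username ops password 7 0000000000
line vty 0 4
 password 7 1111111111"""
```

Run it against the syslog server's copy of the logs rather than the device's local buffer, since the local buffer may have been cleared or overwritten.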


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/