I'm reasonably certain it was exploited - the last MSG is related to the bug.
"Stack for process SMI IBC server process running low"

-----Original Message-----
From: Brandon Applegate [mailto:[email protected]]
Sent: Friday, March 16, 2018 2:28 PM
To: Nick Cutting <[email protected]>
Cc: cisco-nsp mailing list <[email protected]>
Subject: Re: [c-nsp] many 2960-X rebooting today

> On Mar 16, 2018, at 2:08 PM, Nick Cutting <[email protected]> wrote:
>
> Thanks we have disabled this now - It is in our new build script, these were
> rolled out a few months ago.
>
> I guess there is no way of seeing if this exploit was executed, perhaps in
> the crashdump somewhere?

I'm struggling to remember. I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.

The questions become:

- Are you syslogging out to a server that would have caught this?
- Is there any IP in there of where it was originated from?
- If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?

I guess the other thing I'd add - is if there's any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these. In other words, assume they have a copy of your config and act accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons. Only now are such things possible."

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
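Added example, not from anyone on the thread: a small Python triage script for the two checks Brandon suggests above. It pulls %SYS-5-CONFIG_I events (the "Configured from ... by ..." line IOS logs on a config change) out of syslog and extracts the originating IP where IOS appends one, and it inventories type 5 and type 7 secrets in a saved config, decoding the type 7 ones to show why "assume they have a copy of your config" means "assume they have those passwords". The syslog lines and the config snippet are constructed sample data; the function names are mine. Type 7 is the well-known reversible XOR obfuscation, not a hash, so the decoder is exact.

```python
"""Post-incident triage: who changed the config, and which stored secrets are
now burned if the config was read. Added example; not the thread's own code."""
import re
from typing import Dict, List, Optional

# The fixed key IOS uses for type 7 obfuscation. Each byte of the secret is
# XORed with key[(seed + i) % len(key)], where seed is the leading two digits.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Real IOS format: "... by <user> on vty0 (ip)" with AAA, "... by vty0 (ip)"
# without, and "... by console" for local changes (no IP at all).
CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<who>.+?)"
    r"(?: \((?P<ip>[^)]+)\))?\s*$"
)

# Only 5 and 7 are flagged; types 8/9 (PBKDF2/scrypt) are left alone.
WEAK_SECRET_RE = re.compile(r"\b(?P<kw>password|secret|key)\s+(?P<type>[57])\s+(?P<value>\S+)")

# Constructed sample data (documentation-range addresses, not real hosts).
SAMPLE_SYSLOG = [
    "Mar 16 13:41:02 sw-access-01 1234: *Mar 16 13:41:01.990: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (192.0.2.10)",
    "Mar 16 13:52:17 sw-access-01 1235: *Mar 16 13:52:16.101: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet1/0/3, changed state to down",
    "Mar 16 14:03:44 sw-access-01 1236: *Mar 16 14:03:43.500: %SYS-5-CONFIG_I: "
    "Configured from console by console",
]
SAMPLE_CONFIG = """\
hostname sw-access-01
username admin password 7 094F471A1A0A
enable secret 5 $1$k3Nd$constructedplaceholderhashXX
line vty 0 4
 password 7 060506324F41
 login
"""


def parse_config_events(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return every CONFIG_I event with its source, actor and remote IP (if any)."""
    events = []
    for line in lines:
        m = CONFIG_I_RE.search(line.rstrip())
        if m:
            events.append({"source": m.group("source"), "who": m.group("who"),
                           "ip": m.group("ip"), "raw": line})
    return events


def decode_type7(enc: str) -> str:
    """Reverse IOS type 7: two-digit seed, then hex of (byte ^ key byte)."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % enc)
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 0) -> str:
    """Forward direction, for round-trip checks; IOS itself picks seeds 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plain.encode()))
    return "%02d%s" % (seed, body.hex().upper())


def audit_config(config_text: str) -> List[Dict[str, object]]:
    """List every type 5/7 secret by config line; type 7 values are decoded."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = WEAK_SECRET_RE.search(line)
        if not m:
            continue
        if m.group("type") == "7":
            try:
                plain = decode_type7(m.group("value"))
            except ValueError:
                plain = None
            findings.append({"line": n, "type": 7, "keyword": m.group("kw"), "plaintext": plain})
        else:  # type 5 is md5crypt: not reversible here, but offline-crackable
            findings.append({"line": n, "type": 5, "keyword": m.group("kw"), "plaintext": None})
    return findings


if __name__ == "__main__":
    for ev in parse_config_events(SAMPLE_SYSLOG):
        print("config change from %s by %s ip=%s" % (ev["source"], ev["who"], ev["ip"]))
    for f in audit_config(SAMPLE_CONFIG):
        print("line %d: type %d %s -> %s" % (f["line"], f["type"], f["keyword"], f["plaintext"]))
```

Run it against the real syslog export and `show running-config` output instead of the samples; every IP the first function prints is a candidate for the abuse report, and every secret the second one lists should be rotated, type 5 included, since md5crypt is cheap to brute-force offline.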
