Re: [c-nsp] many 2960-X rebooting today
We ran into this on 3750Xs back in July. Sometimes we saw this:

%PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!

c.f.: https://lists.gt.net/cisco/nsp/197344

There are links to Cisco's "response" on the matter ...

On 3/16/18 2:27 PM, Nick Cutting wrote:
> I'm reasonably certain it was exploited - the last MSG is related to the bug.
>
> "Stack for process SMI IBC server process running low"
>
> -----Original Message-----
> From: Brandon Applegate [mailto:bran...@burn.net]
> Sent: Friday, March 16, 2018 2:28 PM
> To: Nick Cutting <ncutt...@edgetg.com>
> Cc: cisco-nsp mailing list <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] many 2960-X rebooting today
>
> > On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
> >
> > Thanks we have disabled this now - It is in our new build script, these were
> > rolled out a few months ago.
> >
> > I guess there is no way of seeing if this exploit was executed, perhaps in
> > the crashdump somewhere?
>
> I’m struggling to remember. I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.
>
> The questions become:
>
> - Are you syslogging out to a server that would have caught this?
> - Is there any IP in there of where it was originated from?
> - If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?
>
> I guess the other thing I’d add - is if there’s any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these. In other words, assume they have a copy of your config and act accordingly.
>
> PS: This is all assuming it was an exploit like this in the first place.
>
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
> "For thousands of years men dreamed of pacts with demons. Only now are such things possible."
___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] many 2960-X rebooting today
I'm reasonably certain it was exploited - the last MSG is related to the bug.

"Stack for process SMI IBC server process running low"

-----Original Message-----
From: Brandon Applegate [mailto:bran...@burn.net]
Sent: Friday, March 16, 2018 2:28 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp mailing list <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] many 2960-X rebooting today

> On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
>
> Thanks we have disabled this now - It is in our new build script, these were
> rolled out a few months ago.
>
> I guess there is no way of seeing if this exploit was executed, perhaps in
> the crashdump somewhere?

I’m struggling to remember. I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.

The questions become:

- Are you syslogging out to a server that would have caught this?
- Is there any IP in there of where it was originated from?
- If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?

I guess the other thing I’d add - is if there’s any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these. In other words, assume they have a copy of your config and act accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Re: [c-nsp] many 2960-X rebooting today
> On Mar 16, 2018, at 2:08 PM, Nick Cutting wrote:
>
> Thanks we have disabled this now - It is in our new build script, these were
> rolled out a few months ago.
>
> I guess there is no way of seeing if this exploit was executed, perhaps in
> the crashdump somewhere?

I’m struggling to remember. I want to say you will see a %SYS-5-CONFIG - Configured from XXX by YYY message.

The questions become:

- Are you syslogging out to a server that would have caught this?
- Is there any IP in there of where it was originated from?
- If so - other than an abuse report to the respective ISP and blocking the IP - what can be done?

I guess the other thing I’d add - is if there’s any weak crypto (type 7, or even a weak type 5 etc.) passwords or keys in your config, you might want to change these. In other words, assume they have a copy of your config and act accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons. Only now are such things possible."
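An added example (not code from the thread or from any of its posters) that does the syslog check Brandon describes: it scans exported switch syslog for the %SYS-5-CONFIG_I "Configured from ... by ..." message, pulls out the originating address, and flags any switch that also logged the SMI stack-low or crash messages named earlier in the thread. The sample log lines, hostnames and addresses are constructed, and the exact %SYS-3-STACKLOW line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 16 12:40:01 192.0.2.10 1234: Mar 16 17:40:01.101: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.45)
Mar 16 12:40:03 192.0.2.10 1235: Mar 16 17:40:03.220: %SYS-3-STACKLOW: Stack for process SMI IBC server process running low, 0/6000
Mar 16 12:40:05 192.0.2.10 1236: Mar 16 17:40:05.002: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
Mar 16 13:02:11 192.0.2.11 0877: Mar 16 18:02:11.500: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.7)
Mar 16 13:05:00 192.0.2.12 0412: Mar 16 18:05:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
"""

# The config-change message with or without an AAA username; the trailing (ip) is the remote peer.
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?:(?P<user>\S+) on )?(?P<line>\S+)(?: \((?P<ip>[\d.]+)\))?"
)
# The two messages the thread associates with the Smart Install problem.
INDICATORS = {
    "smi_stack_low": re.compile(r"Stack for process SMI IBC server process running low"),
    "crash": re.compile(r"%PLATFORM-1-CRASHED"),
}
# Relay header: "Mon DD HH:MM:SS <reporting host> ..."
HOST_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) ")


def triage(log_text):
    """Group findings per switch: config changes (with originating IP) and SMI/crash indicators."""
    findings = defaultdict(lambda: {"config_changes": [], "indicators": []})
    for line in log_text.splitlines():
        host_m = HOST_RE.match(line)
        if not host_m:
            continue
        host = host_m.group("host")
        cfg = CONFIG_RE.search(line)
        if cfg:
            findings[host]["config_changes"].append(
                {"user": cfg.group("user"), "line": cfg.group("line"), "ip": cfg.group("ip")}
            )
        for name, pat in INDICATORS.items():
            if pat.search(line):
                findings[host]["indicators"].append(name)
    return dict(findings)


def suspicious_hosts(findings):
    """Switches with an SMI/crash indicator alongside a config change are the ones to examine first."""
    return sorted(h for h, f in findings.items() if f["indicators"] and f["config_changes"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host in suspicious_hosts(result):
        ips = {c["ip"] for c in result[host]["config_changes"]}
        print(f"{host}: indicators={result[host]['indicators']} config-change sources={ips}")
```

The extracted peer address is what you would take to an abuse report or an ACL, as the thread suggests, while the config-change record tells you which devices to treat as having had their configuration read.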
Re: [c-nsp] many 2960-X rebooting today
Thanks we have disabled this now - It is in our new build script, these were rolled out a few months ago.

I guess there is no way of seeing if this exploit was executed, perhaps in the crashdump somewhere?

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brandon Applegate
Sent: Friday, March 16, 2018 1:19 PM
To: cisco-nsp mailing list <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] many 2960-X rebooting today

> On Mar 16, 2018, at 12:49 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
>
> Anyone seen a number of internet facing 2960-X switches restart today?
>
> We have had 3 different clients, 6 different switches all reboot today.
>
> No uptime in common, no code version in common.
>
> One of them has WS-C2960X-24TS-L - Version 15.2(2)E6
>
> The only thing they do have in common is that they have internet IP addresses
> for MGT - with SSH allowed, locked down to certain public IP's.
>
> Just wondering if this may be the execution of an exploit by a baddie.
>
> Nick

I haven’t - but the first thing that popped into my head was:

https://github.com/Sab0tag3d/SIET

You might want to scan/nmap your switches. I know some folks that got hit with this last year.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Re: [c-nsp] many 2960-X rebooting today
> On Mar 16, 2018, at 12:49 PM, Nick Cutting wrote:
>
> Anyone seen a number of internet facing 2960-X switches restart today?
>
> We have had 3 different clients, 6 different switches all reboot today.
>
> No uptime in common, no code version in common.
>
> One of them has WS-C2960X-24TS-L - Version 15.2(2)E6
>
> The only thing they do have in common is that they have internet IP addresses
> for MGT - with SSH allowed, locked down to certain public IP's.
>
> Just wondering if this may be the execution of an exploit by a baddie.
>
> Nick

I haven’t - but the first thing that popped into my head was:

https://github.com/Sab0tag3d/SIET

You might want to scan/nmap your switches. I know some folks that got hit with this last year.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons. Only now are such things possible."
[c-nsp] many 2960-X rebooting today
Anyone seen a number of internet facing 2960-X switches restart today?

We have had 3 different clients, 6 different switches all reboot today.

No uptime in common, no code version in common.

One of them has WS-C2960X-24TS-L - Version 15.2(2)E6

The only thing they do have in common is that they have internet IP addresses for MGT - with SSH allowed, locked down to certain public IP's.

Just wondering if this may be the execution of an exploit by a baddie.

Nick