[cisco-ttl] Re: router telnet access error

From: ozdensicim (ozdensicim_at_yahoo.com)
Date: Wed Feb 23 2005 - 17:54:49 EET


Hello. Thinking that it was not possible for the problem to be caused
by an attack, I applied what is written on the page about the bug. In
the end I solved the problem.

I noticed that, because of the bug, many previously made telnet
connections had been left hanging. I killed these as well, via SNMP.
The Cisco page about the bug describes what needs to be done (
http://www.cisco.com/warp/public/477/SNMP/fixTCPhang.html )...

Briefly, this is what I did:
1) I installed the SNMP program from http://www.net-snmp.org.
2) I found the hung TCP connections. (23 is the telnet port)

c:\>snmpgetnext -v 2c -c COMMUNITY_PUBLIC REMOTE_IP_ADD tcpConnState
TCP-MIB::tcpConnState.REMOTE_IP_ADD.23.PC_IP_ADD.PC_PORT = INTEGER: closeWait(8)

3) I terminated the connections. However, since many connections had
been left hanging, I repeated steps 2 and 3 many times.

c:\>snmpset -c COMMUNITY_PRIVATE -v 2c REMOTE_IP_ADD tcpConnState.REMOTE_IP_ADD.23.PC_IP_ADD.PC_PORT integer deleteTCB
TCP-MIB::tcpConnState.REMOTE_IP_ADD.23.PC_IP_ADD.PC_PORT = INTEGER: deleteTCB(12)

4) Afterwards, we can tell that the TCP connection has been killed by
looking at tcpConnState again.

C:\>snmpgetnext -v 2c -c COMMUNITY_PUBLIC REMOTE_IP_ADD tcpConnState
TCP-MIB::tcpConnState.REMOTE_IP_ADD.23.PC_IP_ADD.PC_PORT = INTEGER: closed(1)

Özden
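
Steps 2 to 4 of the message above, as an added example that is not part of the original post: it parses `snmpwalk` output for `tcpConnState`, keeps only the `closeWait` rows on local port 23, and builds the `snmpset` argument list for each one. The sample output, the documentation-range addresses and the helper names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed snmpwalk output for tcpConnState; addresses are documentation-range
# placeholders (assumptions), not values from the post.
SAMPLE_WALK = """\
TCP-MIB::tcpConnState.0.0.0.0.23.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.0.2.1.23.198.51.100.7.1045 = INTEGER: closeWait(8)
TCP-MIB::tcpConnState.192.0.2.1.23.198.51.100.7.1046 = INTEGER: established(5)
TCP-MIB::tcpConnState.192.0.2.1.23.198.51.100.9.3312 = INTEGER: closeWait(8)
TCP-MIB::tcpConnState.192.0.2.1.179.203.0.113.2.11002 = INTEGER: established(5)
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(
    rf"tcpConnState\.(?P<lip>{IP})\.(?P<lport>\d+)\.(?P<rip>{IP})\.(?P<rport>\d+)"
    r" = INTEGER: (?P<state>\w+)\((?P<code>\d+)\)"
)

class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str

    @property
    def index(self) -> str:
        # Row index of tcpConnState: local addr.port, then remote addr.port
        return f"{self.local_ip}.{self.local_port}.{self.remote_ip}.{self.remote_port}"

def parse_walk(text: str) -> list[Conn]:
    """Turn snmpwalk lines into Conn rows; lines that do not match are skipped."""
    return [Conn(m["lip"], int(m["lport"]), m["rip"], int(m["rport"]), m["state"])
            for m in map(ROW.search, text.splitlines()) if m]

def hung_telnet(conns: list[Conn], port: int = 23) -> list[Conn]:
    """Only half-closed sessions on the telnet port; live and listening rows stay."""
    return [c for c in conns if c.local_port == port and c.state == "closeWait"]

def snmpset_argv(conn: Conn, router: str, community: str) -> list[str]:
    """argv for the snmpset form used in the post; deleteTCB(12) is the only settable value."""
    return ["snmpset", "-v", "2c", "-c", community, router,
            f"tcpConnState.{conn.index}", "integer", "deleteTCB"]

if __name__ == "__main__":
    for c in hung_telnet(parse_walk(SAMPLE_WALK)):
        print(" ".join(snmpset_argv(c, "192.0.2.1", "COMMUNITY_PRIVATE")))
```

Filtering on `closeWait` leaves the administrator's own `established` telnet session and the `listen` row untouched, so only the stuck sessions are cleared.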

--- In cisco-ttl_at_yahoogroups.com, Serhat Uslay <serhat.uslay_at_z...> wrote:
>
> but we really need evidence showing that such an attack took place;
> maybe the router logs would help..
>
>
> Please respond to cisco-ttl_at_yahoogroups.com
>
> To: cisco-ttl_at_yahoogroups.com
> cc:
> Subject: Re: [cisco-ttl] Re: router telnet access error
>
>
>
> A quote from the advisory:
>
> "Exploitation and Public Announcements
>
> The Cisco PSIRT is aware of exploitation of this vulnerability and is
> recommending customers take action to protect themselves."
>
> Not as a virus or worm, but attacks that use this vulnerability have
> been detected.
>
> Ilker
>
> Serhat Uslay wrote:
> >
> > this was announced, but in practice I have not seen a virus or worm
> > that uses it..
> > Are you sure there was such an attack ??
> > Serhat
> >
> >
> > Please respond to cisco-ttl_at_yahoogroups.com
> >
> > To: cisco-ttl_at_yahoogroups.com
> > cc:
> > Subject: [cisco-ttl] Re: router telnet access error
> >
> > I found a bug on Cisco's site that I had not been able to find when
> > I looked earlier.
> > http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
> > Its description is available at that address.
> > Thanks.
> >
> > Ozden
> >
> > --- In cisco-ttl_at_yahoogroups.com, Serhat Uslay <serhat.uslay_at_z...> wrote:
> >
> >>I had seen this before but could not remember why it happens
> >>1) probably when the 4 available Telnet lines are full (sometimes
> >>session not cleared up properly !)...
> >>2) If there is a firewall between you and the router that blocks
> >>Telnet..
> >>
> >>Don't you have any way to reach the console, or the aux with a modem... ??
> >>
> >>Serhat
> >>
> >>
> >>
> >>Please respond to cisco-ttl_at_yahoogroups.com
> >>
> >>To: cisco-ttl_at_yahoogroups.com
> >>cc:
> >>Subject: [cisco-ttl] router telnet access error
> >>
> >>Hello, I used to be able to reach a Cisco 1760 router via telnet,
> >>but now I get the error "remote host not responding".
> >>Yet I can ping it and see it with "sh cdp ne". There is
> >>no access-list or anything like that for Telnet access on the
> >>router either. I don't think its lines are full, because
> >>when they are full it gives a different error message
> >>(Remote system refused the connection). It is running
> >>IPBASE 12.3(6b) IOS. I researched on Cisco's site; there are
> >>many bugs for this IOS, but I could not find any information
> >>about this problem. Does anyone have an idea what could
> >>cause the router to shut off telnet access out of the blue?
> >>Thanks,
> >>
> >>Özden Sicim
> >>
> >>
> >>
> >>This list has no affiliation with Cisco Systems.
> >>
> >>To leave the list, you can send an e-mail to
> >>cisco-ttl-unsubscribe_at_yahoogroups.com.
> >>Yahoo! Groups Links
> >>----
> >>This email is intended for the named recipient only. It may contain
> >>information which is confidential, commercially sensitive, or
> >>copyright. If you are not the intended recipient you must not
> >>reproduce or distribute any part of the email, disclose its contents,
> >>or take any action in reliance. If you have received this email in
> >>error, please contact the sender and delete the message. It is your
> >>responsibility to scan this email and any attachments for viruses and
> >>other defects.
> >>To the extent permitted by law, Zurich and its associates will not
> >>be liable for any loss or damage arising in any way from this
> >>communication including any file attachments. We may monitor email you
> >>send to us, either as a reply to this email or any email you send to
> >>us, to confirm our systems are protected and for compliance with
> >>company policies. Although we take reasonable precautions to protect
> >>the confidentiality of our email systems, we do not warrant the
> >>confidentiality or security of email or attachments we receive.
> >>
> >>[Non-text portions of this message have been removed]

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/cisco-ttl/

<*> To unsubscribe from this group, send an email to:
    cisco-ttl-unsubscribe_at_yahoogroups.com

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/
 



This archive was generated by hypermail 2.1.3 : Wed Feb 23 2005 - 17:57:57 EET