Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Has someone in Asia exploited Cisco

  • From: J. Oquendo
  • Date: Thu Sep 01 09:08:58 2005


After doing some logfile analysis briefly yesterday, I noticed what seems
to be some form of bot, worm, something, searching for what could seem to
point to a Cisco exploitation of sorts. (http://tinyurl.com/df9d8)

All the hosts who've tried searching for the string are coming from APNIC.
So I'm wondering... Has someone taken Michael Lynn's paper "Holy Grail"
and produced a "DaVinci Code" to exploit the flaws Lynn spoke of...

Code snippet below is of "cisco_scanner.c" which searches for the same
particular /level/16/exec/-///pwd string however the code can be modified
(obviously) and a search turns up less than one page of results on Google.
Author's page seems to be gone like the wind... Anyhow.


# grep "/level/16/exec/-///" access_log |awk '{print $1,"\t\t"$7}'
58.236.50.75            /level/16/exec/-///pwd
221.141.168.137         /level/16/exec/-///pwd
221.138.93.31           /level/16/exec/-///pwd
218.53.244.16           /level/16/exec/-///pwd
222.232.84.34           /level/16/exec/-///pwd
222.238.128.14          /level/16/exec/-///pwd
218.50.74.189           /level/16/exec/-///pwd
218.239.26.42           /level/16/exec/-///pwd
218.232.83.18           /level/16/exec/-///pwd
211.208.254.67          /level/16/exec/-///pwd

whois.apnic.net $ABOVE_HOSTS


Code snippet...

/*
        Multi-thread Cisco HTTP vulnerable scanner v0.2
		by Inode
*/

#define HTTP_REQUEST "GET /level/16/exec/-///pwd  HTTP/1.0\n\n"

So now I have yet another mod_security rule added ;)

SecFilterSelective THE_REQUEST "/level/16" "redirect:http://www.cisco.com"

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

It is much easier to suggest solutions when you know nothing
about the problem. -- Niklaus Wirth
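
Added example, not part of the original post or of the scanner it quotes: the grep/awk one-liner from the message extended into a per-source summary that also records how the server answered each probe. The sample log lines are constructed, the function names are hypothetical, and matching any numeric level rather than only 16 is an assumption.

```shell
#!/bin/sh
# Added example: per-source summary of Cisco IOS HTTP exec-path probes
# in an Apache access log (common/combined log format assumed).

# Constructed sample lines; addresses are from documentation ranges.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [01/Sep/2005:03:12:44 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [01/Sep/2005:03:12:45 -0400] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 291 "-" "-"
198.51.100.23 - - [01/Sep/2005:03:40:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [01/Sep/2005:03:41:17 -0400] "GET /docs/level/16/exec/notes.html HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.99 - - [01/Sep/2005:04:01:10 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 302 210 "-" "-"
EOF
}

# Reads log files given as arguments, or stdin when none are given.
# Output (tab separated): source, hits, status codes returned, first seen, last seen.
cisco_probe_summary() {
    cat -- "$@" | awk '
    # $7 is the request path. Any numeric level is matched (assumption),
    # anchored at the start so unrelated URLs containing the text are skipped.
    $7 ~ /^\/level\/[0-9]+\/exec\// {
        ip = $1; ts = substr($4, 2)          # drop the leading "[" of the timestamp
        hits[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
        if (!((ip, $9) in seen)) {           # collect each status code once per source
            seen[ip, $9] = 1
            codes[ip] = (codes[ip] == "" ? "" : codes[ip] ",") $9
        }
    }
    END {
        for (ip in hits)
            printf "%s\t%d\t%s\t%s\t%s\n", ip, hits[ip], codes[ip], first[ip], last[ip]
    }' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}
```

Run it as `cisco_probe_summary access_log`. A 2xx code in the third column means the server returned content for the path, so those sources are the ones to look at first.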



