Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Has someone in Asia exploited Cisco

  • From: Robert Guess
  • Date: Thu Sep 01 09:28:42 2005

Offhand, I would be tempted to say it is the activity of a not
exceedingly competent attacker trying to exploit a very old bug. The
sender is probing for the HTTP Authentication Bypass Issue from June 27

Original Advisory 

Malicious request:  http://<device_addres>/level/16/exec/ 

Analyze the timing and source of log events to determine if it is an
automated issue. 

Robert Guess
Assistant Professor, Information Systems Technology
Tidewater Community College
(757) 822-5022

()  ascii ribbon campaign 
/\  against html email 

>>> "J. Oquendo" <> 09/01/05 9:07 AM >>>

After doing some logfile analysis briefly yesterday, I noticed what
to be some form of bot, worm, something, searching for what could seems
point to a Cisco exploitation of sorts. (

All the hosts who've tried searching for the string are coming from
So I'm wondering... Has someone taken Michael Lynn's paper "Holy
and produced a "DaVinci Code" to exploit the flaws Lynn spoke of...

Code snippet below is of "cisco_scanner.c" which searches for the same
particular /level/16/exec/-///pwd string however the code can be
(obviously) and a search turns up less than one page of results on
Author's page seems to be gone like the wind... Anyhow.

# grep "/level/16/exec/-///" access_log |awk '{print $1,"\t\t"$7}'            /level/16/exec/-///pwd         /level/16/exec/-///pwd           /level/16/exec/-///pwd           /level/16/exec/-///pwd           /level/16/exec/-///pwd          /level/16/exec/-///pwd           /level/16/exec/-///pwd           /level/16/exec/-///pwd           /level/16/exec/-///pwd          /level/16/exec/-///pwd $ABOVE_HOSTS

Code snippet...

        Multi-thread Cisco HTTP vulnerable scanner v0.2
		by Inode

#define HTTP_REQUEST "GET /level/16/exec/-///pwd  HTTP/1.0\n\n"

So now I have yet another mod_security rule added ;)

SecFilterSelective THE_REQUEST "/level/16"

J. Oquendo
GPG Key ID 0x97B43D89 

It is much easier to suggest solutions when you know nothing
about the problem. -- Niklaus Wirth

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.