Anybody knows this log message ?

shsong21 · ‎07-20-2008

Hi,

I have one question for you all.

I found this log meessage on my Cat6509 switch. But I don't know what this log means. So, I need your help.

-----------------------------------------

Jul 12 16:13:12: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 110.254.x.x

Jul 12 16:13:13: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 110.254.x.x

Jul 12 16:14:37: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 110.254.x.x

Jul 12 16:14:38: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 110.254.x.x

Jul 16 07:40:49: %MLS_STAT-SP-4-IP_LEN_ERR: MAC/IP length inconsistencies

-----------------------------------------

tearl42 · ‎07-20-2008

Hey there...

The short of it is that someone is trying to connect to your 6509 using RSH and your not configured for it. The second message (MLS_STAT) looks a little more pressing...

I used the Error Message Decoder (http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi) and here is what it spit out...

1. %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from [chars]

An attempt was made to connect to a router through the remote shell syslog port, but the router was not configured as an rsh or RCP server.

Recommended Action: Configure the server to use rsh or RCP.

2. %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from [IP_address]

An attempt was made to connect to a router through the rshell port (514), but the router was not configured as an rsh or RCP server.

Recommended Action: Configure an rsh or RCP server.

1. %MLS_STAT-4-IP_LEN_ERR: MAC/IP length inconsistencies

The system has received one or more packets that have an IP length that does not match the physical length.

Recommended Action: Copy the error message exactly as it appears on the console or in the system log. Enter the show mls statistics command to gather data that may help identify the nature of the error. If you cannot determine the nature of the error from the error message text or from the show mls statistics command output, contact your Cisco technical support representative and provide the representative with the gathered information.

Related documents- No specific documents apply to this error message.

shsong21 · ‎07-20-2008

Hi there,

Thanks for your reply.

You said that 'configure the server to use rsh or RCP'.

Why do I config like that ?

And, I got a related document and I checked out this one. It said that deny with ACL on all interface.

But you said that configure the sever to use it. So, I confused so much.

I'm so sorry but could you explain more deatil for me ?

First, I knew that it is some hacking try to the switch. Isn't hacking ?

Regards,

Giuseppe Larosa · ‎07-20-2008

Hello Soo,

enabling remote shell is not recommended for security reasons.

In the previous post the error message decoder output is reported that it is not a suggestion that comes from a person it is part of an automatic answer.

Let me say that is a default recommended action that int this case shouldn't be followed.

Yes, somebody or some device is trying to get access to your switch.

Get the source ip address and you will find the pc from where rcp attempts are done.

About the second message could be a form of attack too.

Hope to help

Giuseppe

shsong21 · ‎07-21-2008

Hi,

Thanks for your reply.

Yes, I agree with you.

BTW, What is 'rcp' ?

Im so sorry but, could you explain more detail for me ?

I seem you are a best engineer.

Regards,