CISCO 2821 hacked

Unanswered Question
Nov 17th, 2008

Cisco Newbie - know nothing

One of our subsidiary companies has a Cisco 2821 connected to both data and voice providers' links. This device is supported by a third party. Recently the device was compromised and a large phone bill was run up with the calls being made from the Cisco 2821. The local maintainer made changes to the 2821 as a result of the compromise (I have details of the Cisco config logs before and after the change). My question is - is there any way to interrogate the Cisco config to ascertain what security fixes have been applied and when?

Many thanks for any help you can offer.

John Blakley Mon, 11/17/2008 - 11:00

Not that I know of. There's not really "security fixes" in the Cisco environment compared to Windows update. Cisco releases IOS versions to fix issues. You could find out what version you are currently running by doing a sh ver at the command line, but that will only tell you the IOS version you're running. You can also do a sh flash or dir and it will show you the files that are in flash. It's possible that you could have two IOSs stored in flash, and one being an earlier version than the current one. (Not everyone has to delete the current version before updating to the new.)


Joseph W. Doherty Mon, 11/17/2008 - 11:44

If you have a before and after copy of the configs, you can run any common "DIFF" utility to see what has changed.

When the changes happened is more difficult to ascertain without preliminary setup.
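
The before/after comparison suggested above, as an added example that is not part of the original thread. Both configs are constructed samples. The code assumes the saved copies are `show running-config` output that still carries the "Last configuration change at" header line, which records only the most recent change and only by the router's own clock.

```python
import re

# Constructed sample configs (not from the thread).
BEFORE = """\
! Last configuration change at 09:12:44 UTC Mon Nov 3 2008 by admin
version 12.4
ip http server
line vty 0 4
 password cisco
 transport input telnet ssh
"""
AFTER = """\
! Last configuration change at 16:05:10 UTC Fri Nov 14 2008 by support
version 12.4
no ip http server
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 password cisco
 transport input ssh
"""

def qualified_lines(config):
    """Prefix each indented sub-command with its parent section, so that
    'transport input ssh' under one line block is not confused with another."""
    parent, out = "(no section)", set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment/separator lines
        if line[0] != " ":
            parent = line
            out.add(line)
        else:
            out.add(f"{parent} > {line.strip()}")
    return out

def config_diff(before, after):
    """Return (removed, added) commands, order-independent and section-aware."""
    b, a = qualified_lines(before), qualified_lines(after)
    return sorted(b - a), sorted(a - b)

def last_change(config):
    """Return (timestamp, user) from the header comment, or None if absent."""
    m = re.search(r"^! Last configuration change at (.+?)(?: by (\S+))?$",
                  config, re.M)
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    removed, added = config_diff(BEFORE, AFTER)
    print("last change:", last_change(AFTER))
    print("\n".join(["- " + r for r in removed] + ["+ " + a for a in added]))
```

Unlike a plain line diff, this reports each changed sub-command together with the section it belongs to, which makes it easier to see which access path a change actually restricts.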

h.parsons Mon, 11/17/2008 - 12:51

My first question would be whether the 2821 was compromised because of a vulnerability in the version of IOS or was it a lack of security measures enacted on the 2821 thru the configuration.

2go2marketing Tue, 11/18/2008 - 06:43

99.9% of the time it is your latter presumption. Unskilled engineers deploying configurations they have no idea what they do, e.g. not turning off unused services, etc.

