LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-23-2003, 09:19 AM   #1
freelinuxcpp
Member
Registered: Jul 2003
Posts: 129
My Cisco got hacked!

Hello everybody,
Here is my big problem:
I'm the admin of a box that has a NAT server behind a router (Cisco). I have two addresses on the NAT server, a public and a private one.

The problem is that the admin of the router has discovered that someone has logged into his box (the Cisco) using the public address of the NAT server. I thought it was someone who has a private address and is being masqueraded, so I checked all of today's connections (I have a script that does the ipchains -L -M work). The problem is that there is no connection to the router over port 23, not one at all. This means the attacker wasn't one of my clients (because I'm the admin of the NAT machine), so I thought about being spoofed: someone got the IP of my NAT server and used it to log in to the router. I even thought my box was compromised. I installed chkrootkit, but it didn't detect anything suspect. I did this:

grep -r xxx.xxx.xxx.xxx /var/log/ (where xxx.. = ROUTER IP)

but nothing much; this connection isn't logged. PLEASE can someone help me, because the boss thinks I'm the attacker since it's my machine. This is the worst stuff I had today!
Thanks in advance and sorry for the bad English.
 
Old 12-23-2003, 11:36 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
In case of doubt, regard the box as compromised, and act on it.

1. Since the Cisco is involved, please tell us:
- how long ago this incident happened,
- what the exact "evidence" was,
- if the admin took precautions and steps towards recovery, and what they were,
- if adjacent boxen and subnets are (to be) investigated.


2. How you handle compromise detection and recovery of your NAT box depends on whether the box is critical wrt business or not.
In any case you should:
- officially alert upper mgmnt, local IT dept, Security Officer or Incident Response Team (where available) of a suspected incident. If they are available, let them handle the process and do not access the box,
- let upper mgmnt alert customers or upstream ISPs (where applicable),
- ask assistance from experienced admins if available.


3. Your next step is to isolate the box from the network to remove the risk of it being part of the compromise. Before you do so, please tell us in detail about the box, its services, accounts, upgrades, hardening measures etc. Please provide any details and anomalies you found in authentication, login, user, system or daemon config, resource or log files (and tell us if you're responsible for investigating subnets behind the NAT too).

Last edited by unSpawn; 12-23-2003 at 11:38 AM.
 
Old 12-23-2003, 11:46 AM   #3
chort
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
It would also help to know if there were any modifications made to the Cisco router(?)'s routing table, ACLs, etc. Anything different can tip you off to where the attack came from.

By the way, this shows why it's generally dangerous to allow IP connectivity for administration of network devices. It's much better (if you can afford it) to use a terminal server connected to the other devices with serial cables (then lock down the terminal server like crazy with IDS, security kernel patches, etc).
 
Old 12-23-2003, 11:53 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
//Moderator OT note: Chort, you familiar with CREED? The Cisco evidence disk?
 
Old 12-30-2003, 10:25 AM   #5
freelinuxcpp
Member
Registered: Jul 2003
Posts: 129
Original Poster
Well, first of all thanks for the reply! This helped me so much.

After a long time of investigation I found that my box wasn't involved any more; well, let's say it was just used as a gateway to access the router. Somebody on our staff (who has a private IP) was sniffing the router and making a grep on each packet going to port 23 (telnet); he got the pass that way. After that he logged in, but he didn't have all privileges (I'm not really a Cisco guru, but they said there is another pass to get the root's privileges). Since I'm not the router admin, I just gave the admin some advice: TO USE SSH rather than the insecure telnet. Hope they will listen to me. Thanks again for your advice. Now I'm doing some research to set up a really secure machine from scratch! (Wish me good luck.)
Over.

Last edited by freelinuxcpp; 12-31-2003 at 04:17 AM.
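As an added example (not the original poster's script), this is the check the first post describes: going through the NAT box's connection-tracking table for sessions to the router's telnet port and mapping each one back to the private host behind the masquerade, since the router itself only ever sees the public address. It assumes Linux ip_conntrack-style records rather than the ipchains -M output the poster used; the router and public addresses are placeholders from the RFC 5737 documentation ranges and the sample entries are constructed.

```python
"""Audit a Linux NAT box's connection-tracking table for cleartext admin
sessions (telnet, tcp/23) to the router and map each back to the private
host that opened it. The router only ever sees the NAT box's public
address, so this table is the one place the real source is recoverable."""
import re
from collections import defaultdict

ROUTER_IP = "203.0.113.1"            # placeholder (RFC 5737 range), not the real router
CLEARTEXT_ADMIN_PORTS = {23: "telnet"}

# Constructed sample in the shape of Linux /proc/net/ip_conntrack entries:
# proto, proto number, timeout, [tcp state], original tuple, reply tuple.
# 198.51.100.7 stands in for the NAT box's public address.
SAMPLE_CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=10.0.0.12 dst=203.0.113.1 sport=34011 dport=23 src=203.0.113.1 dst=198.51.100.7 sport=23 dport=34011 [ASSURED] use=1
tcp 6 120 TIME_WAIT src=10.0.0.7 dst=198.51.100.20 sport=40102 dport=80 src=198.51.100.20 dst=198.51.100.7 sport=80 dport=40102 [ASSURED] use=1
udp 17 29 src=10.0.0.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=198.51.100.7 sport=53 dport=5353 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.44 dst=203.0.113.1 sport=51000 dport=23 src=203.0.113.1 dst=198.51.100.7 sport=23 dport=51000 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=10.0.0.12 dst=203.0.113.1 sport=34020 dport=22 src=203.0.113.1 dst=198.51.100.7 sport=22 dport=34020 [ASSURED] use=1
"""

# Only the original-direction tuple matters: it names the private source.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_conntrack(text):
    """Yield (proto, src, dst, sport, dport) for each entry's original direction."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["sport"]), int(m["dport"])

def find_cleartext_admin_sessions(text, router_ip=ROUTER_IP):
    """Return {private_src: [(service, sport), ...]} for every tracked TCP
    connection from an internal host to the router on a cleartext admin port.
    An empty result while the router reports a login from the public address
    is itself a finding: the session did not pass through this NAT table."""
    hits = defaultdict(list)
    for proto, src, dst, sport, dport in parse_conntrack(text):
        if proto == "tcp" and dst == router_ip and dport in CLEARTEXT_ADMIN_PORTS:
            hits[src].append((CLEARTEXT_ADMIN_PORTS[dport], sport))
    return dict(hits)

if __name__ == "__main__":
    for host, sessions in sorted(find_cleartext_admin_sessions(SAMPLE_CONNTRACK).items()):
        print(f"{host} -> {ROUTER_IP}: {sessions}")
```

Run against the live table (cat /proc/net/ip_conntrack on a 2.4 kernel) instead of the sample to get the current mapping; a session to port 22 is deliberately left out of the report, since SSH is what the poster recommended the router admin switch to.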
 
Old 12-31-2003, 03:53 AM   #6
chort
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Quote:
Originally posted by unSpawn
//Moderator OT note: Chort, you familiar with CREED? The Cisco evidence disk?
Nope, never heard of it. That sounds like it would be very useful, though. Cisco sure has had a lot of remotely exploitable vulns recently.
 
Old 01-01-2004, 04:54 AM   #7
ugge
Senior Member
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028
As far as I know Cisco doesn't support SSH.
You're right. Cisco has two modes, unprivileged and privileged mode.
In unprivileged mode you can run some show commands and see some information, but to do any configuration you will have to enter privileged mode, which should require a password.
 
Old 01-01-2004, 10:58 PM   #8
chort
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Some Cisco products do support ssh, I just forget which. It might only be their management devices, though.
 