Seeing something *weird* in router logs ...
nietzsche
February 11th, 2002, 10:03 PM
Hello - this is from a Cisco router running IOS 12.1(6) - am I seeing a buffer overflow attack, or just some weirdness? This shows under debug logging ... and this comes seemingly from the router itself, which I find weird. It almost looks like it's trying to get/send something, like syslog stuff.
Please give me a pointer on this; it's weird enough to have caught my eye in looking over logs today.
Syslog Message:
0<002><001><000><004><007>version<006><006>+<006><001><004><001><009>@<004>rY<001><002><001><006><002><001><001>C<004><003>00<018><006><013>+<006><001><004><001><009><002><009><003><001><001><002><001><002><001><005>0<028><006><023>+<006><001><002><001><006><013><001><001><006>rY<001><023><006>rY<009><029><002><001><004>0<031><006><025>+<006><001><004><001><009><002><006><001><001><005><006>rY<001><023><006>rY<009><029><002><002>)0<030><006><025>+<006><001><004><001><009><002><006><001><001><001><006>rY<001><023><006>rY<009><029><002><001>g0<031><006><025>+<006><001><004><001><009><002><006><001><001><002><006>rY<001><023><006>rY<009><029><002><002>E0<016><006><012>+<006><001><004><001><009><002><009><002><001><018><002><004><000>
nietzsche
February 11th, 2002, 10:10 PM
Actually ... something quick here - it *looks* like a reboot, almost ... the <>'s are control characters ... but these come about during the day - when THE ROUTER SHOULD BE SOLIDLY UP!
<sigh>
~N~
niboreon
February 11th, 2002, 10:44 PM
I haven't seen that :confused:
Post your question at the
Cisco IDS Discussion Forum (http://forums.cisco.com/eforum/servlet/NetProf;jsessionid=47rru60nr1.SJ2B?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fc)
Let us know what you find out :p and Good Luck!
nietzsche
February 11th, 2002, 11:00 PM
Hmmm ... well, it's over at Cisco now. I'll keep you posted!
~N~
nietzsche
February 12th, 2002, 12:44 AM
Yeah - I *think* it's a message that's generated when I log into the router and hit either the logs or NVRAM. <sigh> Weird, though.
~N~
gold eagle
February 12th, 2002, 01:54 PM
tks for keeping us informed. I am interested in what cisco says.
nabylbt
February 13th, 2002, 11:01 AM
have cisco answered yet? i'm just curious 'cause i have a tac open with them and no ans...
nietzsche
February 14th, 2002, 08:26 AM
Bah - still no reply. The actual question is located here:
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee7ae43
Stupid. However, I *did* find that it's 100% tied to either hitting NVRAM or local logs on the router (buffer). It's also a DEBUG level error message from the router ... so as far as I'm concerned, the forums kind of let me down here, but I am satisfied that it's just an oddity of logging EVERYTHING (which I do. :) ) and not a threat.
In fact, I guess I'm staking my job on it. :/
~N~
nietzsche
February 14th, 2002, 08:27 AM
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee7ae43
This should let that link come through ... I think. :)
~N~
nietzsche
February 15th, 2002, 07:56 AM
F'-em. I have no responses. SO ... I'm working now that correlation==causality.
Not great, but it's what I'm left with.
Someone else could verify this by logging debug messages to syslog, then going and hitting NVRAM and buffered logs (sh log) on a router - we'd still have correlational work only, but at least it'd be from more than 2 sites (my work & home router - both running on the same router model, same IOS version, different build).
~N~
CyberSpyder
February 18th, 2002, 04:45 AM
that's definitely a buffer overflow attack. Did you see a slowdown or anything because of it?
nietzsche
February 19th, 2002, 01:38 AM
that's definitely a buffer overflow attack. Did you see a slowdown or anything because of it?
Didn't see any slowdown in the system because of it ... but it seems weird that I can reproduce the exact same message (with no syslog ID number, you'll notice) by either hitting the router's NVRAM or local logs. So if it *is* a buffer overflow, I am able to do it from inside our DMZ here by just doing either of the above two items.
~N~
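Added example, not code from the thread: the dump renders each non-printable byte as <ddd> (decimal) and, judging by BER length fields that count more bytes than are shown, the display dropped bytes of 0x80 and above, so it cannot be re-parsed field by field. It can still be decoded far enough to see the layout of an SNMPv1 Trap-PDU (INTEGER 0 version, OCTET STRING community, enterprise OID 1.3.6.1.4.1.9, an IpAddress, generic trap 6, specific trap 1, TimeTicks, then varbinds that include tcpConnState 1.3.6.1.2.1.6.13.1.1 indexed by local port 23), which is the check a responder would run before calling a blob like this an overflow. Assumptions: the <ddd> convention and the dropped-high-byte reading are inferred from the post, and the SNMP/MIB names come from RFC 1157/1213 and the registered Cisco enterprise arc, not from the thread.

```python
import re
# Dump exactly as posted (<ddd> = non-printable byte, decimal); bytes >= 0x80 appear dropped.
DUMP = (
    "0<002><001><000><004><007>version<006><006>+<006><001><004><001><009>@<004>rY<001><002>"
    "<001><006><002><001><001>C<004><003>00<018><006><013>+<006><001><004><001><009><002><009>"
    "<003><001><001><002><001><002><001><005>0<028><006><023>+<006><001><002><001><006><013>"
    "<001><001><006>rY<001><023><006>rY<009><029><002><001><004>0<031><006><025>+<006><001>"
    "<004><001><009><002><006><001><001><005><006>rY<001><023><006>rY<009><029><002><002>)0"
    "<030><006><025>+<006><001><004><001><009><002><006><001><001><001><006>rY<001><023><006>"
    "rY<009><029><002><001>g0<031><006><025>+<006><001><004><001><009><002><006><001><001>"
    "<002><006>rY<001><023><006>rY<009><029><002><002>E0<016><006><012>+<006><001><004><001>"
    "<009><002><009><002><001><018><002><004><000>"
)

def decode_rendering(text):
    """Turn the <ddd>/literal rendering back into raw bytes."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(0))
                 for m in re.finditer(r"<(\d{3})>|.", text, re.S))

def decode_oid(raw):
    """BER OBJECT IDENTIFIER content octets (base-128 sub-ids) -> dotted form."""
    subids, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids, value = subids + [value], 0
    return ".".join(map(str, subids))

def extract_oids(data):
    """Lenient OID-TLV scan: tag 0x06, short length, content starting 0x2B (= 1.3)."""
    oids, i = [], 0
    while i + 2 < len(data):
        if data[i] == 0x06 and 0 < data[i + 1] < 0x80 and data[i + 2] == 0x2B:
            oids.append(decode_oid(data[i + 2:i + 2 + data[i + 1]]))
            i += 2 + data[i + 1]
        else:
            i += 1
    return oids

def trap_summary(text):
    """SNMPv1 Trap shape check plus community, enterprise OID and varbind OIDs."""
    data = decode_rendering(text)
    at = data.find(b"\x02\x01\x00\x04")  # INTEGER 0 (version-1) then OCTET STRING tag
    if data[:1] != b"\x30" or at < 0 or at + 4 >= len(data):
        return {"snmpv1_shape": False}
    clen = data[at + 4]
    community = data[at + 5:at + 5 + clen].decode("ascii", "replace")
    oids = extract_oids(data[at + 5 + clen:])
    return {"snmpv1_shape": True, "community": community,
            "enterprise": oids[0] if oids else None, "varbind_oids": oids[1:]}
```

Where an OID's length counts dropped bytes, the scan swallows a few bytes of the following TLV, so such OIDs show a short numeric tail (e.g. ending in .2.1.4.48) instead of breaking the decode.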