-
February 11th, 2002, 10:03 PM
#1
Senior Member
Seeing something *weird* in router logs ...
Hello - this is from a Cisco router running IOS 12.1(6) - am I seeing a buffer overflow attack, or just some weirdness? This shows under debug logging ... and this comes seemingly from the router itself, which I find weird. It almost looks like it's trying to get/send something, like syslog stuff.
Please give me a pointer on this; it's weird enough to have caught my eye in looking over logs today.
Syslog Message:
0<002><001><000><004><007>version<006><006>+<006><001><004><001><009>@<004>rY<001><002><001><006><002><001><001>C<004><003>00<018><006><013>+<006><001><004><001><009><002><009><003><001><001><002><001><002><001><005>0<028><006><023>+<006><001><002><001><006><013><001><001><006>rY<001><023><006>rY<009><029><002><001><004>0<031><006><025>+<006><001><004><001><009><002><006><001><001><005><006>rY<001><023><006>rY<009><029><002><002>)0<030><006><025>+<006><001><004><001><009><002><006><001><001><001><006>rY<001><023><006>rY<009><029><002><001>g0<031><006><025>+<006><001><004><001><009><002><006><001><001><002><006>rY<001><023><006>rY<009><029><002><002>E0<016><006><012>+<006><001><004><001><009><002><009><002><001><018><002><004><000>
-
February 11th, 2002, 10:10 PM
#2
Senior Member
Actually ... something quick here - it *looks* like a reboot, almost ... the <>'s are control characters ... but these come about during the day - when THE ROUTER SHOULD BE SOLIDLY UP!
<sigh>
~N~
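Added example, not part of the thread or any poster's code: post #2 reads the <>'s as control characters, and the sketch below rebuilds the raw bytes from that notation and lists anything that parses as an ASN.1 BER OBJECT IDENTIFIER. It assumes each <NNN> is one decimal byte value (the message contains <018> and <029>, which rules out octal); FRAGMENT is copied from the message in post #1, and the function names are made up for this example.

```python
import re

# Fragment copied from the message in post #1.
# Assumption: each <NNN> group stands for one byte written in decimal.
FRAGMENT = ("0<018><006><013>+<006><001><004><001><009><002><009><003>"
            "<001><001><002><001><002><001><005>")

def unescape(text):
    """Rebuild raw bytes: each <NNN> becomes one byte, other characters pass through."""
    def to_char(match):
        value = int(match.group(1))
        if value > 255:
            raise ValueError(f"not a byte value: {match.group(0)}")
        return chr(value)
    return re.sub(r"<(\d{3})>", to_char, text).encode("latin-1")

def decode_oid(body):
    """Decode BER OBJECT IDENTIFIER content bytes to dotted form, or None if malformed."""
    if not body or body[-1] & 0x80:      # empty, or last sub-identifier never terminates
        return None
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear ends this sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)      # first sub-identifier packs the top two arcs
    arcs = [first, subids[0] - 40 * first] + subids[1:]
    return ".".join(str(arc) for arc in arcs)

def find_oids(data):
    """Heuristic scan for tag 0x06 plus a short-form length; returns (offset, OID) pairs."""
    found, i = [], 0
    while i + 2 <= len(data):
        length = data[i + 1]
        body = data[i + 2:i + 2 + length]
        plausible = data[i] == 0x06 and 0 < length < 0x80 and len(body) == length
        oid = decode_oid(body) if plausible else None
        if oid:
            found.append((i, oid))
            i += 2 + length              # skip the bytes just consumed
        else:
            i += 1
    return found

if __name__ == "__main__":
    raw = unescape(FRAGMENT)
    print(raw.hex(" "))
    for offset, oid in find_oids(raw):
        print(f"offset {offset}: {oid}")
```

The scan is a heuristic: a 0x06 byte that is not really an OID tag can still produce a match, so treat the output as a pointer for closer inspection of the capture.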
-
February 11th, 2002, 10:44 PM
#3
-
February 11th, 2002, 11:00 PM
#4
Senior Member
Hmmm ... well, it's over at Cisco now. I'll keep you posted!
~N~
-
February 12th, 2002, 12:44 AM
#5
Senior Member
Yeah - I *think* it's a message that's generated when I log into the router and hit either the logs or NVRAM. <sigh> Weird, though.
~N~
-
February 12th, 2002, 01:54 PM
#6
Tks for keeping us informed. I am interested in what Cisco says.
Trappedagainbyperfectlogic.
-
February 13th, 2002, 11:01 AM
#7
Have Cisco answered yet? I'm just curious 'cause I have a TAC open with them and no ans...
assembly.... digital dna ?
-
February 14th, 2002, 08:26 AM
#8
Senior Member
Bah - still no reply. The actual question is located here:
http://forums.cisco.com/eforum/servl...%40%40.ee7ae43
Stupid. However, I *did* find that it's 100% tied to either hitting NVRAM or local logs on the router (buffer). It's also a DEBUG level error message from the router ... so as far as I'm concerned, the forums kind of let me down here, but I am satisfied that it's just an oddity of logging EVERYTHING (which I do.) and not a threat.
In fact, I guess I'm staking my job on it. :/
~N~
-
February 14th, 2002, 08:27 AM
#9
Senior Member
This should let that link come through ... I think. 
~N~
-
February 15th, 2002, 07:56 AM
#10
Senior Member
F'-em. I have no responses. SO ... I'm working now that correlation==causality.
Not great, but it's what I'm left with.
Someone else could verify this by logging debug messages to syslog, then going and hitting NVRAM and buffered logs (sh log) on a router - we'd still have correlational work only, but at least it'd be from more than 2 sites (my work & home router - both running on the same router model, same IOS version, different build).
~N~