
A few other tips:

* Check if there are interfaces/tunnels set up that shouldn't be there (sh int desc | inc Tu)
* Check for locally configured users that should not be there
* Check if NAT is enabled while it should not be
* Is anyone currently logged on that you don't expect?
* See if there are unexpected tcl scripts in the flash and/or boot media
* Check if the http/https server is configured while it shouldn't be
* Disable the finger protocol (sometimes enabled by default)
* Apply the Cisco-recommended defensive mitigations for CVE-2017-6736 through CVE-2017-6742 for securing any exposed SNMP community strings against a constrained MIB view (configs may be snatched this way)
* Apply mitigations for known exploits in the vStack smart install; this is a common entry vector and it's sometimes enabled by default while not showing in config, leaving devices wide open (show vstack config / no vstack)
* I recommend doing a full nmap scan from a public non-trusted IP to see which ports may be open to the world that should not, or you do not expect to be open. Adjust your ACLs based on this.
* Check your tacacs/radius config; make sure it's not replaced/amended with something else that just functions to intercept your passwords
* Verify that your 'line' configs don't refer to non-default AAA configs. If the line configuration references a named AAA profile, the previously entered AAA directives will be ineffective.

Jeroen Wunnink
Sr. Manager - Integration Engineering
www.gtt.net

From: Randy Bush via NANOG <nanog@lists.nanog.org>
Date: Saturday, 30 August 2025 at 20:30
To: North American Network Operators' Group <nanog@lists.nanog.org>
Cc: Randy Bush <randy@psg.com>
Subject: Re: beware: being old sucks
a fellow nanogger wrote:
I've only *just* gotten to the note from a week or more ago.
    + tftp-server nvram:startup-config   <<<<<<======
    snmp-server community foo 98
    snmp-server trap-source Vlan1
    snmp-server location Ashburn VA US
I, too, got this from a RANCID setup I built a long time ago.
and here is the talos report, thanks joe
https://blog.talosintelligence.com/static-tundra/
set `no vstack` in config. no, that is not the default.
I'd told the owner that I didn't think he had control of his gear anymore, but this helped me to convince him to put a new switch in.
moving this to nanog because i did not elaborate on a critical point.

when you get this, presume the config of this trivial ancient device has been snatched. did the device have any burned in users, a la

    username foo privilege 15 password 7 bar

and that uid/pass is used on other, presumably more modern, devices? then you need to change the passwords everywhere. same for other credentials, snmp, bgpmd5, ...

randy

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/HJ64BOPT...
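Jeroen's checklist and Randy's point about burned-in type-7 credentials can be turned into a quick offline audit of a saved `show running-config`. This is an added example, not code from the thread; the config excerpt in it is constructed, and the regex rules are assumptions about common IOS syntax rather than an exhaustive set of checks.

```python
import re

# Constructed sample of a `show running-config` excerpt (not from any device in
# the thread); it deliberately contains several of the indicators discussed.
SAMPLE_CONFIG = """\
username foo privilege 15 password 7 bar
ip http server
tftp-server nvram:startup-config
interface Tunnel9
 ip nat inside
snmp-server community foo RO 98
snmp-server community public RO
line vty 0 4
 login authentication SHADOW
"""

# Per-line rules: (regex matched against one config line, finding label).
# Regex groups fill the {0} placeholder in the label.
LINE_RULES = [
    (r"^tftp-server\s+nvram:startup-config", "startup-config served via tftp-server"),
    (r"^username\s+(\S+)\s+privilege\s+15\b", "local privilege-15 user: {0}"),
    (r"^username\s+(\S+)\s+.*password 7\s+\S+", "type-7 (reversible) password for user: {0}"),
    (r"^interface\s+(Tunnel\S*)", "tunnel interface present: {0}"),
    (r"^ip http (secure-)?server", "HTTP(S) server enabled"),
    (r"^\s+ip nat (inside|outside)", "NAT configured on an interface"),
    # community string with optional view and RO/RW but no ACL after it
    (r"^snmp-server community\s+(\S+)(?:\s+view\s+\S+)?(?:\s+R[OW])?\s*$",
     "SNMP community without ACL: {0}"),
    (r"^\s+login authentication\s+(?!default\b)(\S+)", "line uses non-default AAA list: {0}"),
]

# Features that stay on unless explicitly turned off, so their absence is a finding.
ABSENCE_RULES = [
    ("no vstack", "Smart Install not explicitly disabled (add 'no vstack')"),
    ("no ip finger", "finger not explicitly disabled (add 'no ip finger')"),
]

def audit_ios_config(text):
    """Return a list of human-readable findings for one running-config."""
    lines = text.splitlines()
    findings = []
    for line in lines:
        for pattern, label in LINE_RULES:
            m = re.match(pattern, line)
            if m:
                findings.append(label.format(*m.groups()))
    for literal, label in ABSENCE_RULES:
        if not any(l.strip() == literal for l in lines):
            findings.append(label)
    return findings
```

Run it over each saved config from your archive (RANCID output works well) and treat every finding as something to explain or remove, not as proof of compromise on its own.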