I'm wondering if anyone that recently upgraded to IOS 12.3 on any access servers have run into this problem... We recently upgraded our AS5x00 access servers to the 12.3(x) main line. Upon doing so we started seeing some very strange RADIUS accounting records coming from IP addresses all over the Internet. Normally these boxes are ACL'd but upon scanning an IP address that the routers listen on nmap shows a slew of open TCP service ports which accept connections. Upon connecting to one of the ports we're prompted for username and password just as if we connected to the VTY management lines. If we try to log in, it queries the RADIUS server. The question is why suddenly are the routers answering on tons of ports, is there a way to turn these service ports off? Normally these routers only listen on port 22/23 and 514 at best. Upon nmapping the access servers now, we see something like the below. (TAC suggested an access-list; I know we can apply an access-list to block all this, but then that means we have to put ingress access-lists on every interface, including connected modem users, etc.) 2001/tcp open dc 2003/tcp open cfingerd 2005/tcp open deslogin 2007/tcp open dectalk 2008/tcp open conf 2009/tcp open news 2011/tcp open raid-cc 2012/tcp open ttyinfo 2013/tcp open raid-am 2014/tcp open troff 2015/tcp open cypress 2016/tcp open bootserver 2019/tcp open whosockami 2021/tcp open servexec 2022/tcp open down 2023/tcp open xinuexpansion3 2025/tcp open ellpack 2026/tcp open scrabble 2027/tcp open shadowserver 2028/tcp open submitserver 2030/tcp open device2 2034/tcp open scoremgr 2035/tcp open imsldoc 2041/tcp open interbase 2042/tcp open isis 2043/tcp open isis-bcast 2044/tcp open rimsl 2045/tcp open cdfunc 2046/tcp open sdfunc 2049/tcp open nfs 2064/tcp open dnet-keyproxy 2067/tcp open dlswpn 2105/tcp open eklogin 2106/tcp open ekshell 2108/tcp open rkinit 2112/tcp open kip 4008/tcp open netcheque 4045/tcp open lockd 4133/tcp open nuts_bootp 6001/tcp open X11:1 6003/tcp open X11:3 6005/tcp open X11:5 6007/tcp open X11:7 6008/tcp open X11:8 6009/tcp open X11:9 6101/tcp open VeritasBackupExec 6103/tcp open RETS-or-BackupExec 6105/tcp open isdninfo 6106/tcp open isdninfo 6110/tcp open softcm 6112/tcp open dtspc 6142/tcp open aspentec-lm 6143/tcp open watershed-lm 6145/tcp open statsci2-lm 6146/tcp open lonewolf-lm 6147/tcp open montage-lm 6148/tcp open ricardo-lm 9090/tcp open zeus-admin 9100/tcp open jetdirect 9152/tcp open ms-sql2000 -- Robert Blayzor, BOFH INOC, LLC rblayzor@inoc.net PGP: http://www.inoc.net/~dev/ Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0 Years of development: We finally got one to work.