TOPIC: who is user "Config" and what happened here?

who is user "Config" and what happened here? 6 years 1 month ago #35295

  • randallr
  • New Member
  • Posts: 2
  • Karma: 0
While I was away on Friday afternoon the following seems to have happened on my Cisco ASA (and the log files from August 11th to just before the first log entry date are missing too):

5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'prompt hostname context' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'webvpn' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 70.91.204.17 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 198.186.191.229 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 72.14.177.132 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 205.209.166.11 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp authenticate' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics access-list' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics protocol' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics port' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection basic-threat' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'dhcp-client client-id interface outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'console timeout 0' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'snmp-server enable traps snmp authentication linkup linkdown coldstart' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'no snmp-server contact' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'no snmp-server location' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'http 192.168.2.0 inside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'http server enable' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.

Questions:
1. Who is user "Config"? I don't see this user in any user list.
2. What was going on? Is the script setting up a webvpn remote access point?
3. Why are the log file entries missing? A reboot?

As you can imagine, I would like to know what happened here. Can anyone help explain what's going on?
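The log lines in the post are in the pipe-delimited layout ASDM exports (severity|date|time|message ID|five optional address/port fields|message text), and message 111008 carries the account name and the command inside its text. The script below, an added example that is not part of the original post, parses that layout and applies the three checks the poster's questions call for: a configuration command from an account outside a known-admin list, a timestamp gap between consecutive entries (the missing August 11th to 13th logs), and a burst of commands by one account within the same second (nineteen commands at 14:04:06 is not a person typing). The sample input is constructed for the example: the 'Config' lines are copied from the post, the earlier 'netadmin' line and the admin allow-list are assumptions, and the "service" prefix list is an editorial choice of commands worth reviewing first, not a Cisco classification.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log for this example. The five 'Config' lines are copied from
# the post; the first line (an assumed known admin doing a routine change two days
# earlier) is constructed so the gap and allow-list checks have a baseline.
SAMPLE_LOG = """\
5|Aug 11 2010|09:12:40|111008|||||User 'netadmin' executed the 'logging host inside 192.168.2.50' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'webvpn' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 70.91.204.17 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'console timeout 0' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'http 192.168.2.0 inside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'http server enable' command.
"""

# Accounts expected to make configuration changes (assumption for the example).
KNOWN_ADMINS = frozenset({"netadmin"})

# Command prefixes that open or alter a network-facing management or remote-access
# service. A hit is a reason to review first, not proof of anything on its own.
SERVICE_PREFIXES = ("http ", "ssh ", "telnet ", "webvpn", "ntp server ", "snmp-server ")

# %ASA-5-111008 message text: User 'name' executed the 'command' command.
CMD_RE = re.compile(r"^User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$")


def parse_line(line):
    """Split one pipe-delimited ASA line into a dict, or return None if malformed.
    maxsplit=8 keeps any '|' that appears inside the message text intact."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    try:
        ts = datetime.strptime(f"{parts[1]} {parts[2]}", "%b %d %Y %H:%M:%S")
    except ValueError:
        return None
    rec = {"severity": int(parts[0]), "ts": ts, "msgid": parts[3],
           "text": parts[8], "user": None, "cmd": None}
    if rec["msgid"] == "111008":
        m = CMD_RE.match(rec["text"])
        if m:
            rec["user"], rec["cmd"] = m.group("user"), m.group("cmd")
    return rec


def triage(log_text, known_admins=KNOWN_ADMINS,
           max_gap=timedelta(hours=24), burst_size=5):
    """Return a list of findings, each a tuple starting with its kind:
    gap          - consecutive entries more than max_gap apart (cleared logs or downtime)
    unknown-user - a configuration command by an account not in known_admins
    service      - a command matching SERVICE_PREFIXES
    burst        - burst_size or more commands by one account in the same second,
                   i.e. scripted or replayed rather than typed interactively
    """
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    prev = None
    same_second = {}
    for r in recs:
        if prev is not None and r["ts"] - prev["ts"] > max_gap:
            findings.append(("gap", prev["ts"], r["ts"]))
        if r["cmd"] is not None:
            if r["user"] not in known_admins:
                findings.append(("unknown-user", r["user"], r["cmd"]))
            if r["cmd"].startswith(SERVICE_PREFIXES):
                findings.append(("service", r["user"], r["cmd"]))
            same_second.setdefault((r["user"], r["ts"]), []).append(r["cmd"])
        prev = r
    for (user, ts), cmds in same_second.items():
        if len(cmds) >= burst_size:
            findings.append(("burst", user, ts, len(cmds)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run it against a full ASDM log export rather than the excerpt: the gap check only means something if the export is continuous, and the allow-list should be the accounts that appear in your own `show running-config username` output, not the placeholder used here.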

Unknown user 6 years 1 month ago #35297

  • Arani
  • Moderator
  • Posts: 745
  • Thank you received: 10
  • Karma: 4
Hi mate,

Looks like there was a user 'Config' with priv level 15 who came in and worked on your ASA. Time to start asking questions around your peer group.

Check all other user groups which have priv level set to 15. Maybe some user came in, created this user 'Config' on the fly and did whatever that user did, and then deleted that user 'Config' and removed the log files as well while they were at it.

Would be a good idea to lower all other user levels to 7 at least for the moment, till you figure out who it was. And yes, remember to keep at least one admin level user so that in the future you can at least log into global config mode.

See how it goes, and keep us posted.
Cheers
Picking pebbles on the shore of the networking ocean
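The reply above says to find every local user at privilege 15, lower the others to 7, and keep one admin. The script below, an added example rather than anything from the thread, does the audit against a saved `show running-config` text and adds the two checks a practitioner would want before relying on that advice: whether `aaa authorization command LOCAL` is present (without it the ASA does not enforce local privilege levels on commands, so demoting users changes little) and whether a `logging host` line exists (buffer-only logging is lost on reload and can be cleared from the box, which bears on the missing log files). The config excerpt is constructed for the example, the password hashes are placeholders, and the `netadmin` name in the expected-admin list is an assumption; the ASA default of privilege 2 for a `username` line with no explicit level is from Cisco's documentation.

```python
import re

# Constructed running-config excerpt for this example (not from the post).
# The hashes are placeholders, not real ASA password hashes.
SAMPLE_CONFIG = """\
username netadmin password AbCdEfGhIjKlMnOp encrypted privilege 15
username helpdesk password QrStUvWxYz012345 encrypted privilege 7
username Config password ZzYyXxWwVvUuTtSs encrypted privilege 15
username backupuser password 0123456789AbCdEf encrypted
enable password 9jNfZuNKUmFcKWfO encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
logging enable
logging buffered informational
"""

# username <name> password <hash> [encrypted|nt-encrypted] [privilege <n>]
# or username <name> nopassword [privilege <n>]
USERNAME_RE = re.compile(
    r"^username (\S+) (?:password \S+(?: (?:nt-)?encrypted)?|nopassword)"
    r"(?: privilege (\d+))?$"
)


def parse_users(config_text):
    """Return {username: privilege} for every local 'username' line.
    The ASA assigns privilege 2 when the line carries no explicit level."""
    users = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
    return users


def audit(config_text, expected_admins):
    """Summarise who holds privilege 15 and whether the two controls that make
    privilege levels and logs meaningful are configured."""
    users = parse_users(config_text)
    lines = {l.strip() for l in config_text.splitlines()}
    priv15 = sorted(u for u, p in users.items() if p == 15)
    return {
        "priv15": priv15,
        "unexpected_priv15": sorted(u for u in priv15 if u not in expected_admins),
        # Without command authorization, a user in enable mode can run anything
        # regardless of the privilege level on the username line.
        "command_authz": "aaa authorization command LOCAL" in lines,
        # Buffer-only logging disappears on reload and can be wiped with
        # 'clear logging buffer'; an off-box syslog host keeps the record.
        "remote_syslog": any(l.startswith("logging host ") for l in lines),
    }


def demotion_plan(config_text, keep, new_level=7):
    """Map each privilege-15 user not in 'keep' to new_level, refusing to
    produce a plan that would leave no privilege-15 account at all."""
    users = parse_users(config_text)
    keep = set(keep)
    if not any(users.get(u) == 15 for u in keep):
        raise ValueError("plan would leave no privilege-15 account; keep at least one")
    return {u: new_level for u, p in users.items() if p == 15 and u not in keep}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, expected_admins={"netadmin"})
    for key, value in report.items():
        print(f"{key}: {value}")
    print("demote:", demotion_plan(SAMPLE_CONFIG, keep={"netadmin"}))
```

The plan is deliberately a report rather than generated CLI: changing a level on the ASA means re-issuing the `username` line, and which accounts to keep is a decision for whoever owns the box, not the script.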

thanks 6 years 1 month ago #35300

  • randallr
  • New Member
  • Posts: 2
  • Karma: 0
Thanks for confirmation.