Skip to main content

who is user "Config" and what happened here?

More
14 years 3 months ago #35295 by randallr
While I was away on Friday afternoon the following seems to have happened on my Cicso ASA. (and the log files from August 11th to just before the first log entry date are missing too)

5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'prompt hostname context' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'webvpn' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 70.91.204.17 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 198.186.191.229 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 72.14.177.132 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp server 205.209.166.11 source outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'ntp authenticate' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics access-list' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics protocol' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection statistics port' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'threat-detection basic-threat' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'dhcp-client client-id interface outside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'console timeout 0' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'snmp-server enable traps snmp authentication linkup linkdown coldstart' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'no snmp-server contact' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'no snmp-server location' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'http 192.168.2.0 inside' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'http server enable' command.
5|Aug 13 2010|14:04:06|111008|||||User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.

Questions:
1. Who is user "Config" ?? I don't see this user in any user list
2. What was going on? Is the script setting up a webvpn remote access point?
3. Why are the log file entries missing? A reboot?

As you can imagine, I would like to know what happened here, can any one help explain what's going on?
More
14 years 3 months ago #35297 by Arani
Replied by Arani on topic Unknown user
Hi mate,

Looks like there was an user 'Config' with priv level 15 who came in and worked on your ASA. Time to start asking questions around your peer group.

Check all other user group which has priv lvl set to 15. Maybe, some user came in, created this user 'Config' on the fly and did whatever that user did. And then it deleted that user 'Config' and removed log files as well while being at it.

Would be a good idea to lower all other user levels to 7 atleast for the moment, till your figure out who it was. And yes remember to keep atleast one admin level user so that in the future atleast you can log into global config mode.

See how it goes, and keep us posted.
Cheers

Picking pebbles on the shore of the networking ocean
More
14 years 3 months ago #35300 by randallr
Replied by randallr on topic thanks
Thanks for confirmation.
Time to create page: 0.144 seconds