
How to fix your hosed Cisco 675 Router

Especially after attack by the Code Red Worm, or if you accidentally erased the Cisco Broadband Operating System (CBOS)
Intended for the typical residential user with dynamic IP address

Disclaimer
I am a private user of the Cisco Router and the Qwest DSL & ISP service. I am not affiliated in any way with Qwest or Cisco. I am providing this How-To page as a service to other Cisco 675 owners who are down to their last chance to save their routers.

Do you need to do this to your Router?
If your Cisco 675/678 router has been infected by the Code Red Worm, or you want to prevent infection, or you just need to do some resetting on your router,
here are your options:
Option 1) Reboot your router--Power off your Cisco for a minute and power it back on, then reboot your PC. This MIGHT solve the short-term problem, but leaves you vulnerable to future Worm/Virus attacks.
Option 2) Reconfigure your router--Erase and reset your running configuration, including a few security settings that will help protect your router in the future. This will not affect your CBOS.
Option 3) Erase CBOS and reinstall new CBOS on your router--Follow the entire procedure (rest of this page) to the letter. This will wipe your router clean and start you fresh with the latest version of CBOS, and a new running configuration, including a few security settings that will help protect your router in the future. This can be performed even on some routers whose Worm infection prevents CBOS from functioning correctly over hyperterminal.
Option 4) Incinerate your router--Has obvious drawbacks, but unfortunately, users who are unaware of Option 3 often skip straight from Option 2 to Option 4.

First, try Option 1. Option 2 is recommended in order to implement the security measures (click for Option 2 How-To page). If that still doesn't work, or if your router won't even let you try it, and your DSL service people can't help either, follow these directions for Option 3 carefully, and:

ATTEMPT THE CBOS ERASE (option 3) ONLY AS A LAST-DITCH ALTERNATIVE TO INCINERATING YOUR CISCO ROUTER.
(Ok, that is maybe a bit extreme, but you should realize that if you do the CBOS erase/reinstall incorrectly, you could permanently mess up your router.)
If your router is so corrupted that you can't just do a reconfiguration, or if you want to upgrade your CBOS anyway, then read on. It worked great for me!

(Don't think this Fix can help you? Don't be so sure! Click here for FAQs!)

What follows is the entire step-by-step guide to Option 3: Erase and Reinstall CBOS (plus How to Set Running Configuration)

(Yes, Option 3 works even if your router won't function properly in hyperterminal, and even if you lost your Exec/Enable passwords. No, Option 3 is not necessary if you are able to complete Option 2. Option 3 is just here for people who are trying to avoid Option 4. Options defined above.)

 

(Email me with questions at: cisco_fix@herbighouse.com )

This document is about 4-5 printed pages long if you need to print it out.

 

Are you ready for it?! Then, proceed with caution!


 

 

Many people with Code Red infections on their Cisco 67x routers are able to fix them with a reboot, and then a reconfiguration of the NVRAM including some virus-fighting patches. But some routers are so severely damaged that they cannot even be configured properly over the Management cable--they just come up in "Debug" mode and display error messages.

In these cases, some DSL providers are advising customers with severely infected Cisco 675 routers to throw them away and buy new ones, all because the infected routers will not respond to simple treatment like rebooting or reconfiguring. This is a bit like giving up all hope just because a couple of aspirin will not cure a brain tumor. However, for the Cisco router, an alternative treatment exists: erase the router's entire corrupt CBOS (Cisco Broadband Operating System), and replace it with a more robust version of CBOS. Like a brain surgery, this treatment for rescuing a Cisco 675 router with Code Red infection carries some risk, but it is an appealing alternative to giving up and throwing out the router, particularly because the odds of successful "recovery" are excellent if the instructions are followed precisely. It worked for me!

 

Stuff you type is in purple

Stuff the Cisco tells you is in brown

Stuff you do is in green

 

START

A) Download a new CBOS image

 

Note: I've heard through emails from various Cisco users that some of the versions of 675 CBOS that Qwest has provided in the past WILL NOT WORK. The copy of 675 CBOS that I have here was downloaded from QWEST on Aug 3, 2001. Presumably Qwest has updated the version they have online numerous times, but since several people have told me that they can't get their router to work unless they use the copy they got from me, I strongly advise you to consider downloading the copy from my site. I've been using this same copy since Aug 3, 2001, and I haven't had to do ANY further maintenance on my Cisco since then.

 

A.1) Download CBOS from my site: CBOS 2.4.1, and execute it (it's a self-extracting ZIP archive, so you don't need WINZIP).

 

OR go to http://www.qwest.com/dsl/customerservice/csco675ups.html and follow Qwest's download instructions (basically, download it and unzip it; it's self-extracting).

A.2) Then save it someplace where you can find it again. (It should be called "nsrouter.c675.2.4.1.bin" or "nsrouter.c675.2.4.1.ima" when you're done.) DON’T proceed to Qwest’s “Process 2 - Downloading Commander v1.4.004”. You could put the CBOS file (nsrouter.c675.2.4.1.bin) on a floppy if you have to download it from a different computer. It’s 910KB.

 

CISCO 678 ONLY
If you are performing this on a Cisco 678, first determine whether your DSL lines use Carrierless Amplitude Modulation (CAP), or Discrete Multitone Technology (DMT). Your ISP should know. All Cisco 675s are for CAP, but Cisco 678 can be CAP or DMT depending on which CBOS is installed. But you do have to use the version that matches your DSL lines, or it won't work.

If you need Cisco 678 CAP CBOS, click here to get CAP CBOS for Cisco 678 from Qwest, or here to get it from my site.
If you need Cisco 678 DMT CBOS, click here to get DMT CBOS for Cisco 678 from Qwest, or here to get it from my site.
For Qwest downloads, scroll down the page until you find the link to download CBOS, download it, and leave Qwest's page. End of CISCO 678 ONLY Info

 

NOTE: Even if your router won't give you a proper CBOS prompt when you connect to it over Hyperterminal, or it gives error messages, don't give up hope on this procedure. You might still be able to get the router into Debug mode, and that's all you need to be able to erase your corrupt CBOS and start fresh. That is exactly the problem I had with my router, and now, one complete "Option 3" treatment later, my router's been up since Aug 4, 2001!

 

A.3) Make sure your Cisco Management cable is plugged in.

A.4) Get into Hyperterminal (usually under Start/Programs/Accessories/Communications), and create a new session for your router, with these settings (the settings ARE important):

Bits per second: 38400

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

You’re probably on COM1 at this point.

 

B) Get into Debug Mode (RMON)

B.1) Now get into “debug” mode in your router. (That’s the mode where the “=>” prompt shows up in the Hyperterminal window. Also called RMON.)

Do this by unplugging the router’s power for several seconds. Then plug it in, and when the “alarm” light on the router comes on, quickly hit “CTRL-C” at the same time.

In my own case, the router was so hosed that it automatically opened up looking like it was already in Debug mode, but I think it helped to go thru the power-cycle-and-hit-CTRL-C thing anyway, to get it truly into Debug mode.

You might have to hit enter a few times to make the “=>” show up.

If you didn’t get into debug mode, unplug the router and try again.

B.2) Once in Debug, kill the corrupt operating system like this:

At the “ =>” prompt, type es 0 <press enter>

(reply is “Erasing sector 00000000. Sector erased”)

At the “ =>” prompt, type es 1 <press enter>

(reply is “Erasing sector 00000001. Sector erased”)

At the “ =>” prompt, type es 2 <press enter>

(reply is “Erasing sector 00000002. Sector erased”)

At the “ =>” prompt, type es 3 <press enter>

(reply is “Erasing sector 00000003. Sector erased”)

At the “ =>” prompt, type es 4 <press enter>

(reply is “Erasing sector 00000004. Sector erased”)

At the “ =>” prompt, type es 5 <press enter>

(reply is “Erasing sector 00000005. Sector erased”)

At the “ =>” prompt, type es 6 <press enter>

(reply is “Erasing sector 00000006. Sector erased”)

 

 

C) Store new CBOS to Router

C.1) To move the downloaded CBOS file (nsrouter.c675.2.4.1.bin) to storage on the router, enter the following at the "=>" prompt:

df 10008000

(Leave a space between 'df' and the numeric string) <Press "Enter">

C.2) HyperTerminal will return a "Downloading.. " message and a series of "C"s will begin appearing.

C.3) Nothing will happen if you don’t tell the PC to send the file to the router, so as soon as you see the “CCCCCCCCCCCCC…” just pick the “Transfer” menu on the Hyperterminal window.

C.4) Select Send File. An additional Window pops up.

C.5) Select Browse and browse to the nsrouter.c675.2.4.1.bin file that you downloaded from Qwest.

C.6) IMPORTANT!!! In the Send File Window, “Protocol” field, choose Xmodem (not kermit, zmodem, etc) and click the Send button.

WAIT, and DO NOT INTERRUPT while this file is uploading to the Router.

Once the transfer is completed, the terminal session will report the downloaded file size.

C.7) Write down this file size (usually 000f2000)

 

 

D) Program the new CBOS

D.1) Program the Cisco 675 with the new CBOS image by entering the following command at the "=>" prompt:

pb 10008000 fee00000 xxxxxxxx <press enter>

where "xxxxxxxx" is the size of the file you recorded in step C.7.

Example:

=>pb 10008000 fee00000 000f2000

The Hyperterminal screen will show:

Programming flash address 00000000 from 10008000…

Flash programmed_

 

D.2) After the programming is complete and you get a "=>" prompt, type rb (or go) and press enter.

(Some people report better results here if they actually power cycle the router instead of typing "rb", but others can only get it to work with "rb" and no power cycling. I dunno. I power cycled when I did mine.)

 

You’re done with the CBOS install !!!!!!!!!

 

E.) Erase the NVRAM

Now you have to put the router settings in the way you want them, so you’ll still be using Hyperterminal. This time, when the router is plugged in, it should say (when you press enter):

Hello!

Expanding CBOS image...

(CBOS version info, etc etc)

E.1) <Press enter>

Then it will ask you:

User Access Verification

Password:

E.2) You don’t have a password yet (since you just cleared out your router), so just <press enter>

E.3) At the “cbos>” prompt, type

enable <press enter>

E.4) At “Password:” press enter.

E.5) At “cbos#”, type

set nvram erase <press enter>

It replies:

Erasing Running Configuration.

You must use "write" for changes to be permanent.

E.6) At cbos#, type

write <press enter>

NVRAM written.

E.7) At cbos#, type

reboot <press enter>

Hello!

Expanding CBOS image...

(CBOS version info, etc etc)

 

 

F) Fix Settings

 

(CAUTION: This configuration is not for users with static (fixed) IP addresses. Contact your ISP to get appropriate settings for your router if you've got static IP. Many businesses have static IP. Most residential users have dynamic IP addresses, which means the "XXX.XXX.XXX.XXX" number that describes your PC on the internet is different every time you connect to the internet.)

 

After the “Hello!” message, etc.,

F.1) <Press enter>

The router will ask you:

User Access Verification

Password:

F.2) You still don’t have a password yet, so just <press enter>

F.3) At the “cbos>” prompt, type

enable <press enter>

F.4) At “Password:” press enter.

F.5) At cbos#, type

set ppp wan0-0 ipcp 0.0.0.0 <press enter>

(reply is) PPP wan0-0 IPCP Address set to 0.0.0.0

F.6) At cbos#, type

set ppp wan0-0 dns 0.0.0.0 <press enter>

(reply is) PPP wan0-0 DNS Server Addresses set to 0.0.0.0

F.7) At cbos#, type

set ppp wan0-0 login yourusername <press enter>

This username MUST be the one on record with your ISP.

(reply is) User name for wan0-0 has been set to yourusername.

F.8) At cbos#, type

set ppp wan0-0 password yourpassword <press enter>

This password MUST be the one on record with your ISP

(reply is) Password for wan0-0 has been set to yourpassword.

F.9) At cbos#, type

set ppp restart enable <press enter>

(reply is) CPE Remote Restart is now enabled...

F.10) At cbos#, type

set nat enable <press enter>

(reply is) NAT is now enabled

You must use "write" then reboot for changes to take effect.

F.11) At cbos#, type

set dhcp server enable <press enter>

(reply is) DHCP Server enabled

 

G.) Wrapping Up….

G.1) At cbos#, type

set password exec yourexecpassword <press enter>

(This executive password can be anything you want, or you can skip the password.)

(reply is) Exec Password Change Successful!

G.2) At cbos#, type

set password enable yourenablepassword <press enter>

(This enable password can be anything you want, or you can skip the password.)

(reply is) Enable Password Change Successful!

(The next two steps will help keep your router protected from remote access, so the worm won't get you again.)

G.3) At cbos#, type

set web disable <press enter>

(reply is) WEB is disabled

G.4) At cbos#, type

set web port 8080 <press enter>

(...or to some other port of your choosing greater than 1024 and not equal to 80. If you don't know what you're doing here, use 8080.)

(reply is) You must use "write" then reboot for changes to take effect.

G.5) At cbos#, type

set web remote 10.10.10.10 (or 10.0.0.2, or 10.0.0.1...see below)<press enter>

(reply is) web will now restrict to 10.10.10.10

 

NOTE: Changing your "web remote" setting to 10.10.10.10 will disable your NAT (Network Address Translator) access to your router, meaning you won't be able to Telnet onto it anymore. You could use 10.0.0.1, but that will mean that only your router can telnet onto itself. You can also change to 10.0.0.2 or 10.0.0.3 etc. Check Cisco's page for full understanding of what this command does. For my needs, 10.10.10.10 does the trick, and it appears that without "set web remote (something)", you'll get reinfected. So you can either wait for a final recommendation from Cisco or Qwest, or just slap one of these settings in there and go! If you always use your serial management cable (instead of your ethernet cable) when changing settings on your router, 10.10.10.10 will be OK. If you have no idea what I'm talking about, use 10.10.10.10--you won't miss the Telnet.

 

 

For CISCO 678 DMT (not CAP, just DMT) ONLY
If you have a Cisco 675 or a Cisco 678 for CAP, skip these lines and continue with the next step
If you've got a Cisco 678 running on DMT lines, you'll also need to add:
set interface wan0-0 disable
set interface wan0-0 vpi 0
set interface wan0-0 vci 32
set interface wan0-0 enable
End of CISCO 678 DMT ONLY Info

 

G.6) At cbos#, type

write <press enter>

(reply is) NVRAM written.

G.7) At cbos#, type

reboot <press enter>

(reply is)

Hello!

Expanding CBOS image... Etc etc.

Now you’re done!! You can exit Hyperterminal. You might have to reboot the whole PC to get Windows to see that you have the network back.
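An added example (not part of the original guide): a Python check over a saved text capture of the configuration session (for instance from HyperTerminal's Transfer > Capture Text) that confirms steps G.1 to G.5 were typed and that "write" came after the last "set", since the router says changes are not permanent until "write". The capture text is constructed from the prompts and replies shown above, and the function names are this example's own.

```python
import re

# Constructed capture, modeled on the prompts and replies shown in step G.
SAMPLE_CAPTURE = """\
cbos#set password exec yourexecpassword
Exec Password Change Successful!
cbos#set password enable yourenablepassword
cbos#set web disable
WEB is disabled
cbos#set web port 8080
cbos#write
NVRAM written.
cbos#set web remote 10.10.10.10
web will now restrict to 10.10.10.10
cbos#reboot
"""

PROMPT = re.compile(r"^\s*cbos#\s*(.+?)\s*$")
REQUIRED = {  # step label -> command that must have been typed
    "G.1 exec password": r"set password exec \S+",
    "G.2 enable password": r"set password enable \S+",
    "G.3 web disable": r"set web disable",
    "G.4 web port": r"set web port (\d+)",
    "G.5 web remote": r"set web remote \d+(\.\d+){3}",
}

def typed_commands(capture):
    """Commands typed at the cbos# prompt, in order; reply lines are skipped."""
    return [m.group(1) for m in map(PROMPT.match, capture.splitlines()) if m]

def redact(cmd):
    """Mask the secret in 'set password ...' and 'set ppp ... password ...'."""
    return re.sub(r"(password(?: exec| enable)?) \S+$", r"\1 ****", cmd, flags=re.I)

def audit(capture):
    """Return findings; an empty list means G.1-G.5 were typed and saved."""
    cmds, findings = typed_commands(capture), []
    for label, pattern in REQUIRED.items():
        hits = [h for h in (re.fullmatch(pattern, c, re.I) for c in cmds) if h]
        if not hits:
            findings.append(f"missing: {label}")
        elif label.startswith("G.4") and int(hits[-1].group(1)) <= 1024:
            findings.append(f"G.4 web port {hits[-1].group(1)} is not above 1024")
    last_write = max((i for i, c in enumerate(cmds) if c.lower() == "write"), default=-1)
    lost = [redact(c) for i, c in enumerate(cmds)
            if i > last_write and c.lower().startswith("set ")]
    if lost:
        findings.append("not saved by write: " + "; ".join(lost))
    return findings
```

In the constructed capture, "set web remote" was typed after "write", so audit(SAMPLE_CAPTURE) reports it as unsaved. A real capture holds the router and PPP passwords in clear text (the replies echo them), so delete it once it has been checked.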

Here's where Cisco explains that the Cisco 675 has a security flaw that makes it vulnerable to this type of attack:
http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html

And specifically about the Code Red:
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

 

Acknowledgements

The following websites were invaluable in collecting this set of instructions:

Qwest DSL Customer Support, for providing a copy of the new CBOS image file (Cisco lets only its direct customers download from cisco.com), and also for showing the “Web disable” command.

http://www.help-connect.com/debugflash.htm, for providing directions for rewriting the CBOS image to the router in Hyperterminal.

http://www.8wire.com, for providing the first thorough and accurate news article I've seen about the Code Red Worm.

www.cisco.com, for providing general confirmation of how the Code Red messes with the Routers, and what CBOS is.

Thanks also to:

Bradley J. Rutten, MCSE, CNA, CCA, CSA, of SE Service and Consulting,
for providing the suggestion to "set web port nnnn" .

A couple of nice people in Colorado, who know who they are :)
for providing the suggestion to "set web remote 10.10.10.10" .

"Mike" at Qwest DSL customer support, for going above and beyond the call of duty.

And, finally, thanks to my Recycle Bin, for hanging onto the copy I made of an old hyperterminal session in which I had to reconfigure the NVRAM.

 
