Disclaimer
I am a private user of the Cisco Router and the Qwest DSL & ISP service. I am not affiliated in any way with Qwest or Cisco. I am providing this How-To page as a service to other Cisco 675 owners who are down to their last chance to save their routers.
Don't think this Fix can help you? Don't be so sure! Click here for FAQs!
(Email me with questions at: cisco_fix@herbighouse.com )
Stuff you type is in purple
Stuff the Cisco tells you is in brown
Stuff you do is in green
A.1) Make sure your Cisco Management cable is plugged in.
A.2)Get into Hyperterminal (usually under Start/Programs/Accessories/Communications), and create a new session for your router, with these settings:
Bits per second: 38400
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None
You’re probably on COM1 at this point.
B.1) In Hyperterminal, <press enter>.
It will then ask you:
Password:
B.2) If you don’t have an executive password, just <press enter>. Otherwise, enter your executive password.
B.3) At the “cbos>” prompt, type
enable <press enter>
B.4) At “Password:”, if you don't have an enable password, just <press enter>. Otherwise, enter your enable password.
B.5) At “cbos#”, type
set nvram erase <press enter>
It replies:
Erasing Running Configuration.
You must use "write" for changes to be permanent.
B.6) At cbos#, type
write <press enter>
(reply is) NVRAM written.
B.7) At cbos#, type
reboot <press enter>
Hello!
Expanding CBOS image...
(CBOS version info, etc etc)
After the “Hello!” message, etc.,
C.1) <Press enter>
The router will ask you:
User Access Verification
Password:
C.2) You don’t have an executive password anymore (you just erased it), so just <press enter>.
C.3) At the “cbos>” prompt, type
enable <press enter>
C.4) At “Password:” press enter.
C.5) At cbos#, type
set ppp wan0-0 ipcp 0.0.0.0 <press enter>
(reply is) PPP wan0-0 IPCP Address set to 0.0.0.0
C.6) At cbos#, type
set ppp wan0-0 dns 0.0.0.0 <press enter>
(reply is) PPP wan0-0 DNS Server Addresses set to 0.0.0.0
C.7) At cbos#, type
set ppp wan0-0 login yourusername <press enter>
This username MUST be the one on record with your ISP.
(reply is) User name for wan0-0 has been set to yourusername.
C.8) At cbos#, type
set ppp wan0-0 password yourpassword <press enter>
This password MUST be the one on record with your ISP.
(reply is) Password for wan0-0 has been set to yourpassword.
C.9) At cbos#, type
set ppp restart enable <press enter>
(reply is) CPE Remote Restart is now enabled...
C.10) At cbos#, type
set nat enable <press enter>
(reply is) NAT is now enabled
You must use "write" then reboot for changes to take effect.
C.11) At cbos#, type
set dhcp server enable <press enter>
(reply is) DHCP Server enabled
D.1) At cbos#, type
set password exec yourexecpassword <press enter>
(This executive password can be anything you want, or you can skip the password.)
(reply is) Exec Password Change Successful!
D.2) At cbos#, type
set password enable yourenablepassword <press enter>
(This enable password can be anything you want, or you can skip the password.)
(reply is) Enable Password Change Successful!
(The next two steps will help keep your router protected from remote access, so the worm won't get you again.)
D.3) At cbos#, type
set web disable <press enter>
(reply is) WEB is disabled
D.4) At cbos#, type
set web port 8080 <press enter>
(...or some other port of your choosing, not equal to 80. If you don't know what you're doing here, use 8080.)
(reply is) You must use "write" then reboot for changes to take effect.
D.5) At cbos#, type
set web remote 10.10.10.10 <press enter>
(reply is) Web restricted to 10.10.10.10
NOTE: Changing your "web remote" setting to 10.10.10.10 will disable your NAT (Network Address Translation) access to your router, meaning you won't be able to Telnet onto it anymore. You could use 10.0.0.1, but that means only the router itself can telnet onto itself. You can also use 10.0.0.2, 10.0.0.3, etc. Check Cisco's page for a full explanation of what this command does. For my needs, 10.10.10.10 does the trick, and it appears that without some "set web remote (something)" setting, you'll get reinfected. So you can either wait for a final recommendation from Cisco or Qwest, or just put one of these settings in and go. If you always use Hyperterminal when changing settings on your router, 10.10.10.10 will be fine.
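Before you commit with "write", it is worth confirming that every hardening line from D.1 through D.5 actually went in, since a missed "set web remote" is what leaves the router open to reinfection. The script below is an added example, not part of this how-to and not Cisco software: it reads the "set" lines from a saved Hyperterminal session (the two sample sessions inside it are constructed) and reports which of the web-access settings are still weak or missing. The only assumption beyond the page is that a router where "set web port" was never typed is still on port 80; that is marked in a comment.

```python
"""Audit a saved CBOS session for the web-access hardening in steps D.1-D.5.

Added example (hypothetical helper): not part of the how-to and not Cisco
software. It reads the bare `set ...` lines you typed (or pasted from a
Hyperterminal log) and reports which recommended settings are missing or weak.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a session that restored PPP/NAT but skipped steps D.1-D.5.
WEAK_SESSION = """\
cbos# set ppp wan0-0 ipcp 0.0.0.0
cbos# set ppp wan0-0 dns 0.0.0.0
cbos# set nat enable
cbos# set dhcp server enable
cbos# set web enable
cbos# set web port 80
cbos# write
"""

# Constructed sample: the same session with steps D.1-D.5 applied.
HARDENED_SESSION = """\
cbos# set ppp wan0-0 ipcp 0.0.0.0
cbos# set nat enable
cbos# set dhcp server enable
cbos# set password exec yourexecpassword
cbos# set password enable yourenablepassword
cbos# set web disable
cbos# set web port 8080
cbos# set web remote 10.10.10.10
cbos# write
"""

# Optional "cbos>" / "cbos#" prompt, then: set <group> <sub> [value ...]
SET_LINE = re.compile(r"^\s*(?:cbos[>#]\s*)?set\s+(\S+)\s+(\S+)(?:\s+(.*))?$", re.IGNORECASE)


def parse_session(text: str) -> Dict[str, str]:
    """Reduce a session to a {setting: value} map; later lines win, as on the router."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if not m:
            continue  # write, reboot, replies and prompts are not settings
        group, sub = m.group(1).lower(), m.group(2).lower()
        value = (m.group(3) or "").strip()
        if group == "web" and sub in ("enable", "disable"):
            settings["web"] = sub               # "set web enable|disable"
        else:
            settings[f"{group} {sub}"] = value  # e.g. "web port" -> "8080"
    return settings


Finding = Tuple[str, str]  # (severity, message)


def check_web_hardening(settings: Dict[str, str]) -> List[Finding]:
    """Compare parsed settings against steps D.1-D.5; an empty list means hardened."""
    findings: List[Finding] = []
    if settings.get("web") != "disable":
        findings.append(("HIGH", "web server not disabled (D.3: set web disable)"))
    # Assumption: if "set web port" was never typed, the router is still on port 80.
    if settings.get("web port", "80") == "80":
        findings.append(("MEDIUM", "web port is 80 (D.4: set web port 8080)"))
    if not settings.get("web remote"):
        findings.append(("HIGH", "no 'set web remote' restriction (D.5)"))
    for kind in ("exec", "enable"):
        if not settings.get(f"password {kind}"):
            findings.append(("LOW", f"{kind} password not set (D.1/D.2; optional in the how-to)"))
    return findings


def is_hardened(session_text: str) -> bool:
    """True when no HIGH or MEDIUM finding remains (passwords are optional per the how-to)."""
    return not [f for f in check_web_hardening(parse_session(session_text)) if f[0] != "LOW"]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        print(f"{name}: {'OK' if is_hardened(text) else 'NEEDS WORK'}")
        for severity, message in check_web_hardening(parse_session(text)):
            print(f"  [{severity}] {message}")
```

Run it against the text you copied out of Hyperterminal before typing "write"; anything reported as HIGH means one of the remote-access protections in D.3 or D.5 is not in place yet.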
If you have a Cisco 675, or a Cisco 678 on CAP lines, skip these lines and continue with step D.6.
If you've got a Cisco 678 running on DMT lines, you'll also need to add, at cbos#:
set interface wan0-0 disable
set interface wan0-0 vpi 0
set interface wan0-0 vci 32
set interface wan0-0 enable
End of CISCO 678 DMT ONLY info.
D.6) At cbos#, type
write <press enter>
(reply is) NVRAM written.
D.7) At cbos#, type
reboot <press enter>
(reply is)
Hello!
Expanding CBOS image...
(CBOS version info, etc etc)
Now you're done! You can exit Hyperterminal. You might have to reboot the whole PC to get Windows to see that you have the network back.
Here's where Cisco explains that the Cisco 675 has a security flaw that makes it vulnerable to this type of attack:
http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html
And specifically about the Code Red worm:
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
The following websites and people were invaluable in collecting this set of instructions:
http://www.8wire.com, for providing the first thorough and accurate news article I've seen about the Code Red Worm.
Bradley J. Rutten, MCSE, CNA, CCA, CSA, of SE Service and Consulting.
A couple of nice people in Colorado, who know who they are :)
And finally, thanks to my Recycle Bin, for hanging onto the copy I made of an old Hyperterminal session in which I had to reconfigure the NVRAM.
Acknowledgements
for providing the suggestion to "set web port nnnn".
for providing the suggestion to "set web remote 10.10.10.10".