Error : uncompressed image checksum is incorrect ??

[intelwizrd]

I recently had a router go down at a remote location. I thought it was a problem with the T1 link between us but it turned out that the line was fine. I drove out to where the router was and connected to it via the console cable and when I connected it was sitting at the "rommon 1 >" prompt. I told it to boot and got the following message:

program load complete, entry point: 0x80008000, size: 0x4c195c

Self decompressing the image : #################################################
################################################################################
################################################################################
################################################################################
################################################################################
####################################
[OK]

Error : uncompressed image checksum is incorrect 0x50314F59
Expected a checksum of 0xD47423CC

*** System received a Software forced crash ***
signal= 0x17, code= 0x9, context= 0x0
PC = 0x800080d4, Cause = 0x20, Status Reg = 0x3041f003

rommon 2 >

anyone have any idea why the router would be fine for the past 2 weeks and then all of the sudden reboot or glitch out in a way that it would reboot itself?

I am fairly certain that the passwords have not been comprimized but am going to change them just incase.

 

[pmesjar]

Only thing I can think of is maybe the flash memory got corrupted or somebody downloaded corrupted IOS to your router.

Just a thought - with the passwords, how do you store them? Are you using MD5 or Cisco encryption to encrypt your enable secret password? You can tell by looking for number in output of "sh run" on the line saying "enable secret". If it says 7, you are using weak Cisco encryption, if it says 5 you are using MD5.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.

 

[intelwizrd]

The enable secret is an md5 hash. I don't use the cisco encryption because it can be reversed.

The strange part about this is that it will run fine for weeks or months at a time and then just die, usualy at 2am or something. As soon as the power is cycled, it will come back up on its own. I am tempted to reload the IOS but I dont know if the image i have is corrupted as well. Does anyone know of someone writing a "virus" for a cisco IOS?

and on another point, is there a way to use the hash to gain access to the router? In other words, say someone connects to it, reboots it and bypasses the config, then copies the startup to their computer, can they use that info to get into the router later? My instinct says no, but I would rather be safe than sorry.

Thanks for your help.

 

[pmesjar]

So far I do not know of any "Cisco virus" and MD5 hashes cannot be reversed. Also in order to reload the router and bypass password, you need to get physical access to device (perform password recovery procedure) or be in enable privileged mode (to be able to issue reload command).

I would still suggest you get newer version of IOS, that may have this bug patched (if it is a bug).

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.