Bugtraq mailing list archives

Re: strange behavior on Cisco 2801
From: Neil Anderson <cleidh_mor () btopenworld com>
Date: Thu, 1 Feb 2007 22:44:01 +0000

Hi Marcin,

I would put an access-class on your vty lines to allow ssh only from trusted 
hosts.  Either that or put an access-list on your outside interface.

Oh, and look up the abuse contact for that domain and report them.  It's 
probably someone trying a brute force on your ssh server.

HTH

Cheers,
Neil

On Thursday 01 February 2007 19:46, Marcin wrote:
Hi!

I'm running Cisco IOS software on a 2801 router (C2801-ADVIPSERVICESK9-M),
Version 12.4(3e), RELEASE SOFTWARE (fc2). I have a few problems and I have
seen strange behavior: after a few hours there was no response from the router,
no NAT etc. After a restart everything was OK for 10-12 hours.

I have ONLY one user name permitted to log on to the router via SSH: marcin,
with a non-dictionary password (14 characters).

I logged on 2 hours ago and used the command "who". I was very surprised,
because within 1 minute I saw 2 different usernames and NO USERNAME on vty
194.

It looks like this:

router#who
    Line       User       Host(s)              Idle       Location
  vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl

  Interface    User               Mode         Idle     Peer Address

router#who
    Line       User       Host(s)              Idle       Location
  vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl

  Interface    User               Mode         Idle     Peer Address

router#who
    Line       User       Host(s)              Idle       Location
  vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl

  Interface    User               Mode         Idle     Peer Address

router#who
    Line       User       Host(s)              Idle       Location
  vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl

router#who
    Line       User       Host(s)              Idle       Location
  vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl


router#sh users
    Line       User       Host(s)              Idle       Location
  vty 194      akrizan    idle                 00:00:40 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl

What is going on? Have you heard about a similar incident?

Best regards

Marcin
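Neil's recommendation above, written out as an added IOS configuration example (not part of either message in the thread). The VTY-MGMT ACL name, the 203.0.113.0/24 management network and the "line vty 0 4" range are assumed placeholders; Marcin's "who" output shows sessions on vty 194 and 195, so the access-class has to be applied to every vty range that actually exists on the router.

```cisco
! Weak: vty lines reachable from any source address. This is the state
! Marcin's "who" output implies: any host on the Internet gets a login
! prompt and can try passwords against the single local account.
line vty 0 4
 login local
 transport input ssh telnet

! Hardened: only the assumed management network 203.0.113.0/24 may reach
! the vty lines. Everything else is dropped before a login prompt is
! ever shown, no matter which interface the connection arrives on.
ip access-list standard VTY-MGMT
 remark assumed trusted management hosts (placeholder range)
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Slow down guessing on the lines that remain reachable: after 3 failed
! attempts within 60 seconds, refuse new logins for 120 seconds, and log
! every failed attempt so the source appears in syslog.
login block-for 120 attempts 3 within 60
login on-failure log
ip ssh authentication-retries 3
```

After applying it, "show users" should list only sessions whose Location falls inside the permitted range; an entry from an unknown host means a vty range was missed.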
