Bugtraq mailing list archives

Re: strange behavior on Cisco 2801

From: Eloy Paris <elparis () cisco com>
Date: Fri, 2 Feb 2007 13:41:00 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Marcin,

Eloy Paris from Cisco's Product Security Incident Response Team (PSIRT)
here. See below (inline) for a couple of comments...

On Thu, Feb 01, 2007 at 08:46:33PM +0100, Marcin wrote:

im running Cisco IOS software on 2801 router (C2801-ADVIPSERVICESK9-M), 
Version 12.4(3e), RELEASE SOFTWARE (fc2). I have few problems and i have
seen strange behavior: after few hours there was no responding from router,
no nat etc. After restart everything was ok for 10-12 hours.
 
I have ONLY one user name to permit logon via ssh to router: marcin and
not dictionary password (14 symbols)
 
I logon 2 hours ago and i use command "who". I was very surprised, because
i saw something in 1 minute 2 different usernames and NO USERNAME on vty
194.
 
i looks like that:
 
router#who                  
    Line       User       Host(s)              Idle       Location
  vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
 
  Interface    User               Mode         Idle     Peer Address
 
router#who
    Line       User       Host(s)              Idle       Location
  vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
* vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
 
  Interface    User               Mode         Idle     Peer Address


[...]

What is going on? have you heard about similar incident?


As Neil Anderson mentioned in his reply to your message earlier,
you are probably seeing a brute force SSH scan from the host
nt.math.nknu.edu.tw, which is probably compromised.

If you have set up your users with strong passwords you should be
fine, although as Neil also mentioned, it would be a good idea to add
an access-class to the VTYs so only connections from authorized IP
addresses and/or networks are accepted.

The behavior you are seeing is normal - during the SSH authentication
phase you will see the user trying to log in in the output from the
"show users" command, or you may only see a machine name with no
username associated with it. This user is not really logged in (it is
just in the authentication phase) and it will go away as soon as the TCP
session is torn down.

Hope this helps.

Cheers,

- -- 

Eloy Paris
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
Ph: +1 919 392-9118
Cell: +1 919 349-2990
Pager: (888) 347-7178

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFw4W8agjTfAtNY9gRAoN9AKCBnHPWyd+REs136L0x1+Y7KJI8IgCfVgsu
x8NoO6QCh5sgofOIl2xkY+s=
=cPnl
-----END PGP SIGNATURE-----

Current thread:

strange behavior on Cisco 2801 Marcin (Feb 01)
- Re: strange behavior on Cisco 2801 Neil Anderson (Feb 01)
  - Sourceforge compromized? Michael Scheidell (Feb 02)
    - Re: Sourceforge compromized? Eliah Kagan (Feb 02)
    - Re: Sourceforge compromized? Serguei A. Mokhov (Feb 02)
    - Re: Sourceforge compromized? Tim (Feb 02)
    - Re: Sourceforge compromized? Karl Schlitt (Feb 02)
- Re: strange behavior on Cisco 2801 Eloy Paris (Feb 02)