nanog mailing list archives

Re: Cisco Routers Vulnerability


From: Doug McIntyre <merlyn () geeks org>
Date: Sun, 19 Apr 2015 21:26:50 -0500

On Mon, Apr 13, 2015 at 05:03:02PM -0600, Keith Medcalf wrote:
It's reported by different customers in different locations so I don't
think it's password compromised

Have you checked?  If the routers had vty access open (ssh or telnet) and
the passwords were easy to guess, then it's more likely that this was a
password compromise.  You can test this out by getting a copy of one of
the configs and decrypting the access password.  Or by asking your customers
whether their passwords were dictionary or simple words.

or if mayhaps the passwords were listed on the list of passwords discussed a few days ago:
...

For some reason this brings up the following memory of long ago.

Had several people notify us in a short period that they all had been
watching hackers try the "default cisco password" on several of our
downstream customers' gear. Piqued my interest when it got to me, umm,
what default cisco password?

Oh, the hackers were so successful getting into tons of places that
the researchers were watching the hackers connect to everywhere in
addition to my downstreams with cisco/cisco that they had assumed it
was the default.

(of course, this was long before Cisco shipped some piece of gear that
actually did have default passwords (don't remember what any longer
first started that)).
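
The check suggested in the quoted text above (take a copy of a router config and see whether the access password was guessable), as an added example that is not part of the original post. The function names, the `WEAK` guess list and the sample config are constructed for illustration; the key is the fixed, publicly documented one behind IOS "type 7" obfuscation.

```python
import re

# Fixed XOR key used by IOS "type 7" password obfuscation (publicly documented).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Constructed guess list; "cisco" is the password mentioned in the post.
WEAK = {"cisco", "password", "admin", "router", "changeme"}
CRED_RE = re.compile(r"(?:\busername\s+(?P<user>\S+)\s+.*?)?"
                     r"\b(?:password|secret)\s+(?:(?P<type>\d+)\s+)?(?P<val>\S+)\s*$")

def decode_type7(blob):
    """Type 7 layout: two decimal digits give the key offset, then hex bytes XORed with the key."""
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(data))

def audit(config):
    """Return (line_number, finding) pairs for weak credential hygiene in an IOS config."""
    findings, in_vty = [], False
    for n, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if not line.startswith(" "):          # a new top-level stanza begins
            in_vty = s.startswith("line vty")
        if in_vty and s.startswith("transport input") and {"telnet", "all"} & set(s.split()[2:]):
            findings.append((n, "vty accepts telnet"))
        m = CRED_RE.search(s)
        if not m or s.startswith("!"):
            continue
        ptype = m["type"] or "0"
        if ptype == "0":
            clear = m["val"]
            findings.append((n, "password stored in cleartext"))
        elif ptype == "7":
            try:
                clear = decode_type7(m["val"])
            except ValueError:
                continue                      # malformed blob, nothing to compare
            findings.append((n, "type 7 is reversible obfuscation, not a hash"))
        else:
            continue                          # hashed types: check against policy out of band
        if clear.lower() in WEAK or clear == m["user"]:
            findings.append((n, "guessable password"))
    return findings

# Constructed sample config, not taken from any real device.
SAMPLE = """\
service password-encryption
enable secret 5 $1$CONSTRUCTED$0000000000000000000000
username cisco privilege 15 password 7 02050D480809
username noc password 0 Tr1cky-but-cleartext
line vty 0 4
 password 7 02050D480809
 transport input telnet ssh
"""
```
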

