Re: strange behavior on Cisco 2801
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Marcin,
Eloy Paris from Cisco's Product Security Incident Response Team (PSIRT)
here. See below (inline) for a couple of comments...
On Thu, Feb 01, 2007 at 08:46:33PM +0100, Marcin wrote:
> im running Cisco IOS software on 2801 router (C2801-ADVIPSERVICESK9-M),
> Version 12.4(3e), RELEASE SOFTWARE (fc2). I have few problems and i have
> seen strange behavior: after few hours there was no responding from router,
> no nat etc. After restart everything was ok for 10-12 hours.
>
> I have ONLY one user name to permit logon via ssh to router: marcin and
> not dictionary password (14 symbols)
>
> I logon 2 hours ago and i use command "who". I was very surprised, because
> i saw something in 1 minute 2 different usernames and NO USERNAME on vty
> 194.
>
> i looks like that:
>
> router#who
> Line User Host(s) Idle Location
> vty 194 idle 00:00:01 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
>
> Interface User Mode Idle Peer Address
>
> router#who
> Line User Host(s) Idle Location
> vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
>
> Interface User Mode Idle Peer Address
[...]
> What is going on? have you heard about similar incident?
As Neil Anderson mentioned in his reply to your message earlier,
you are probably seeing a brute force SSH scan from the host
nt.math.nknu.edu.tw, which is probably compromised.
If you have set up your users with strong passwords you should be
fine, although as Neil also mentioned, it would be a good idea to add
an access-class to the VTYs so only connections from authorized IP
addresses and/or networks are accepted.
The behavior you are seeing is normal - during the SSH authentication
phase you will see the user trying to log in in the output from the
"show users" command, or you may only see a machine name with no
username associated with it. This user is not really logged in (it is
just in the authentication phase) and it will go away as soon as the TCP
session is torn down.
Hope this helps.
Cheers,
- --
Eloy Paris
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
Ph: +1 919 392-9118
Cell: +1 919 349-2990
Pager: (888) 347-7178
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFw4W8agjTfAtNY9gRAoN9AKCBnHPWyd+REs136L0x1+Y7KJI8IgCfVgsu
x8NoO6QCh5sgofOIl2xkY+s=
=cPnl
-----END PGP SIGNATURE-----