lists.openwall.net - Open Source and information security mailing list archives
Date: Thu, 1 Feb 2007 22:44:01 +0000
From: Neil Anderson <cleidh_mor@...penworld.com>
To: bugtraq@...urityfocus.com
Subject: Re: strange behavior on Cisco 2801

Hi Marcin,

I would put an access-class on your vty lines to allow ssh only from trusted 
hosts.  Either that or put an access-list on your outside interface.

Oh, and look up the abuse contact for that domain and report them.  It's 
probably someone trying a brute force on your ssh server.

HTH

Cheers,
Neil

On Thursday 01 February 2007 19:46, Marcin wrote:
> Hi!
>
> I'm running Cisco IOS software on a 2801 router (C2801-ADVIPSERVICESK9-M),
> Version 12.4(3e), RELEASE SOFTWARE (fc2). I have a few problems and I have
> seen strange behavior: after a few hours there was no response from the
> router, no NAT, etc. After a restart everything was OK for 10-12 hours.
>
> I have ONLY one user name permitted to log on via SSH to the router: marcin,
> and a non-dictionary password (14 symbols).
>
> I logged on 2 hours ago and used the command "who". I was very surprised,
> because within 1 minute I saw 2 different usernames and NO USERNAME on vty
> 194.
>
> It looks like this:
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>
>   Interface    User               Mode         Idle     Peer Address
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>
>   Interface    User               Mode         Idle     Peer Address
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>
>   Interface    User               Mode         Idle     Peer Address
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>
>
> router#sh users
>     Line       User       Host(s)              Idle       Location
>   vty 194      akrizan    idle                 00:00:40 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>
> What is going on? Have you heard about a similar incident?
>
> Best regards
>
> Marcin

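The two controls Neil suggests, written out as an added IOS configuration example (this is not configuration from Neil, Marcin, or the thread). The management addresses are constructed from the RFC 5737 documentation ranges, the outside interface name and the second vty range are assumptions, and the login-enhancement commands in the last part should be confirmed on the specific image with "login ?" before relying on them. One detail worth noting from the "who" output above: the foreign session sits on vty 194, so an access-class applied only to "line vty 0 4" would not have covered it; every vty range that "show line" reports needs the same treatment.

```cisco
! Added example, not from the original thread. Addresses are constructed
! (RFC 5737 documentation ranges); interface name and vty ranges are assumed.
!
! 1. Allow-list of hosts that may manage the router.
ip access-list standard MGMT-HOSTS
 remark trusted admin workstations / jump hosts (constructed addresses)
 permit 192.0.2.10
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! 2. First option: restrict the vty lines themselves. Apply to every vty
!    range the box actually has ("show line"), not only vty 0 4; the thread's
!    "who" output shows a foreign session on vty 194.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! 3. Second option: filter on the outside interface instead (or as well).
!    Inbound ACLs are evaluated before NAT, so this also covers connections
!    aimed at the router's own outside address. The closing "permit ip any any"
!    only keeps this fragment from breaking existing traffic; a production
!    outside ACL should be far tighter.
ip access-list extended OUTSIDE-IN
 remark SSH to the router or to anything behind it: trusted sources only
 permit tcp host 192.0.2.10 any eq 22
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 deny   tcp any any eq 22 log
 permit ip any any
!
interface FastEthernet0/0
 description outside (assumed interface name)
 ip access-group OUTSIDE-IN in
!
! 4. Slow down and log password guessing (IOS login enhancements; verify
!    availability on your image with "login ?").
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
```

Apply the vty access-class from a host that the ACL permits, or from the console, and consider "reload in 10" as a safety net before committing it so a typo does not lock you out. Afterwards, "show access-lists MGMT-HOSTS" shows hit counters on the deny entry and "show logging" carries the logged denies, which gives a source address to put in the abuse report.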