[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 1 Feb 2007 22:44:01 +0000
From: Neil Anderson <cleidh_mor@...penworld.com>
To: bugtraq@...urityfocus.com
Subject: Re: strange behavior on Cisco 2801
Hi Marcin,
I would put an access-class on your vty lines to allow ssh only from trusted
hosts. Either that or put an access-list on your outside interface.
Oh, and look up the abuse contact for that domain and report them. It's
probably someone trying a brute force on your ssh server.
HTH
Cheers,
Neil
On Thursday 01 February 2007 19:46, Marcin wrote:
> Hi!
>
> im running Cisco IOS software on 2801 router (C2801-ADVIPSERVICESK9-M),
> Version 12.4(3e), RELEASE SOFTWARE (fc2). I have few problems and i have
> seen strange behavior: after few hours there was no responding from router,
> no nat etc. After restart everything was ok for 10-12 hours.
>
> I have ONLY one user name to permit logon via ssh to router: marcin and
> not dictionary password (14 symbols)
>
> I logon 2 hours ago and i use command "who". I was very surprised, because
> i saw something in 1 minute 2 different usernames and NO USERNAME on vty
> 194.
>
> i looks like that:
>
> router#who
> Line User Host(s) Idle Location
> vty 194 idle 00:00:01 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00
> 210-az4-2.acn.waw.pl
>
> Interface User Mode Idle Peer Address
>
> router#who
> Line User Host(s) Idle Location
> vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00
> 210-az4-2.acn.waw.pl
>
> Interface User Mode Idle Peer Address
>
> router#who
> Line User Host(s) Idle Location
> vty 194 idle 00:00:01 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00
> 210-az4-2.acn.waw.pl
>
> Interface User Mode Idle Peer Address
>
> router#who
> Line User Host(s) Idle Location
> vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00
> 210-az4-2.acn.waw.pl
>
> router#who
> Line User Host(s) Idle Location
> vty 194 idle 00:00:01
> nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00
> 210-az4-2.acn.waw.pl
>
>
> router#sh users
> Line User Host(s) Idle Location
> vty 194 akrizan idle 00:00:40 nt.math.nknu.edu.tw
> * vty 195 marcin idle 00:00:00
> 210-az4-2.acn.waw.pl
>
> What is going on? have you heard about similar incident?
>
> Best regards
>
> Marcin
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists