lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 2 Feb 2007 13:41:00 -0500
From: Eloy Paris <elparis@...co.com>
To: Marcin <sec@...lag.pl>
Cc: bugtraq@...urityfocus.com, psirt@...co.com
Subject: Re: strange behavior on Cisco 2801

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Marcin,

Eloy Paris from Cisco's Product Security Incident Response Team (PSIRT)
here. See below (inline) for a couple of comments...

On Thu, Feb 01, 2007 at 08:46:33PM +0100, Marcin wrote:

> im running Cisco IOS software on 2801 router (C2801-ADVIPSERVICESK9-M), 
> Version 12.4(3e), RELEASE SOFTWARE (fc2). I have few problems and i have
> seen strange behavior: after few hours there was no responding from router,
> no nat etc. After restart everything was ok for 10-12 hours.
>  
> I have ONLY one user name to permit logon via ssh to router: marcin and
> not dictionary password (14 symbols)
>  
> I logon 2 hours ago and i use command "who". I was very surprised, because
> i saw something in 1 minute 2 different usernames and NO USERNAME on vty
> 194.
>  
> i looks like that:
>  
> router#who                  
>     Line       User       Host(s)              Idle       Location
>   vty 194                 idle                 00:00:01 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>  
>   Interface    User               Mode         Idle     Peer Address
>  
> router#who
>     Line       User       Host(s)              Idle       Location
>   vty 194      aivankovic idle                 00:00:04 nt.math.nknu.edu.tw
> * vty 195      marcin     idle                 00:00:00 210-az4-2.acn.waw.pl
>  
>   Interface    User               Mode         Idle     Peer Address

[...]

> What is going on? have you heard about similar incident? 

As Neil Anderson mentioned in his reply to your message earlier,
you are probably seeing a brute force SSH scan from the host
nt.math.nknu.edu.tw, which is probably compromised.

If you have set up your users with strong passwords you should be
fine, although as Neil also mentioned, it would be a good idea to add
an access-class to the VTYs so only connections from authorized IP
addresses and/or networks are accepted.

The behavior you are seeing is normal - during the SSH authentication
phase you will see the user trying to log in in the output from the
"show users" command, or you may only see a machine name with no
username associated with it. This user is not really logged in (it is
just in the authentication phase) and it will go away as soon as the TCP
session is torn down.

Hope this helps.

Cheers,

- -- 

Eloy Paris
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
Ph: +1 919 392-9118
Cell: +1 919 349-2990
Pager: (888) 347-7178

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFw4W8agjTfAtNY9gRAoN9AKCBnHPWyd+REs136L0x1+Y7KJI8IgCfVgsu
x8NoO6QCh5sgofOIl2xkY+s=
=cPnl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ