Cisco Router hacked?

Hey, I was very shocked when I logged in to my Cisco 3925 router. I was trying to find a solution because my Internet did not work. None of the users had any access to the Internet. Yeah, troubleshoot!

Myrouter001#sh user
Line                User       Host(s)              Idle       Location
*644 vty 0     myuser  idle                 00:00:00 x.x.x.x
646 vty 1       root         idle                 00:00:00 203.195.99.146

Interface    User               Mode         Idle     Peer Address

Look at the online users who logged in to my router. There are two users! “myuser” and “root”. Then I checked again and there is a user <blank>. Before, I saw that he was root! Now the user is <blank> but he is still online.

Myrouter001#sh user
Line             User       Host(s)              Idle       Location
*644 vty 0     myuser    idle                 00:00:00 x.x.x.x
646 vty 2                        idle                 00:00:00 203.195.99.146

Who are you, man? Please don’t make any trouble on my router.

I tried to find out who the user was and where he came from, by asking Google and APNIC. I found that this IP belongs to Thailand.

% [whois.apnic.net node-3]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        203.195.96.0 - 203.195.111.255
netname:        COMNET-TH
descr:          KSC Commercial Internet Co. Ltd.
descr:          2/4 Samaggi Insurance Tower 10th Fl.,
descr:          Viphavadee-Rangsit RD
descr:          Thungsonghong, Laksi
descr:          Bangkok 10210
country:        TH
admin-c:        TOC1-AP
tech-c:         TOC1-AP
remarks:        --------------------------------------------------------
remarks:        This object can only be modified by APNIC hostmaster
remarks:        If you wish to modify this object details please
remarks:        send email to hostmaster@apnic.net with your organisation
remarks:        account name in the subject line.
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      KSC-ADMIN
mnt-routes:     KSC-ADMIN
mnt-irt:        IRT-KSC-TH
status:         ALLOCATED PORTABLE
changed:        hm-changed@apnic.net 20030924
changed:        hm-changed@apnic.net 20101202
source:         APNIC

person:         Technical Operation Center
address:        KSC Commercial Internet Co.,Ltd.
address:        Operation Department
address:        2/4 Samaggi Insurance Tower 10th Fl., Viphavadee-Rangsit Rd.,
address:        Thungsonghong, Laksi
address:        Bangkok 10210
country:        TH
phone:          +66-2-9797777 ext. 8428
e-mail:         netadmin@ns.ksc.co.th
nic-hdl:        TOC1-AP
mnt-by:         KSC-ADMIN
changed:        admin@ns.ksc.co.th 20011012
changed:        hm-changed@apnic.net 20030718
source:         APNIC

Does Cisco know about this issue? How come user “root” can access my router even though there is no “root” user in the local router database, or even in TACACS+? I cannot explain it in a way that makes sense. Or maybe my experience and knowledge are still weak. Can anybody explain what happened?

After that I did “show user” again. Now he was gone!

Myrouter001#sh user
Line             User       Host(s)              Idle       Location
*644 vty 0     myuser    idle                 00:00:00 x.x.x.x

Unfortunately, maybe he logged out when I saw him, and he had logged in before I did clear line vty 646.

Then I applied an ACL to protect my router, and all passwords have been encrypted with the standard encryption from Cisco. You know well that Cisco passwords use MD5 encryption and it is easy to decode. But we don’t have any choice. What I did was make a strong password. Also, an enable secret 5 password has been applied.
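One check a defender could script after an incident like this (an added example, not code from the post): parse the output of “show users”, flag every session whose username is not in the expected set or whose source address lies outside the management networks, and treat a blank username as a session that has not finished authenticating. The sample output, the user allowlist and the 10.0.0.0/8 management range are constructed assumptions; the admin’s masked x.x.x.x is replaced with a private address so it can be parsed.

```python
import ipaddress
import re

# Constructed sample in the shape of the "show users" output quoted in the post
# (the masked x.x.x.x of the admin's own session replaced by a private address).
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*644 vty 0     myuser     idle                 00:00:00   10.0.0.5
 646 vty 1     root       idle                 00:00:00   203.195.99.146
 647 vty 2                idle                 00:00:00   203.195.99.146

  Interface    User               Mode         Idle     Peer Address
"""

# One session row: optional '*' (current session), absolute line number, line
# name, optional user (blank while the session has not authenticated), host(s),
# idle time, optional location.
ROW_RE = re.compile(
    r"^(?P<cur>\*?)\s*(?P<num>\d+)\s+(?P<line>(?:vty|con|aux|tty)\s*\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?(?P<hosts>\S+)\s+(?P<idle>\d{1,2}:\d{2}:\d{2})"
    r"\s*(?P<loc>\S+)?\s*$"
)


def parse_show_users(output):
    rows = [ROW_RE.match(t) for t in output.splitlines()]
    return [{"line": m["line"], "user": m["user"] or "", "location": m["loc"] or ""}
            for m in rows if m]


def audit_sessions(output, allowed_users, mgmt_nets):
    """Return (line, reasons) for each session an operator should look at."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for s in parse_show_users(output):
        reasons = []
        if not s["user"]:
            reasons.append("no username shown (session not authenticated yet)")
        elif s["user"] not in allowed_users:
            reasons.append(f"unknown user {s['user']!r}")
        try:
            addr = ipaddress.ip_address(s["location"])
        except ValueError:
            addr = None  # masked or non-IP location: treat as unknown
        if addr is None or not any(addr in n for n in nets):
            reasons.append(f"source {s['location']!r} outside management networks")
        if reasons:
            findings.append((s["line"], reasons))
    return findings
```

Run it against the real output of “show users” collected over SSH, with the vty access-class subnet as the management range, and every returned line is a session to clear and investigate.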
