Possible security vulnerability with buying used gear from eBay

RockstarWiFi
Level 1

It's no secret that there are literally thousands of machines running "new IP" scripts and sweep scripts just looking for new devices to attack on the web. Once a new device (new IP) comes online, these scripts typically run several sweeps/tests, like port scans, to identify what the device is and whether it has known vulnerabilities or not. After that you will typically see a flurry of authentication requests or dictionary attacks to test shun capabilities, beginning many times with the most basic of PW's, but the logging has always clearly shown they "failed". All this taught me long ago that if you need remote access to an edge device, always use long/complex usernames and passwords, minimize the number of accounts on the device if possible, ensure logging is on, and have rules to shun in place at a minimum. I recently helped a friend build some lab racks; he had purchased 3 Cisco ISRs from eBay. One was set up as the edge router using the code below. This was a 2801 with 12.X code; I had set up and tested SSH and all seemed normal.

! After 2 failed logins within 100 seconds, enter quiet mode for 100 seconds
login block-for 100 attempts 2 within 100
! Wait 10 seconds between successive login attempts
login delay 10
! During quiet mode, only hosts permitted by this ACL may attempt to log in
login quiet-mode access-class BANNEDSSH
! Generate a syslog message for every failed and every successful login
login on-failure log
login on-success log

! Quiet-mode ACL: blocks telnet, HTTP and SSH from everyone, permits all other IP traffic
ip access-list extended BANNEDSSH
 deny   tcp any any eq telnet
 deny   tcp any any eq www
 deny   tcp any any eq 22
 permit ip any any

Within 20 min of going online with one of his IP addresses, which hadn't been in use for some time, the flurry of attacks started; however, this time it's showing SUCCESSFUL as per the logs, with usernames which are nowhere close to the 1 username that exists in this device.

Again, this was not a super secure enterprise to begin with, nor was it being installed to really protect anything, or we wouldn't be allowing SSH directly from the internet :)

This does raise the question of how prevalent malicious code is, whether this could be a sign of shell code (I always heard it was undetectable from the CLI), and whether companies are possibly buying and reselling used Cisco gear to install malicious code in hopes it lands somewhere useful for the attackers. Even if it's not shell code, it would be nice to know why these authentications are successful.

Has anyone else seen this with their devices?
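A defender-side check that goes with the config above, added here as an example and not part of the original post: it parses the %SEC_LOGIN messages that "login on-success log" / "login on-failure log" produce, flags any LOGIN_SUCCESS whose username is not in the router's configured account list, and separately flags any source that crossed the "attempts 2 within 100" threshold (which should have triggered quiet mode). The message layout in the regex is assumed from typical IOS output and may differ between releases; the log lines, the source addresses and the account name "labadmin" are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed IOS login-audit message layout (check against your own release's output).
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\].* at (?P<ts>\d\d:\d\d:\d\d UTC .+)$"
)
TS_FMT = "%H:%M:%S UTC %a %b %d %Y"

# Constructed sample log: two quick failures from one host, then a "success" with a
# username that does not exist on the box, then a legitimate login, then a lone failure.
SAMPLE_LOG = [
    "*Jan  2 00:10:00.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] "
    "[Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] "
    "at 00:10:00 UTC Tue Jan 02 2024",
    "*Jan  2 00:10:30.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] "
    "at 00:10:30 UTC Tue Jan 02 2024",
    "*Jan  2 00:11:00.010: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: guest] "
    "[Source: 198.51.100.7] [localport: 22] at 00:11:00 UTC Tue Jan 02 2024",
    "*Jan  2 00:15:00.200: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: labadmin] "
    "[Source: 192.0.2.10] [localport: 22] at 00:15:00 UTC Tue Jan 02 2024",
    "*Jan  2 00:20:00.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] "
    "at 00:20:00 UTC Tue Jan 02 2024",
    "*Jan  2 00:21:00.000: %SYS-5-CONFIG_I: Configured from console by labadmin on vty0",
]

# The only account actually configured on the router (constructed for the example).
KNOWN_USERS = {"labadmin"}


def parse_line(line):
    """Return a dict for a login-audit message, or None for any other syslog line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return {
        "event": m.group("event"),
        "user": m.group("user"),
        "src": m.group("src"),
        "port": int(m.group("port")),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
    }


def audit(lines, known_users, attempts=2, window_s=100):
    """Mirror the 'login block-for <t> attempts <n> within <w>' policy over a log.

    Returns successes for usernames that do not exist on the device and the sources
    whose failure rate crossed the configured threshold.
    """
    unknown_success = []          # (user, source) pairs for suspicious successes
    flagged = []                  # sources that hit 'attempts' failures within 'window_s'
    failures = defaultdict(list)  # source -> timestamps of recent failures
    window = timedelta(seconds=window_s)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "LOGIN_SUCCESS":
            if ev["user"] not in known_users:
                unknown_success.append((ev["user"], ev["src"]))
            continue
        # LOGIN_FAILED: keep only failures still inside the sliding window
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        failures[ev["src"]] = recent
        if len(recent) >= attempts and ev["src"] not in flagged:
            flagged.append(ev["src"])

    return {"unknown_user_success": unknown_success, "sources_over_threshold": flagged}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, KNOWN_USERS).items():
        print(f"{key}: {value}")
```

Run it against an exported syslog file by replacing SAMPLE_LOG with the file's lines and KNOWN_USERS with the output of "show running-config | include ^username". A success for a username that is not in that list is the condition worth explaining before anything else: either the device's authentication path is not what the config suggests, or the log line is not reporting what it appears to.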

2 Replies

Philip D'Ath
VIP Alumni

Marvin Rhoads
Hall of Fame

I'd suspect an error in setting up the device securely rather than some nefarious use of an advanced attack vector. To paraphrase an adage: "Never suspect a conspiracy when simple human error is an adequate explanation."

If an organized hostile group wants to target networks, they will use supply chain insertion and/or exploits against well known but often-not-patched vulnerabilities rather than seeding random eBay devices with hidden code. High value targets don't typically outfit their enterprises with used eBay gear.