09-04-2024 04:49 AM - edited 09-04-2024 04:51 AM
Hi,
today I found a very strange behaviour in my log files on my Cisco Router ISR 1111-8P.
I executed the command "sh history all" and the output was surprising!
CMD: 'show platform' 15:42:00 CEST Tue Sep 3 2024
CMD: 'show version' 15:42:00 CEST Tue Sep 3 2024
CMD: 'show inventory oid' 15:42:01 CEST Tue Sep 3 2024
CMD: 'show diag all eeprom detail' 15:42:02 CEST Tue Sep 3 2024
CMD: 'show interfaces' 15:42:02 CEST Tue Sep 3 2024
CMD: 'show file systems' 15:42:03 CEST Tue Sep 3 2024
CMD: 'show bootflash: all' 15:42:04 CEST Tue Sep 3 2024
CMD: 'show platform software filesystem bootflash: all' 15:42:04 CEST Tue Sep 3 2024
CMD: 'show data-corruption' 15:42:05 CEST Tue Sep 3 2024
CMD: 'show memory statistics' 15:42:05 CEST Tue Sep 3 2024
CMD: 'show process memory' 15:42:06 CEST Tue Sep 3 2024
CMD: 'show process cpu' 15:42:07 CEST Tue Sep 3 2024
CMD: 'show process cpu history' 15:42:07 CEST Tue Sep 3 2024
CMD: 'show license udi' 15:42:08 CEST Tue Sep 3 2024
CMD: 'show license detail' 15:42:09 CEST Tue Sep 3 2024
CMD: 'show buffers' 15:42:09 CEST Tue Sep 3 2024
Sep 3 13:49:54.299: %SMART_LIC-4-RESERVE_IN_PROGRESS: None License Reservation process must be completed with the 'license smart reservation install' command. Reservation started on Jul 20 09:53:43 2021 CEST
CMD: 'show platform' 15:57:00 CEST Tue Sep 3 2024
CMD: 'show version' 15:57:00 CEST Tue Sep 3 2024
CMD: 'show running-config all' 15:57:01 CEST Tue Sep 3 2024
CMD: 'show startup-config' 15:57:06 CEST Tue Sep 3 2024
CMD: 'show inventory' 15:57:06 CEST Tue Sep 3 2024
In syslog (I am logging to a different server) there is no login via SSH or Webserver mentioned and I have not logged in to the router yesterday.
Is it possible to execute commands on a Cisco router without SSH, Telnet or HTTPS connection?
The SSH port and HTTPS server on non-standard port is available via IPv6 from the internet.
Software running on this device: Cisco IOS XE Software, Version 17.03.05
Configuration (removed all routing stuff):
Current configuration : 14608 bytes
!
! Last configuration change at 12:22:04 CEST Fri Aug 16 2024 by maxxx
! NVRAM config last updated at 07:26:22 CEST Wed Aug 7 2024 by maxxx
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
aaa new-model
!
aaa authorization exec default local if-authenticated
!
aaa session-id common
!
ip nbar http-services
!
login on-success log
!
no device-tracking logging theft
!
diagnostic bootup level minimal
!
username maxxx privilege 15 secret 9 $9$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username moxxx privilege 5 secret 9 $9$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode none
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 10443
ip forward-protocol nd
ip ssh time-out 60
ip ssh authentication-retries 2
ip scp server enable
!
logging trap debugging
logging host ipv6 2001:xx:xx:FFFF::2
ip access-list standard 23
10 permit 192.168.0.0 0.0.255.255
!
snmp-server community public RO 1
snmp-server community JOHNDOE RO 1
snmp-server location Serverraum
!
ipv6 access-list HE_INTERNAL_NETWORK
sequence 10 permit ipv6 2001:XXXX:XXXX::/48 any
!
control-plane
!
privilege exec level 15 reload
privilege exec level 2 show
banner login ^C
******************************************
WARNING!! Unauthorized Access Prohibited!!
******************************************
^C
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport preferred none
transport input ssh
line vty 5 868
access-class 23 in
exec-timeout 60 0
logging synchronous
transport preferred none
transport input ssh
line vty 869 962
access-class 23 in
exec-timeout 60 0
ipv6 access-class HE_INTERNAL_NETWORK in
logging synchronous
transport preferred none
transport input telnet ssh
!
call-home
contact-email-addr ADMIN@googlemail.com
profile "CiscoTAC-1"
active
destination transport-method http
!
end
Any help is appreciated.
09-04-2024 04:59 AM
Hello @MarkusD ,
all your vty have
access-class 23 in
the access-list 23 is to be checked
under a range of vty you have:
ipv6 access-class HE_INTERNAL_NETWORK in
check this also
about the commands listed have you issued a
show tech-support ?
it is actually resolved in an ordered sequence of commands
Hope to help
Giuseppe
09-04-2024 09:38 AM - edited 09-04-2024 09:38 AM
access-list 23 and HE_INTERNAL_NETWORK contain only the internal local IP networks.
09-04-2024 07:07 AM
Seems to me that this device is managed by some tool and this tool is running commands on it. Do you have DNAC or Cisco Prime? or any similar tool? This command could be executed by API on port 830 or even SNMP.
09-04-2024 09:41 AM
No DNAC or Cisco Prime here.
But I have Observum running which accesses the router via SNMP.
I will disable this as a test. And I will remove the default SNMP community "public". I just saw that it is still in the config.
09-04-2024 09:52 AM
Probably this is it. The commands are about something checking the device health, which is meant for management tools. If it was a malicious access we probably would see something else, and if it was truly a hacker, we wouldn't see anything.
09-04-2024 03:10 PM
conf t
NO service call-home
end
wr
09-05-2024 02:31 PM
Hello @Leo Laohoo ,
I had thought of show tech-support, but I think you are right: the call home will send collected info via HTTP transport protocol, but before doing this it has to collect the technical data.
for OP @MarkusD this is probably the right answer and your router has not been hacked !
Hope to help
Giuseppe
09-11-2024 02:02 AM - edited 09-11-2024 02:05 AM
Sorry for the late reply, but I wanted to wait and see if the problem continues to persist after my small configuration changes.
First I removed the SNMP community name “public”, because I found CVE-2017-6742 and thought that could be related to the attack.
no snmp-server community public RO 1
But this did not lead to any improvement:
Then I applied an ACL to the web interface 6 days ago:
ip http access-class ipv4 23
ip http access-class ipv6 DTAG_INTERNAL_NETWORK
Since then there has been silence.
No new command executions.
I really think the web interface allows executing unprivileged commands without login.
By the way, I haven't changed the call-home setting yet.
09-12-2024 04:07 AM
show ip http client <<- use this to check if there is any login via http or not
MHM
09-20-2024 02:11 AM
Just a short update:
The command executions returned after a few days.
So I think it has nothing to do with the web or SNMP server.
I did some further investigation and I think it is the call-home service mentioned by @Leo Laohoo .
When I run the "call-home send alert-group inventory" command, the other commands run immediately afterwards.
CMD: 'call-home send alert-group inventory' 11:01:29 CEST Fri Sep 20 2024
CMD: 'show platform' 11:01:29 CEST Fri Sep 20 2024
CMD: 'show version' 11:01:29 CEST Fri Sep 20 2024
CMD: 'show inventory oid' 11:01:30 CEST Fri Sep 20 2024
CMD: 'show diag all eeprom detail' 11:01:31 CEST Fri Sep 20 2024
CMD: 'show interfaces' 11:01:31 CEST Fri Sep 20 2024
CMD: 'show file systems' 11:01:32 CEST Fri Sep 20 2024
CMD: 'show bootflash: all' 11:01:33 CEST Fri Sep 20 2024
CMD: 'show platform software filesystem bootflash: all' 11:01:33 CEST Fri Sep 20 2024
CMD: 'show data-corruption' 11:01:34 CEST Fri Sep 20 2024
CMD: 'show memory statistics' 11:01:34 CEST Fri Sep 20 2024
CMD: 'show process memory' 11:01:35 CEST Fri Sep 20 2024
CMD: 'show process cpu' 11:01:36 CEST Fri Sep 20 2024
CMD: 'show process cpu history' 11:01:36 CEST Fri Sep 20 2024
CMD: 'show license udi' 11:01:37 CEST Fri Sep 20 2024
CMD: 'show license detail' 11:01:37 CEST Fri Sep 20 2024
CMD: 'show buffers' 11:01:38 CEST Fri Sep 20 2024
CMD: 'sh history all' 11:01:50 CEST Fri Sep 20 2024
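Added example, not from the thread and not Cisco's own tooling: a small Python triage script that parses 'show history all' output, groups commands into bursts by timestamp, and labels a burst as the call-home inventory collection only when every command in it is one of the commands seen in the listing above; any other command is flagged for review against the syslog login records. The sample input is constructed from the posted lines, and the 5-second burst gap is an assumption.

```python
import re
from datetime import datetime

# Command set the thread shows call-home's inventory alert-group running
# (taken from the posted 'show history all' listing).
CALL_HOME_INVENTORY_CMDS = frozenset({
    "show platform", "show version", "show inventory oid",
    "show diag all eeprom detail", "show interfaces", "show file systems",
    "show bootflash: all", "show platform software filesystem bootflash: all",
    "show data-corruption", "show memory statistics", "show process memory",
    "show process cpu", "show process cpu history", "show license udi",
    "show license detail", "show buffers",
})
TRIGGER = "call-home send alert-group inventory"

# CMD: '<command>' HH:MM:SS <tz> <weekday> <month> <day> <year>
LINE_RE = re.compile(
    r"^CMD: '(?P<cmd>[^']*)' (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4})$")

def parse_history(text):
    """Return sorted [(datetime, command)]; non-CMD lines (syslog noise) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
        events.append((ts, " ".join(m["cmd"].split()).lower()))
    return sorted(events)

def group_bursts(events, max_gap=5):
    """Split events into bursts: a new burst starts after a silence of more than max_gap seconds."""
    bursts, current = [], []
    for ts, cmd in events:
        if current and (ts - current[-1][0]).total_seconds() > max_gap:
            bursts.append(current)
            current = []
        current.append((ts, cmd))
    return bursts + [current] if current else bursts

def classify(text, max_gap=5):
    """One verdict per burst: benign only if every command is a known call-home inventory command."""
    report = []
    for burst in group_bursts(parse_history(text), max_gap):
        cmds = [c for _, c in burst]
        unknown = [c for c in cmds if c not in CALL_HOME_INVENTORY_CMDS and c != TRIGGER]
        verdict = "call-home inventory collection" if not unknown else "review: " + ", ".join(unknown)
        report.append({"start": burst[0][0].isoformat(), "count": len(cmds), "verdict": verdict})
    return report

# Constructed sample built from lines in the thread, plus the interleaved syslog line.
SAMPLE = """\
CMD: 'show platform' 15:42:00 CEST Tue Sep 3 2024
CMD: 'show version' 15:42:00 CEST Tue Sep 3 2024
CMD: 'show inventory oid' 15:42:01 CEST Tue Sep 3 2024
CMD: 'show file systems' 15:42:03 CEST Tue Sep 3 2024
Sep 3 13:49:54.299: %SMART_LIC-4-RESERVE_IN_PROGRESS: None License Reservation process must be completed
CMD: 'show platform' 15:57:00 CEST Tue Sep 3 2024
CMD: 'show running-config all' 15:57:01 CEST Tue Sep 3 2024
CMD: 'call-home send alert-group inventory' 11:01:29 CEST Fri Sep 20 2024
CMD: 'show version' 11:01:29 CEST Fri Sep 20 2024
CMD: 'sh history all' 11:01:50 CEST Fri Sep 20 2024
"""

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

The 15:57 burst from the first post (running-config, startup-config, inventory) is deliberately not in the benign set, because the thread only confirms the inventory alert-group sequence; it lands in "review" until you tie it to a call-home or operator action yourself.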
09-20-2024 02:18 AM
Hello @MarkusD ,
thanks for your feedback
it is the call home feature as noted first by @Leo Laohoo and your router is not under attack.
Hope to help
Giuseppe