01-29-2021 04:03 PM
We recently noticed on our ISR router that an access list was added to our VTY terminal connection lines. The IP addresses were 94.102.56.181 and 185.158.249.22. We didn't add them, as far as we can remember. In the config we have two usernames, "cisco" and "C1sc0!". We checked the log files and have seen logins for both usernames, as well as from other IP addresses than the ones I mentioned above. We were wondering if those usernames and addresses are used by the Smartnet upgrade feature that we installed a few months ago. We worked with Cisco Technical Support and they said they didn't see any indication of compromise or changes.
Can you verify if your team or the Smartnet service uses those usernames? Thank you in advance. Jon
01-29-2021 04:26 PM
Look at the first two lines of the "sh run" output; they will tell you the last time the config was changed and by whom.
Cisco backend systems do not use those credentials.
01-29-2021 04:32 PM
94.102.56.181 and 185.158.249.22 - I do not believe either of these IPs is related to Cisco, as far as I know...
I suggest removing that new username and removing those IP addresses from the ACL, and trying to harden the router's security with more ACLs in place so that only LAN IP addresses have access.
Add a new username and remove any username of the "cisco" kind; those usernames are easy to scan for.
02-06-2021 02:50 AM
185.158.249.22 is associated with a variety of malware campaigns and is on the Cisco Umbrella block list for distributing Remote-Access Trojans. Given that information, I would assume you have been breached and should take measures to disable access to the router and investigate whether the router has been used to gain further access to internal devices.
Removing the remote access and users from the configuration should be your first step, but a reimage and a hardened configuration + investigation should definitely be done.
P.S. Cisco offers a reputation lookup service you can utilize to find information on an IP address: https://talosintelligence.com/reputation_center/lookup (it might not include all their IPs, but it is at least a good way to find more information).
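The checks the replies above describe (who changed the config and from where, which sources the VTY access-class actually permits, which logins came from outside the LAN, and which guessable usernames are still configured) can be done mechanically over the logs and the running-config. The script below is an added example written for this thread, not Cisco code and not something the original poster ran. The syslog and config text are constructed to mirror the thread (the two IP addresses and the two usernames are the ones quoted above; the trusted LAN ranges, the "netops" user and the ACL name VTY-IN are assumptions). It parses the real IOS message formats %SEC_LOGIN-5-LOGIN_SUCCESS, %SEC_LOGIN-4-LOGIN_FAILED and %SYS-5-CONFIG_I, resolves the ACL applied inbound on the VTY lines (including IOS wildcard masks), and reports everything that falls outside the trusted management ranges.

```python
"""Triage helper: flag untrusted VTY permits, logins, config changes and weak
usernames in IOS syslog and running-config text. Example code for this thread,
not Cisco's; all sample data below is constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption (hypothetical): legitimate management only comes from these LAN ranges.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Usernames attackers guess first; "cisco" and "C1sc0!" are the two from the thread.
WEAK_USERNAMES = {"cisco", "c1sc0!", "admin", "root", "user"}

# Real IOS message formats for successful/failed logins and config changes.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"
)

# Constructed sample syslog modelled on the thread (not real captured logs).
SAMPLE_LOG = """\
*Jan 29 14:55:02.110: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.50] [localport: 22] at 14:55:02 UTC Fri Jan 29 2021
*Jan 29 15:02:11.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 185.158.249.22] [localport: 22] [Reason: Login Authentication Failed] at 15:02:11 UTC Fri Jan 29 2021
*Jan 29 15:02:19.501: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 185.158.249.22] [localport: 22] at 15:02:19 UTC Fri Jan 29 2021
*Jan 29 15:40:44.007: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: C1sc0!] [Source: 94.102.56.181] [localport: 22] at 15:40:44 UTC Fri Jan 29 2021
*Jan 29 16:03:00.200: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (94.102.56.181)
"""

# Constructed running-config excerpt (secrets redacted, ACL name assumed).
SAMPLE_CONFIG = """\
username cisco privilege 15 secret 5 $1$abcd$REDACTED
username C1sc0! privilege 15 secret 5 $1$efgh$REDACTED
username netops privilege 15 secret 9 $9$REDACTED
ip access-list standard VTY-IN
 permit 94.102.56.181
 permit 185.158.249.22
 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class VTY-IN in
 transport input ssh
"""


@dataclass
class LoginEvent:
    result: str
    user: str
    src: ipaddress.IPv4Address


def is_trusted(net_or_addr) -> bool:
    """True if the address or network lies entirely inside a trusted LAN range."""
    net = ipaddress.ip_network(str(net_or_addr), strict=False)
    return any(net.subnet_of(t) for t in TRUSTED_MGMT_NETS)


def parse_logins(log: str) -> list:
    return [LoginEvent(m["result"], m["user"], ipaddress.ip_address(m["src"]))
            for m in LOGIN_RE.finditer(log)]


def parse_vty_acl(config: str) -> list:
    """Return the networks permitted by the ACL applied inbound on the VTY lines."""
    m = re.search(r"^\s*access-class (\S+) in\s*$", config, re.M)
    if not m:
        return []  # no access-class at all: the VTYs are reachable from anywhere
    name, nets, in_acl = m.group(1), [], False
    for line in config.splitlines():
        if re.match(rf"ip access-list (?:standard|extended) {re.escape(name)}$", line):
            in_acl = True
            continue
        if not in_acl:
            continue
        if not line.startswith(" "):
            break  # left the ACL body
        parts = line.split()
        if parts[0] != "permit":
            continue
        if parts[1] == "host":
            nets.append(ipaddress.ip_network(parts[2]))
        elif parts[1] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif len(parts) == 2:
            nets.append(ipaddress.ip_network(parts[1]))  # bare host entry
        else:
            # IOS wildcard (inverse) mask; ipaddress accepts it as a hostmask
            nets.append(ipaddress.ip_network((parts[1], parts[2]), strict=False))
    return nets


def triage(log: str, config: str) -> dict:
    f = {"untrusted_vty_permits": [], "untrusted_logins": [],
         "weak_usernames": [], "untrusted_config_changes": []}
    f["untrusted_vty_permits"] = [str(n) for n in parse_vty_acl(config) if not is_trusted(n)]
    f["untrusted_logins"] = [f"{e.result}:{e.user}@{e.src}"
                             for e in parse_logins(log) if not is_trusted(e.src)]
    f["weak_usernames"] = [u for u in re.findall(r"^username (\S+)", config, re.M)
                           if u.lower() in WEAK_USERNAMES]
    f["untrusted_config_changes"] = [f"{m['user']}@{m['src']}" for m in CONFIG_RE.finditer(log)
                                     if not is_trusted(m["src"])]
    return f


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"{key}: {items}")
```

Feed it `show logging` and `show running-config` output saved to files; anything listed under untrusted_vty_permits or untrusted_config_changes is a configuration the team did not make, and the weak_usernames list is what to replace before re-enabling remote access. A rebuilt router should get an access-class that permits only the trusted ranges, with no host entries you cannot account for.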