Possible compromise on ISR router

j-corzatt
Level 1

We recently noticed on our ISR router that an access list was added to our VTY terminal connection lines. The IP addresses were 94.102.56.181 and 185.158.249.22. We didn't add them, as far as we can remember. In the config we have two usernames, "cisco" and "C1sc0!". We checked the log files and we have seen that there are logins for both usernames, as well as from other IP addresses than the ones I mentioned above. We were wondering if those usernames and addresses are used by the Smartnet upgrade feature that we installed a few months ago. We worked with Cisco Technical Support and they said they didn't see any indication of compromise or changes.
Can you verify whether your team or the Smartnet service uses those usernames? Thank you in advance. Jon

3 Replies

Leo Laohoo
Hall of Fame

Look at the first two lines in the "sh run" and it will tell you the last time the config was changed and by whom.

Cisco backend systems do not use those credentials.  

balaji.bandi
Hall of Fame

94.102.56.181 and 185.158.249.22 - I do not believe either of these IPs is related to Cisco, as far as I know...

I suggest removing that new username and removing those IP addresses from the ACL, and try to harden the router security with more ACLs in place so that only LAN IP addresses have access.

Add a new username and remove any username like "cisco" - it is easy to scan for such usernames.

 

BB

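The checks the two replies above describe (the "last configuration change" header at the top of `sh run`, a VTY access-class that only admits LAN addresses, and no "cisco"-style usernames) can be automated against a saved copy of the running config. The script below is an added example, not code from this thread or from Cisco. It runs over a constructed `show run` excerpt that reuses the usernames and addresses quoted in the question (the timestamp and hashed secrets are placeholders), handles only standard ACLs, and assumes 10.10.0.0/16 as the management LAN; an operator would substitute their own ranges in `TRUSTED_MGMT_NETS`.

```python
"""Audit a Cisco IOS running-config for the symptoms described in this thread (added example)."""
import ipaddress
import re

# Constructed sample config. Usernames and ACL addresses are the ones quoted in the question;
# the timestamp and the "$1$placeholder" secrets are made up for the example.
SAMPLE_RUNNING_CONFIG = """\
Building configuration...

! Last configuration change at 03:17:42 UTC Sun Mar 3 2019 by cisco
! NVRAM config last updated at 03:17:45 UTC Sun Mar 3 2019 by cisco
!
hostname EDGE-ISR
!
username admin privilege 15 secret 5 $1$placeholder
username cisco privilege 15 secret 5 $1$placeholder
username C1sc0! privilege 15 secret 5 $1$placeholder
!
ip access-list standard MGMT-IN
 permit 10.10.0.0 0.0.255.255
 permit 94.102.56.181
 permit 185.158.249.22
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
line vty 5 15
 access-class MGMT-IN in
 transport input ssh
"""

# Assumed management LAN for this example; replace with the real internal ranges.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def wildcard_to_network(ip, wildcard="0.0.0.0"):
    """Convert an IOS 'address wildcard' pair into an ip_network; None if the wildcard is non-contiguous."""
    wc = int(ipaddress.ip_address(wildcard))
    netmask = ~wc & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        return None  # e.g. 0.0.255.0: cannot be expressed as a prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def entry_to_network(target):
    """Parse the source part of a standard ACL entry: an ip_network, the string 'any', or None if unparsed."""
    toks = target.split()
    try:
        if toks[0] == "any":
            return "any"
        if toks[0] == "host":
            return ipaddress.ip_network(toks[1] + "/32")
        if len(toks) == 1:
            return ipaddress.ip_network(toks[0] + "/32")
        return wildcard_to_network(toks[0], toks[1])
    except ValueError:
        return None  # extended-ACL syntax such as 'tcp any host ...' is out of scope here


def parse_config(text):
    """Pull out the change header, usernames, named/numbered ACL entries and the ACLs bound to VTY lines."""
    info = {"last_change": None, "usernames": [], "vty_acls": set(), "acls": {}}
    section = None  # ("acl", name) or ("vty", None) while inside an indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := re.match(r"^! Last configuration change at (.+) by (\S+)$", line):
            info["last_change"] = (m.group(1), m.group(2))
        elif m := re.match(r"^username (\S+)", line):
            info["usernames"].append(m.group(1))
        elif m := re.match(r"^ip access-list (?:standard|extended) (\S+)", line):
            section = ("acl", m.group(1))
            info["acls"].setdefault(m.group(1), [])
        elif m := re.match(r"^access-list (\d+) (permit|deny) (.*)$", line):  # numbered ACL, one line each
            info["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif line.startswith("line vty"):
            section = ("vty", None)
        elif not line.startswith(" "):
            section = None  # '!' separators and other top-level lines end the current block
        elif section and section[0] == "acl":
            if m := re.match(r"^(?:\d+ )?(permit|deny) (.*)$", line.strip()):
                info["acls"][section[1]].append((m.group(1), m.group(2)))
        elif section and section[0] == "vty":
            if m := re.match(r"^access-class (\S+) in$", line.strip()):
                info["vty_acls"].add(m.group(1))
    return info


def foreign_vty_permits(info, trusted=TRUSTED_MGMT_NETS):
    """Permit entries on the VTY ACL(s) whose source is not inside a trusted management network."""
    findings = []
    for acl in sorted(info["vty_acls"]):
        for action, target in info["acls"].get(acl, []):
            if action != "permit":
                continue
            net = entry_to_network(target)
            if net == "any" or net is None or not any(net.subnet_of(t) for t in trusted):
                findings.append((acl, target))
    return findings


def suspicious_usernames(usernames):
    """Heuristic: flag names that read 'cisco' after lowercasing, leetspeak folding and punctuation stripping."""
    folded = lambda n: re.sub(r"[^a-z0-9]", "", n.lower()).translate(str.maketrans("1035", "ioes"))
    return [n for n in usernames if folded(n) == "cisco"]


def audit(text, trusted=TRUSTED_MGMT_NETS):
    """Run all three checks and return the findings as a dict."""
    info = parse_config(text)
    return {
        "last_change": info["last_change"],
        "weak_usernames": suspicious_usernames(info["usernames"]),
        "foreign_vty_permits": foreign_vty_permits(info, trusted),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample above the report shows the last change made by user "cisco", both "cisco" and "C1sc0!" flagged as guessable names, and the two non-LAN permits on MGMT-IN, which is exactly the set of items the replies suggest removing.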

Oliver Kaiser
Level 7

185.158.249.22 is associated with a variety of malware campaigns and is on the Cisco Umbrella block list for distributing Remote-Access Trojans. Given that information I would assume you have been breached and should take measures to disable access to the router and investigate if the router has been used to gain further access to internal devices. 

 

Removing the remote access and users from the configuration should be your first step, but a reimage and a hardened configuration + investigation should definitely be done.

 

P.S. Cisco offers a reputation lookup service you can utilize to find information on an IP address: https://talosintelligence.com/reputation_center/lookup (might not include all their IPs, but at least a good way to find more information).