
Cisco 3850 unknown VTY telnet - is it a backdoor?

secureboy
Beginner

Guys,

I have noticed that there are some telnet sessions to our Cisco 3850 switch:

 switch#sh users     
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 00:01:06 192.168.3.2
   3 vty 1                idle                 00:01:06 192.168.3.2
*  4 vty 2                idle                 00:00:00 10.xx.5.40

switch#sh tcp brief
TCB       Local Address           Foreign Address        (state)
34A272D4  10.yy.2.201.23          10.xx.5.40.50755      ESTAB
3A0F8494  192.168.3.1.23          192.168.3.2.42519      ESTAB
3A0874F0  192.168.3.1.23          192.168.3.2.42517      TIMEWAIT
3A4A6030  192.168.3.1.23          192.168.3.2.42518      TIMEWAIT
3A4CE854  192.168.3.1.23          192.168.3.2.42520      ESTAB

10.xx.5.40 is my host IP address. Even after clearing these vty lines (clear line vty <number>), they come back. The switch has only one IP interface: 10.yy.2.201.

switch#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.yy.2.201    YES NVRAM  up                    up      
GigabitEthernet0/0     unassigned      YES unset  administratively down down    
GigabitEthernet1/0/1   unassigned      YES unset  down                  down   
...

Is it a backdoor or internal virtual sessions? More info:

sh version
Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
     1 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL
     3 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL
switch#sh ip sockets
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17     0.0.0.0             0 10.yy.2.201    16666   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201    16667   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201    12124   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201    12125   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201    12134   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201    12135   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5246   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201    12223   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201     6352   0   0   0   0
 17     0.0.0.0             0 10.yy.2.201       67   0   0 1002211   0
 17     0.0.0.0             0 10.yy.2.201     5247   0   0 1000011   0
 17     0.0.0.0             0 10.yy.2.201     2228   0   0 1000211   0
 17(v6)   --listen--          --any--           161   0   0 1020001   0
 17(v6)   --listen--          --any--           162   0   0 1020011   0
 17(v6)   --listen--          --any--          1025   0   0 1020001   0
 17       --listen--          10.yy.2.201      161   0   0 1001001   0
 17       --listen--          10.yy.2.201      162   0   0 1001011   0
 17       --listen--          10.yy.2.201     1025   0   0 1001011   0
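The checks in the post (show users, show tcp brief, show ip interface brief) can be automated so the same anomaly is caught the next time it appears. The script below is an added example and is not code from the original thread or from Cisco; it parses the text of show tcp brief and show ip interface brief and flags any telnet/ssh session whose peer is outside an assumed management allowlist (10.10.5.0/24 here), or whose local side is not an address configured on any interface. The sample input is constructed from the post's output, with the masked octets (xx/yy) replaced by illustrative values, which are assumptions.

```python
"""Audit IOS 'show tcp brief' output for unexpected vty sessions.

Added example, not from the original post. It flags a management session
when the peer is not in the allowlist, or when the local side of the
socket is not an address that 'show ip interface brief' lists as configured
(the oddity in the post: 192.168.3.1 is not a configured interface, yet it
accepts telnet from 192.168.3.2).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input, copied in shape from the post; the masked
# octets (xx/yy) are replaced with illustrative values (assumption).
SHOW_TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
34A272D4  10.20.2.201.23          10.10.5.40.50755      ESTAB
3A0F8494  192.168.3.1.23          192.168.3.2.42519      ESTAB
3A0874F0  192.168.3.1.23          192.168.3.2.42517      TIMEWAIT
3A4A6030  192.168.3.1.23          192.168.3.2.42518      TIMEWAIT
3A4CE854  192.168.3.1.23          192.168.3.2.42520      ESTAB
"""

SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.20.2.201    YES NVRAM  up                    up
GigabitEthernet0/0     unassigned      YES unset  administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
"""

# Hosts that are allowed to open management sessions (assumed allowlist).
MGMT_ALLOWED = [ip_network("10.10.5.0/24")]
MGMT_PORTS = {22, 23}

# IOS prints endpoints as a.b.c.d.port; the last dot separates the port.
_ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def split_endpoint(endpoint):
    """'10.20.2.201.23' -> (IPv4Address('10.20.2.201'), 23)."""
    m = _ENDPOINT.match(endpoint)
    if not m:
        raise ValueError("not an IOS address.port endpoint: %r" % endpoint)
    return ip_address(m.group(1)), int(m.group(2))


def parse_tcp_brief(text):
    """Return one dict per data row of 'show tcp brief'."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not _ENDPOINT.match(parts[1]):
            continue  # header line or a row we do not understand
        tcb, local, foreign, state = parts
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        sessions.append({"tcb": tcb, "local": lhost, "lport": lport,
                         "foreign": fhost, "fport": fport, "state": state})
    return sessions


def parse_interface_addresses(text):
    """Set of addresses that 'show ip interface brief' lists as configured."""
    addrs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Interface" or parts[1] == "unassigned":
            continue
        addrs.add(ip_address(parts[1]))
    return addrs


def audit_sessions(sessions, iface_addrs, allowed, ports=MGMT_PORTS):
    """Flag management sessions that should not exist on a healthy switch.

    Returns (tcb, peer, state, reasons) tuples; an empty list means clean.
    """
    findings = []
    for s in sessions:
        if s["lport"] not in ports:
            continue
        reasons = []
        if s["local"] not in iface_addrs:
            reasons.append("local %s is not a configured interface" % s["local"])
        if not any(s["foreign"] in net for net in allowed):
            reasons.append("peer %s outside management allowlist" % s["foreign"])
        if reasons:
            findings.append((s["tcb"], str(s["foreign"]), s["state"], reasons))
    return findings


def run_audit():
    sessions = parse_tcp_brief(SHOW_TCP_BRIEF)
    iface_addrs = parse_interface_addresses(SHOW_IP_INT_BRIEF)
    return audit_sessions(sessions, iface_addrs, MGMT_ALLOWED)


if __name__ == "__main__":
    for tcb, peer, state, reasons in run_audit():
        print("%s %s %-8s %s" % (tcb, peer, state, "; ".join(reasons)))
```

On the sample input the session from the admin host is left alone and the four 192.168.3.2 sessions are reported twice over: the peer is outside the allowlist, and the local address 192.168.3.1 does not belong to any configured interface. Run the audit again after clear line vty; sessions that reappear with the same reasons are the ones worth taking to the vendor advisory rather than to the vty ACL.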
1 REPLY 1

secureboy
Beginner

It is an old Cisco bug:

 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20131224-CVE-2013-6979

Applying an ACL to the vty lines and enabling only ssh as the transport input didn't help. Need to update the firmware.
