Hacked cisco router

teymur azimov
Level 1

Dears,

Someone hacked our Cisco router. They created a new username and password. I deleted this username, but when I do show running again I see this username and password. I upgraded the IOS and reloaded the router, but the problem is not solved.

We do not want to delete the configuration file.

I think that they wrote a script in TCL. How do I fix this problem?

9 Replies

Leo Laohoo
Hall of Fame

Kindly post the router configuration (minus the IP address & passwords).

I attached the router configuration. This is a branch office router. 

Main configuration is VPN.

Current configuration : 7843 bytes
!
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot system tftp c2801-advipservicesk9-mz.151-4.M8.bin 255.255.255.255
boot-end-marker
!
!
!
no aaa new-model
!
crypto pki token default removal timeout 0
!        
!        
dot11 syslog
ip source-route
!        
!        
no ip dhcp use vrf connected
ip dhcp excluded-address xxx

ip dhcp excluded-address xx
ip dhcp excluded-address xx
ip dhcp excluded-address xx
!        
ip dhcp pool LAN-POOL
 network xxx 255.255.255.0
 default-router xxx
 dns-server xxx
!        
!        
!        
ip cef   
no ip domain lookup
ip domain name xxxx
no ipv6 cef
!        
multilink bundle-name authenticated
!        
!        
!        
!        
password encryption aes
!        
!        
voice service pots
!        
voice service voip
!        
!        
!        
!        
!        
voice-card 0
!        
!        
!        
license udi pid CISCO2801 sn xxx

username nhrp privilege 15 secret 5 $1$THBb$x1vTVwl0Kdf5BDA/hCW57oS1

Someone created this username

!        
redundancy
!        
!        
ip ssh version 2
!        
crypto keyring DMVPNKEYRING 
  pre-shared-key address xxxxxx key 6

!        
crypto isakmp policy 30
 encr aes 256
 hash sha256
 authentication pre-share
 group 20
 lifetime 3600
!        
crypto isakmp policy 103
 encr aes 256
 authentication pre-share
 group 2 
!        
crypto isakmp policy 104
 encr aes 256
 authentication pre-share
 group 5 
!        
crypto isakmp policy 105
 encr 3des
 authentication pre-share
 group 5 
!        
crypto isakmp policy 107
 encr 3des
 authentication pre-share
 group 2 
!        
crypto isakmp policy 108
 encr 3des
 hash md5
 authentication pre-share
 group 5 
crypto isakmp keepalive 10 periodic
crypto isakmp profile DMVPN_ISAKMP
   keyring xxxx
   match identity address xxxx
!        
!        
crypto ipsec transform-set iamas_vpn esp-aes 256 esp-sha-hmac
crypto ipsec transform-set SEC_TRANS1 esp-aes 256 esp-sha256-hmac
! Transform runs with reduced performance
!        
crypto ipsec profile SEC_PROFILE1
 set transform-set SEC_TRANS1
 set pfs group20
 set isakmp-profile DMVPN_ISAKMP
!        
!        
crypto ipsec client ezvpn ez
 connect auto
 group axxxx key 6 xxxx
 mode network-extension
 peer xxxxxx
 username xxxx password 6 yyyy
!        
!        
!        
!        
!        
!        
!        
interface Tunnel30
 bandwidth 10000
 ip address xxxx
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 30 30
 ip hold-time eigrp 30 120
 ip nhrp authentication xxxxx
 ip nhrp map multicast dynamic
 ip nhrp map xxxxx
 ip nhrp map multicast xxxx
 ip nhrp map xxxx
 ip nhrp map multicast xxxx
 ip nhrp network-id 9
 ip nhrp holdtime 600
 ip nhrp nhs xxxx
 ip nhrp nhs xxxx
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 ntp broadcast client
 tunnel source xx
 tunnel mode gre multipoint
 tunnel key xxxxx
 tunnel protection ipsec profile SEC_PROFILE1
!        
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!        
interface FastEthernet0/1
 ip address xxxx 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
 crypto ipsec client ezvpn ez inside
!         
interface Dialer1
 ip address negotiated
 ip access-group 110 in
 ip mtu 1492
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp pap sent-username xxxx password 7 xxxx
!        
!        
router eigrp 10
 network xxxx  0 0.0.0.255
 network xxxxx 0.0.0.127
!        
ip forward-protocol nd
!        
!        
no ip http server
no ip http secure-server
ip nat inside source route-map nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 x
!        
ip access-list extended xxxxx
 permit ip host x.x.x  1x..x.x.x .0 0.0.0.255
 permit ip host xxxxx x.x.6.0 0.0.0.255
 permit ip host xxxx host y
 permit ip host xxxx host y
 permit ip host x.xxx host y
 permit ip host xxxxx host y
 permit ip host xxxx host y
 permit ip host xxxxx host y
!        
access-list 110 permit ip host xxxx any
access-list 110 permit ip host xxxxx any
access-list 110 deny   tcp any any eq 1720
access-list 110 deny   tcp any any eq 1719
access-list 110 deny   tcp any any eq 1718
access-list 110 deny   tcp any any eq 2099
access-list 110 deny   udp any any eq 1720
access-list 110 deny   udp any any eq 1719
access-list 110 deny   udp any any eq 1718
access-list 110 deny   udp any any eq 2099
access-list 110 deny   tcp any any eq telnet
access-list 110 deny   tcp any any eq www
access-list 110 deny   tcp any any eq 22
access-list 110 permit ip any any
access-list 135 deny   ip xxxx 0.0.0.255 host 10.200.200.22
access-list 135 deny   ip host xxx 172.16.0.0 0.0.255.255
access-list 135 deny   ip host xxx 10.10.0.0 0.0.255.255
access-list 135 deny   ip host xxx host 10.200.200.20
access-list 135 deny   ip host x host 10.200.200.21
access-list 135 deny   ip host x any
access-list 135 deny   ip host x any
access-list 135 deny   ip host x yyy
access-list 135 deny   ip host x xxx
access-list 135 deny   ip host x xx
access-list 135 deny   ip host x xxxx
access-list 135 deny   ip host x xxx
access-list 135 deny   ip host x xxxxx
access-list 135 deny   ip host x xxx
access-list 135 deny   ip host x xxxx
access-list 135 deny   ip host x any
access-list 135 permit ip x 0.0.0.255 any
dialer-list 1 protocol ip permit
!        
!        
!        
!        
route-map nat permit 10
 match ip address 135
!        
!        
!        
control-plane
!        
!        
voice-port 0/0/0
!        
voice-port 0/0/1
!        
voice-port 0/0/2
!        
voice-port 0/0/3
!        
ccm-manager redundant-host xxxxx
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server xxxx 
ccm-manager config
!        
mgcp     
mgcp call-agent x.x.x.x  2427 service-type mgcp
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp bind control source-interface x
mgcp bind media source-interface x
!        
mgcp profile default
!        
!        
dial-peer voice 14 pots
 service mgcpapp
 port 0/0/0
!        
dial-peer voice 34 pots
 service mgcpapp
 port 0/0/1
!        
dial-peer voice 54 pots
 service mgcpapp
 port 0/0/2
!        
dial-peer voice 7 pots
 service mgcpapp
 port 0/0/3
!        
dial-peer voice 9994001 pots
 service mgcpapp
 port 0/0/1
!        
dial-peer voice 9994003 pots
 service mgcpapp
 port 0/0/3
!        
dial-peer voice 9949000 pots
 service mgcpapp
 port 0/0/0
!        
dial-peer voice 999002 pots
 service mgcpapp
 port 0/0/2
!        
!        
!        
!        
alias exec c conf t
!        
line con 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!        
scheduler allocate 20000 1000
ntp update-calendar
end   
 

Let's start with the basics.  If someone has hacked into your router, did you change the password to something more difficult to crack?

Yes, we changed the password.

But I cannot delete the nhrp username.

Maybe your password isn't strong enough.

Have you got the answer?

Did you get any resolution, or how did they create an undeletable user?

Hi,

Change your password and disable SSH and Telnet access from the outside. You can use an access-list for this.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
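An added defender-side check (my example, not code from the thread, the poster, or Cisco) that audits a saved running-config dump for the things this thread is chasing: privilege-15 local users, scheduler or scripting stanzas (EEM, kron, Tcl init) that are the usual place a "script" re-applies configuration after a reload, and vty lines that carry no access-class, as in the posted config, where ACL 110 sits on Dialer1 but the vty lines themselves are unrestricted. The sample config is constructed, modelled on the posted one with a scheduler stanza added; the usernames, hashes and ACL number are placeholders.

```python
import re

# Constructed sample modelled on the thread's posted config (not the original).
# Hashes are placeholders; the EEM and kron stanzas are added to show what the
# persistence check flags.
SAMPLE_CONFIG = """\
username nhrp privilege 15 secret 5 $1$xxxx$PLACEHOLDER
username admin privilege 15 secret 5 $1$yyyy$PLACEHOLDER
event manager applet keepuser
 event timer watchdog time 60
kron occurrence HOURLY in 60 recurring
 policy-list CHECK
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
"""

# Top-level IOS keywords that schedule or script configuration changes.
PERSISTENCE_PREFIXES = ("event manager ", "kron ", "scripting tcl ")


def blocks(cfg):
    """Yield (header, [child lines]) for each top-level IOS stanza.
    IOS indents sub-commands with a leading space; '!' lines are separators."""
    header, children = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.strip(), []
    if header is not None:
        yield header, children


def find_priv15_users(cfg):
    """Local accounts with full privilege; each one should be accounted for."""
    return [m.group(1) for h, _ in blocks(cfg)
            for m in [re.match(r"username (\S+) privilege 15", h)] if m]


def find_persistence_hooks(cfg):
    """Stanzas that can re-apply config on a timer or at boot."""
    return [h for h, _ in blocks(cfg) if h.startswith(PERSISTENCE_PREFIXES)]


def find_unrestricted_vty(cfg):
    """vty lines with no access-class, i.e. reachable from any source address."""
    return [h for h, kids in blocks(cfg) if h.startswith("line vty")
            and not any(k.startswith("access-class") for k in kids)]


if __name__ == "__main__":
    print("priv15 users:", find_priv15_users(SAMPLE_CONFIG))
    print("persistence hooks:", find_persistence_hooks(SAMPLE_CONFIG))
    print("unrestricted vty:", find_unrestricted_vty(SAMPLE_CONFIG))
```

Run it against the output of show running-config saved to a file; an unexpected hit in the persistence list is where to look for the stanza that keeps restoring the username.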

Ok