02-02-2016 10:22 PM - edited 03-08-2019 04:27 AM
Dears,
Someone hacked our Cisco router. They created a new username and password. I deleted this username, but when I do show running again I see this username and password. I upgraded the IOS and reloaded the router, but the problem is not solved.
We do not want to delete the configuration file.
I think that they wrote a script in TCL. How do I fix this problem?
02-03-2016 12:07 AM
Kindly post the router configuration (minus the IP address & passwords).
02-03-2016 02:38 AM
I attached the router configuration. This is a branch office router.
Main configuration is VPN.
Current configuration : 7843 bytes
!
!
D
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot system tftp c2801-advipservicesk9-mz.151-4.M8.bin 255.255.255.255
boot-end-marker
!
!
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address xxx
ip dhcp excluded-address xx
ip dhcp excluded-address xx
ip dhcp excluded-address xx
!
ip dhcp pool LAN-POOL
network xxx 255.255.255.0
default-router xxx
dns-server xxx
!
!
!
ip cef
no ip domain lookup
ip domain name xxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
password encryption aes
!
!
voice service pots
!
voice service voip
!
!
!
!
!
voice-card 0
!
!
!
license udi pid CISCO2801 sn xxx
username nhrp privilege 15 secret 5 $1$THBb$x1vTVwl0Kdf5BDA/hCW57oS1
Someone created this username
!
redundancy
!
!
ip ssh version 2
!
crypto keyring DMVPNKEYRING
pre-shared-key address xxxxxx key 6
!
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 20
lifetime 3600
!
crypto isakmp policy 103
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 104
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 105
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 107
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 108
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp keepalive 10 periodic
crypto isakmp profile DMVPN_ISAKMP
keyrinxxxx
match identity address xxxx!
!
crypto ipsec transform-set iamas_vpn esp-aes 256 esp-sha-hmac
crypto ipsec transform-set SEC_TRANS1 esp-aes 256 esp-sha256-hmac
! Transform runs with reduced performance
!
crypto ipsec profile SEC_PROFILE1
set transform-set SEC_TRANS1
set pfs group20
set isakmp-profile DMVPN_ISAKMP
!
!
crypto ipsec client ezvpn ez
connect auto
group axxxx key 6 xxxx
mode network-extension
peer xxxxxx
username xxxx password 6 yyyy
!
!
!
!
!
!
!
interface Tunnel30
bandwidth 10000
ip address xxxx
no ip redirects
ip mtu 1400
ip hello-interval eigrp 30 30
ip hold-time eigrp 30 120
ip nhrp authentication xxxxx
ip nhrp map multicast dynamic
ip nhrp map xxxxx
ip nhrp map multicast xxxx
ip nhrp map xxxx
ip nhrp map multicast xxxx
ip nhrp network-id 9
ip nhrp holdtime 600
ip nhrp nhs xxxx
ip nhrp nhs xxxx
ip nhrp registration no-unique
ip tcp adjust-mss 1360
ntp broadcast client
tunnel source xx
tunnel mode gre multipoint
tunnel key xxxxx
tunnel protection ipsec profile SEC_PROFILE1
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address xxxx 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
ip tcp adjust-mss 1400
duplex auto
speed auto
crypto ipsec client ezvpn ez inside
!
interface Dialer1
ip address negotiated
ip access-group 110 in
ip mtu 1492
ip nat outside
ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxx
ppp chap password 7 xxxx
ppp pap sent-username xxxx password 7 xxxx
!
!
router eigrp 10
network xxxx 0 0.0.0.255
network xxxxx 0.0.0.127
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 x
!
ip access-list extended xxxxx
permit ip host x.x.x 1x..x.x.x .0 0.0.0.255
permit ip host xxxxx x.x.6.0 0.0.0.255
permit ip host xxxx host y
permit ip host xxxx host y
permit ip host x.xxx host y
permit ip host xxxxx host y
permit ip host xxxx host y
permit ip host xxxxx host y
!
access-list 110 permit ip host xxxx any
access-list 110 permit ip host xxxxx any
access-list 110 deny tcp any any eq 1720
access-list 110 deny tcp any any eq 1719
access-list 110 deny tcp any any eq 1718
access-list 110 deny tcp any any eq 2099
access-list 110 deny udp any any eq 1720
access-list 110 deny udp any any eq 1719
access-list 110 deny udp any any eq 1718
access-list 110 deny udp any any eq 2099
access-list 110 deny tcp any any eq telnet
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any any eq 22
access-list 110 permit ip any any
access-list 135 deny ip xxxx 0.0.0.255 host 10.200.200.22
access-list 135 deny ip host xxx 172.16.0.0 0.0.255.255
access-list 135 deny ip host xxx 10.10.0.0 0.0.255.255
access-list 135 deny ip host xxx host 10.200.200.20
access-list 135 deny ip host x host 10.200.200.21
access-list 135 deny ip host x any
access-list 135 deny ip host x any
access-list 135 deny ip host x yyy
access-list 135 deny ip host x xxx
access-list 135 deny ip host x xx
access-list 135 deny ip host x xxxx
access-list 135 deny ip host x xxx
access-list 135 deny ip host x xxxxx
access-list 135 deny ip host x xxx
access-list 135 deny ip host x xxxx
access-list 135 deny ip host x any
access-list 135 permit ip x 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map nat permit 10
match ip address 135
!
!
!
control-plane
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
ccm-manager redundant-host xxxxx
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server xxxx
ccm-manager config
!
mgcp
mgcp call-agent x.x.x.x 2427 service-type mgcp
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp bind control source-interface x
mgcp bind media source-interface x
!
mgcp profile default
!
!
dial-peer voice 14 pots
service mgcpapp
port 0/0/0
!
dial-peer voice 34 pots
service mgcpapp
port 0/0/1
!
dial-peer voice 54 pots
service mgcpapp
port 0/0/2
!
dial-peer voice 7 pots
service mgcpapp
port 0/0/3
!
dial-peer voice 9994001 pots
service mgcpapp
port 0/0/1
!
dial-peer voice 9994003 pots
service mgcpapp
port 0/0/3
!
dial-peer voice 9949000 pots
service mgcpapp
port 0/0/0
!
dial-peer voice 999002 pots
service mgcpapp
port 0/0/2
!
!
!
!
alias exec c conf t
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
end
02-03-2016 03:07 AM
Let's start with the basics. If someone has hacked into your router, did you change the password to something more difficult to crack?
02-03-2016 03:12 AM
Yes, we changed the password.
But I cannot delete the nhrp username.
08-20-2019 12:00 PM
Maybe your password isn't strong enough.
08-20-2019 12:02 PM
Have you got the answer?
09-26-2019 02:41 AM
Did you get any resolution, or how they created an undeletable user?
09-26-2019 04:58 AM
Hi,
Change your password and disable SSH and Telnet access from the outside. You can use an access list for the same.
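Added example (not part of any post in this thread, and not Cisco tooling): a Python check over a saved, indented `show running-config` that lists privilege-15 local users outside an expected set, VTY lines with no inbound `access-class`, and global commands that can run scripts or re-apply configuration unattended, which is what the original poster suspects. The sample config is constructed from the excerpt posted above; the `admin` user, ACL number 23 and the `audit` function name are assumptions.

```python
import re

# Constructed excerpt modelled on the configuration posted in this thread.
# The "admin" user and access-class 23 are assumptions added for contrast.
SAMPLE_CONFIG = """\
no aaa new-model
username nhrp privilege 15 secret 5 <redacted>
username admin privilege 15 secret 5 <redacted>
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 login local
 transport input ssh
"""

# Global commands that can run scripts or re-apply configuration unattended.
AUTOMATION = re.compile(r"(event manager|kron|scripting tcl)\b")
ADMIN_USER = re.compile(r"username (\S+) privilege 15\b")

def audit(config, expected_admins):
    """Return (kind, detail) findings for an indented show running-config."""
    findings, vty, section = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0] != " ":                      # top-level command
            section = text if text.startswith("line vty") else None
            if section:
                vty[section] = False           # no access-class seen yet
            user = ADMIN_USER.match(text)
            if user and user.group(1) not in expected_admins:
                findings.append(("unexpected-admin", user.group(1)))
            if AUTOMATION.match(text):
                findings.append(("automation", text))
        elif section and re.match(r"access-class \S+ in\b", text):
            vty[section] = True
    findings += [("vty-no-access-class", s) for s, ok in vty.items() if not ok]
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG, expected_admins={"admin"}):
        print(f"{kind}: {detail}")
```

The check relies on sub-commands being indented by a space, as in real `show running-config` output; text pasted into a forum with the indentation stripped needs to be re-captured from the device first.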
09-30-2019 08:53 PM