Security

  • strange behavior on Cisco 2801

    7 answers - 1823 bytes

    Hi!
    I'm running Cisco IOS software on a 2801 router (C2801-ADVIPSERVICESK9-M),
    Version 12.4(3e), RELEASE SOFTWARE (fc2). I have a few problems and I have
    seen strange behavior: after a few hours there was no response from the router,
    no NAT etc. After a restart everything was OK for 10-12 hours.
    I have ONLY one user name permitted to log on via SSH to the router: marcin, with
    a non-dictionary password (14 symbols).
    I logged on 2 hours ago and used the command "who". I was very surprised, because
    within 1 minute I saw 2 different usernames and NO USERNAME on vty
    194.
    It looks like this:
    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    Interface User Mode Idle Peer Address
    router#who
    Line User Host(s) Idle Location
    vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    Interface User Mode Idle Peer Address
    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    Interface User Mode Idle Peer Address
    router#who
    Line User Host(s) Idle Location
    vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    router#sh users
    Line User Host(s) Idle Location
    vty 194 akrizan idle 00:00:40 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    What is going on? Have you heard about a similar incident?
    Best regards
    Marcin
  • No.1 | 2319 bytes

    Hi Marcin,

    I would put an access-class on your vty lines to allow ssh only from trusted
    hosts. Either that or put an access-list on your outside interface.

    , and look up the abuse contact for that domain and report them. It's
    probably someone trying a brute force on your ssh server.

    HTH

    Cheers,
    Neil

    On Thursday 01 February 2007 19:46, Marcin wrote:
    Hi!

    I'm running Cisco IOS software on a 2801 router (C2801-ADVIPSERVICESK9-M),
    Version 12.4(3e), RELEASE SOFTWARE (fc2). I have a few problems and I have
    seen strange behavior: after a few hours there was no response from the router,
    no NAT etc. After a restart everything was OK for 10-12 hours.

    I have ONLY one user name permitted to log on via SSH to the router: marcin, with
    a non-dictionary password (14 symbols).

    I logged on 2 hours ago and used the command "who". I was very surprised, because
    within 1 minute I saw 2 different usernames and NO USERNAME on vty
    194.

    It looks like this:

    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    Interface User Mode Idle Peer Address

    router#who
    Line User Host(s) Idle Location
    vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    Interface User Mode Idle Peer Address

    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    Interface User Mode Idle Peer Address

    router#who
    Line User Host(s) Idle Location
    vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl
    --
    router#sh users
    Line User Host(s) Idle Location
    vty 194 akrizan idle 00:00:40 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    What is going on? Have you heard about a similar incident?

    Best regards

    Marcin

  • No.2 | 504 bytes

    (no one under 18 should click on that link above, it may violate state
    laws doing so)

    Could someone from sourceforge.net comment? What else is compromised on
    the server?

    Can just anyone post anything to any directory or are there specific
    directories that can be hacked?

    Is it just yapig.sourceforge.net?

    Either case, I should suggest everyone be careful about what you
    download from sourceforge till they do a full code audit and post the
    results here.
  • No.3 | 920 bytes

    If the content can be shown to be present due to the actions of the
    YaPiG project site admins (e.g. using very weak passwords, being
    fooled by a sourceforge.net phishing site that steals passwords,
    putting the material up intentionally), a full code audit for
    everything from sourceforge.net is probably not necessary.
    -Eliah

    On 2/2/07, Michael Scheidell <scheidell (AT) secnap (DOT) net> wrote:

    (no one under 18 should click on that link above, it may violate state
    laws doing so)

    Could someone from sourceforge.net comment? What else is compromised on
    the server?

    Can just anyone post anything to any directory or are there specific
    directories that can be hacked?

    Is it just yapig.sourceforge.net?

    Either case, I should suggest everyone be careful about what you
    download from sourceforge till they do a full code audit and post the
    results here.
  • No.4 | 1116 bytes

    On Fri, 2 Feb 2007, Michael Scheidell wrote:

    Date: Fri, 2 Feb 2007 06:40:21 -0500

    (no one under 18 should click on that link above, it may violate state
    laws doing so)

    Could someone from sourceforge.net comment? What else is compromised on
    the server?

    Can just anyone post anything to any directory or are there specific
    directories that can be hacked?

    Is it just yapig.sourceforge.net?

    Yes, 'yapig' is one of the many thousands of projects on sf.net. Every
    project gets a soft quota of 100Mb of web space to put whatever they "want".
    ("Want" in the sense that the project members may have shell access and can
    upload arbitrary contents, which presumably should be legal contents, but
    the users get to control what to put under their project space.)

    Either case, I should suggest everyone be careful about what you
    download from sourceforge till they do a full code audit and post the
    results here.

    If you find offensive or illegal content on sf.net (I did not check the
    link you provided), I suggest you report it to SourceForge here:
  • No.5 | 1603 bytes

    Could someone from sourceforge.net comment? What else is compromised on
    the server?

    Can just anyone post anything to any directory or are there specific
    directories that can be hacked?

    Is it just yapig.sourceforge.net?

    If you look here:

    http://yapig.sourceforge.net/

    You'll see the following list of vulns recently fixed in this image
    gallery project:

    * Vulnerability: Cross site scripting on add comment form (#1230491)
    * Vulnerability: Save plain text login information in cookies (#1230491)
    * Vulnerability: Arbitrary directory removal on upload.php (#1230491)
    * Vulnerability: Extension checks on upload.php (#1230491)
    * Vulnerability: Arbitrary file Inclusion global.php and last_gallery.php (#1230491)
    * Vulnerability: Cross-site Scripting (#1230491)
    * Vulnerability: Information disclosure in phid argument of view.php and slideshow.php (#1230491)

    Yeah, so their demo site is compromised through one of these, or another
    yet to be published. Have you tried to let the project owner know?

    Either case, I should suggest everyone be careful about what you
    download from sourceforge till they do a full code audit and post the
    results here.

    I would hope that sourceforge has decent cross-project segmentation by now.

    tim

    PS- next time you start a new thread on lists, could you avoid
    responding to messages on completely different threads? I realize that
    some mail clients still don't support the interpretation of threading
    headers, but many of ours do.
  • No.6 | 2506 bytes


    Hi Marcin,

    Eloy Paris from Cisco's Product Security Incident Response Team (PSIRT)
    here. See below (inline) for a couple of comments.

    On Thu, Feb 01, 2007 at 08:46:33PM +0100, Marcin wrote:

    I'm running Cisco IOS software on a 2801 router (C2801-ADVIPSERVICESK9-M),
    Version 12.4(3e), RELEASE SOFTWARE (fc2). I have a few problems and I have
    seen strange behavior: after a few hours there was no response from the router,
    no NAT etc. After a restart everything was OK for 10-12 hours.

    I have ONLY one user name permitted to log on via SSH to the router: marcin, with
    a non-dictionary password (14 symbols).

    I logged on 2 hours ago and used the command "who". I was very surprised, because
    within 1 minute I saw 2 different usernames and NO USERNAME on vty
    194.

    It looks like this:

    router#who
    Line User Host(s) Idle Location
    vty 194 idle 00:00:01 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    Interface User Mode Idle Peer Address

    router#who
    Line User Host(s) Idle Location
    vty 194 aivankovic idle 00:00:04 nt.math.nknu.edu.tw
    * vty 195 marcin idle 00:00:00 210-az4-2.acn.waw.pl

    Interface User Mode Idle Peer Address

    []

    What is going on? Have you heard about a similar incident?

    As Neil Anderson mentioned in his reply to your message earlier,
    you are probably seeing a brute force SSH scan from the host
    nt.math.nknu.edu.tw, which is probably compromised.

    If you have set up your users with strong passwords you should be
    fine, although as Neil also mentioned, it would be a good idea to add
    an access-class to the VTYs so only connections from authorized IP
    addresses and/or networks are accepted.

    The behavior you are seeing is normal - during the SSH authentication
    phase you will see the user trying to log in in the output from the
    "show users" command, or you may only see a machine name with no
    username associated with it. This user is not really logged in (it is
    just in the authentication phase) and it will go away as soon as the TCP
    session is torn down.

    Hope this helps.

    Cheers,
    --

    Eloy Paris
    Product Security Incident Response Team (PSIRT)
    Cisco Systems, Inc.
    Ph: +1 919 392-9118
    Cell: +1 919 349-2990
    Pager: (888) 347-7178

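The VTY access-class that both Neil and Eloy recommend, written out as an added IOS configuration example (not configuration from the thread or from Cisco). The management network 192.0.2.0/24 is a constructed placeholder, and the login throttling lines assume an IOS release that has the "login block-for" feature (12.3(4)T and later).

```text
! Added example: only accept SSH on the VTY lines from a trusted management
! network, and throttle/log failed logins so a scan like the one from
! nt.math.nknu.edu.tw shows up in the logs instead of just in "show users".
!
! 192.0.2.0/24 is a constructed placeholder for the admin network.
ip access-list standard MGMT-SSH
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! The range must cover every VTY the platform exposes (check "show line");
! "0 4" is only the default first range.
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0
!
! Quiet the line for 120 s after 3 failed logins within 60 s, and log
! both failures and successes (IOS 12.3(4)T and later).
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Limit how long an unauthenticated SSH session may hang on a VTY and how
! many password attempts it gets.
ip ssh time-out 60
ip ssh authentication-retries 3
```

With the access-class in place, connections from hosts outside the list are refused before the SSH handshake, so they no longer occupy a VTY and no longer appear in "show users" at all; the "deny any log" entry records the source addresses instead.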
  • No.7 | 544 bytes

    On Fri, 2 Feb 2007, Tim wrote:

    Could someone from sourceforge.net comment? What else is compromised on
    the server?

    Can just anyone post anything to any directory or are there specific
    directories that can be hacked?

    Is it just yapig.sourceforge.net?
    --
    If you look here:

    http://yapig.sourceforge.net/
    --
    You'll see the following list of vulns recently fixed in this image
    gallery project:

    Just looking at the source for the defaced page one can see
    that other projects are involved.
