sacox31s
20 posts

WTF?

I can't clear the line either?

RouterHostname#who
    Line       User        Host(s)            Idle       Location
  66 vty 0     root        idle               00:00:04 119.62.128.115
* 67 vty 1     myusername  idle               00:00:00 xxx.xxx.xxx.xxx

Interface    User               Mode         Idle     Peer Address

RouterHostname#clear line 66
[confirm]
 [OK]
RouterHostname#clear line vty 0
[confirm]
 [OK]

RouterHostname#who
    Line       User        Host(s)              Idle       Location
  66 vty 0     root        idle                 00:00:04 119.62.128.115
* 67 vty 1     myusername  idle                 00:00:00 xxx.xxx.xxx.xxx

Interface    User               Mode         Idle     Peer Address

RouterHostname#exit

Connection closed by foreign host.
myusername@MyLinuxBox:~$ whois 119.62.128.115
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      119.62.128.0 - 119.62.128.255
netname:      ChinaUnicom-YunNanBranch-3G-operation-plant
country:      cn
descr:        ChinaUnicom-YunNanBranch-3G-operation-plant
admin-c:      CH455-AP
tech-c:       CH455-AP
status:       ASSIGNED NON-PORTABLE
changed:      zengwei5@chinaunicom.cn 20090316
mnt-by:       MAINT-CNCGROUP-YN
source:       APNIC

route:        119.62.0.0/16
descr:        CNC Group CHINA169 Yunnan Province Network
country:      CN
origin:       AS4837
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20080118
source:       APNIC

role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC
sacox31s
20 posts

OK, so my formatting is all messed up in the above message.

My router was acting odd; certain things just weren't making sense. So I typed in the "who" command.

Someone was also logged in with the IP of 119.62.128.115!!

I ran a "whois" from my linux box, and it said the IP is from China.

Also, I tried to clear the line several times with no luck.

In the end I created a very restrictive ACL on my line VTY, cleared the line, and finally that IP is no longer showing up when I issue the "who" command.

WTF

sacox31s
20 posts

I figured out what was going on. Basically it was just a brute force attack with the username root.

The reason I say this is that the ACL preventing the attacker from connecting is incrementing at a very fast pace for that specific network.

Also the "who" command will state the username of someone who is trying to login even before they have correctly entered their password.

This hacker from China must think my router is a *NIX box.

scarface
20 posts

Had the same problem a few times. Mostly the Chinese are trying to access the router.

An ACL on the VTY is really necessary.

IOS has a feature where you can block VTY access for a defined time when the wrong user/pass is typed in. But I can't remember the commands for it, sorry.
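
Added example, not from any poster in this thread: the IOS login-throttling feature scarface is describing (login block-for and quiet mode), combined with the VTY access-class the thread keeps recommending. The management host 203.0.113.10, the ACL name VTY-MGMT, the username and the placeholder password are assumptions.

```cisco
! Added example, not from the thread. 203.0.113.10 and all names are assumptions.
!
! 1. Who may open a VTY at all. The access-class refuses the TCP connection
!    before a username prompt is ever shown, so a guesser can no longer sit
!    on a vty line and show up in "who" as user "root".
ip access-list standard VTY-MGMT
 permit host 203.0.113.10
 deny   any log
!
! 2. Throttle brute force: after 3 failed logins within 60 s, refuse all
!    logins for 120 s (quiet mode). During quiet mode only VTY-MGMT may
!    still connect, so you cannot lock yourself out. Log every attempt.
login block-for 120 attempts 3 within 60
login quiet-mode access-class VTY-MGMT
login delay 2
login on-failure log
login on-success log
!
! 3. Apply to the lines: SSH only, local accounts, idle sessions time out.
username admin privilege 15 secret <strong-password-placeholder>
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 exec-timeout 5 0
 login local
!
! Verify:
!   show login                  -> current quiet-mode state and thresholds
!   show access-lists VTY-MGMT  -> hit counter on the "deny any" line
!   show users                  -> same output as "who"
```

The access-class is the control that actually ends the situation in the first post: once it is in place the source cannot re-establish a connection, regardless of whether an existing line could be cleared. The login block-for commands must be entered before the other login commands; they raise the cost of each guess but do not replace the ACL.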

stretch
100 posts

Check this out: Securing IOS local authentication logins.

And of course, use only strong passwords.

sacox31s
20 posts

Interesting, good blog post. I'll have to implement that.

luismg
32 posts

and remember clear line vty 0

always acl, and strong passwords.

Evan
6 posts

A good way to secure your router would be to utilise the Cisco CBAC firewall feature; you can essentially make yourself invisible on the internet. At home I have a Cisco 1841 router connected to my cable modem.

A good way to test for any vulnerabilities or open ports that advertise your router to the world would be to use Shields Up. Once you have read the instructions, click on "proceed" and choose the "all service ports" option (1 - 1024). You will then be scanned for all the ports you are advertising on the internet and advised.

With CBAC I am invisible on the internet and my router will not respond to any requests unless I choose to do so and from where.

sacox31s
20 posts

@Evan, I am using CBAC on my router. However my router is listening on port 22 for SSH because I have permitted it on my internet side ACL. I like to be able to connect to my router remotely. My VTY ACL will keep this minor problem from happening again. I don't think it is possible for anyone to gain access to this router by brute force. They'll have a hard enough time just finding out my username.

the_ios_inquisition
2 posts

It's also helpful to change the default ports for all of your access protocols. Ideally you would only want to use ssh v2 for all of your equipment.
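
Added example, not from any poster in this thread: forcing SSH version 2 and moving the SSH listener to a non-default port with a rotary group, which is the IOS way to do what the_ios_inquisition suggests. The domain name, port 2222 and rotary group 1 are assumptions. Note that the alternate port is obscurity only; the VTY access-class remains the real control.

```cisco
! Added example, not from the thread. example.net, port 2222 and rotary 1
! are assumptions.
!
! SSH needs a hostname, a domain name and an RSA key; SSHv2 wants 2048 bits.
hostname RouterHostname
ip domain-name example.net
crypto key generate rsa modulus 2048
!
! Version 2 only, short negotiation window, two password tries per session.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Bind TCP port 2222 to rotary group 1 and put the VTYs in that group, so
! SSH is also reachable on 2222. Port 22 keeps listening; close it on the
! internet-facing ACL so only 2222 is exposed outside.
ip ssh port 2222 rotary 1
line vty 0 4
 rotary 1
 transport input ssh
 exec-timeout 5 0
 login local
!
! Verify:
!   show ip ssh   -> "SSH Enabled - version 2.0"
!   show ssh      -> active sessions and their protocol version
! Then confirm from outside: ssh -p 2222 admin@<router>  and a port scan
! of 22 and 23 against the public address, which should show them closed.
```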

Brannen
4 posts

Unless you need to talk to China, why not simply put in an ACL to drop 119/8 or a route map to black hole them?
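
Added example, not from any poster in this thread: the two ways of dropping 119/8 that Brannen mentions, an interface ACL and a Null0 black hole, with the caveat a practitioner needs for the second. The interface name FastEthernet0/0 and the ACL name OUTSIDE-IN are assumptions; the ACL is reduced to the lines relevant here and is not the poster's real CBAC configuration.

```cisco
! Added example, not from the thread. Interface and ACL names are assumptions.
!
! Option A: deny the /8 on the internet-facing interface, above the line
! that lets SSH in, so the guesser is dropped before the VTY ACL is reached.
ip access-list extended OUTSIDE-IN
 deny   ip 119.0.0.0 0.255.255.255 any log
 permit tcp any any eq 22
 deny   ip any any
!
interface FastEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
!
! Option B: black hole. A static route to Null0 by itself only discards
! packets sent TO 119/8 (your replies). To discard packets FROM 119/8 pair
! it with loose-mode uRPF, which drops any packet whose source address
! routes to Null0. Either way you lose all reachability to that /8.
ip route 119.0.0.0 255.0.0.0 Null0
interface FastEthernet0/0
 ip verify unicast source reachable-via any
!
! Verify:
!   show ip access-lists OUTSIDE-IN             -> match counters climbing
!   show ip interface FastEthernet0/0 | include verify
!   show ip route 119.62.128.115                -> directly connected, Null0
```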

sacox31s
20 posts

Brannen, I would do that but then I wouldn't receive my weekly communist newsletter. Just kidding, if you look at the 2nd post in this thread you'll see that I did implement an ACL.
