There are few ways to trace that, but provided the unauthorised users did not erase his/her footprint/trail.
# Router log
If local log is enabled (buffer logging - depend on logging level as well), check if you can find any entries of successful login, config modification and so on. But this will be useless if the person cleared the log right before he/she logged out.
If you have external syslog server, check the logs from there.
# Config update/changes
Compare current router config with the last one you saved. Verify any differences. You probably found some unfamiliar entries there if the hackers modify it.
Issue 'sh run' and check who made the last changes on what time/date. But bear in mind that some hackers might not changed/modify anything. They just went in and copy out the config. Example:
Current configuration : 11865 bytes
! Last configuration change at 04:10:58 GMT+1 Thu Dec 7 2006 by xxxxxx-user --> unknown to you!
! NVRAM config last updated at 04:41:22 GMT+1 Sun Nov 5 2006 by xxxxxx-user -->
# Check who's online
Issue 'who' or 'sh user' to check current users (& the source IP) accessing your router. But this is only applicable if the unknown user is still there.
Below are some links on securing/improving Cisco router security:
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :