Cisco Support Community

Hacked Routers

Is there a way to tell if a router has been hacked/compromised? What should you look for?



Re: Hacked Routers

There are a few ways to trace that, provided the unauthorised user did not erase his/her footprint/trail.

# Router log

If local logging is enabled (buffer logging; this depends on the logging level as well), check if you can find any entries of successful login, config modification and so on. But this will be useless if the person cleared the log right before he/she logged out.

If you have an external syslog server, check the logs there.

# Config update/changes

Compare the current router config with the last one you saved. Verify any differences. You will probably find some unfamiliar entries there if the hackers modified it.

Issue 'sh run' and check who made the last changes and at what time/date. But bear in mind that some hackers might not have changed/modified anything. They just went in and copied out the config. Example:

Router01#sh run

Building configuration...

Current configuration : 11865 bytes


! Last configuration change at 04:10:58 GMT+1 Thu Dec 7 2006 by xxxxxx-user --> unknown to you!

! NVRAM config last updated at 04:41:22 GMT+1 Sun Nov 5 2006 by xxxxxx-user -->


# Check who's online

Issue 'who' or 'sh user' to check current users (& the source IP) accessing your router. But this is only applicable if the unknown user is still there.

Below are some links on securing/improving Cisco router security:



Re: Hacked Routers

Agree with the above; however, if local logging is enabled but the log is blank, that should make you suspicious.
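
The config comparison and 'Last configuration change' check described in the first reply, scripted in Python as an added example that is not part of the original thread. The known-admin list, the two sample captures and the list of volatile lines are assumptions constructed for illustration.

```python
import difflib
import re

# Header comments IOS prints at the top of 'show running-config'.
HEADER_RE = re.compile(
    r"^! (Last configuration change|NVRAM config last updated) at (.+?) by (\S+)")
# Lines that change between captures with no real edit (assumed list; extend it).
VOLATILE_RE = re.compile(r"^(Building configuration|Current configuration :|ntp clock-period)")

# Constructed sample captures, not taken from a real device.
BASELINE = """\
! Last configuration change at 09:12:03 GMT+1 Mon Nov 6 2006 by netadmin
hostname Router01
line vty 0 4
 access-class 10 in
 transport input ssh
"""
CURRENT = """\
Building configuration...
Current configuration : 11865 bytes
! Last configuration change at 04:10:58 GMT+1 Thu Dec 7 2006 by xxxxxx-user
hostname Router01
username support privilege 15 secret 5 <redacted>
line vty 0 4
 transport input telnet ssh
"""

def change_headers(text):
    """Return (event, timestamp, user) for each change header in a capture."""
    return [m.groups() for m in map(HEADER_RE.match, text.splitlines()) if m]

def unknown_editors(text, known_users):
    """Users named in change headers that are not on the known-admin list."""
    return sorted({user for _, _, user in change_headers(text)} - set(known_users))

def config_drift(baseline, current):
    """Added ('+ ') and removed ('- ') lines, ignoring headers and volatile lines."""
    def clean(text):
        return [l.rstrip() for l in text.splitlines()
                if l.strip() not in ("", "!")
                and not HEADER_RE.match(l) and not VOLATILE_RE.match(l)]
    return [d for d in difflib.ndiff(clean(baseline), clean(current))
            if d[:2] in ("+ ", "- ")]

if __name__ == "__main__":
    print("Unknown editors:", unknown_editors(CURRENT, {"netadmin"}))
    print("\n".join(config_drift(BASELINE, CURRENT)))
```

An empty drift list does not clear the device: as the first reply notes, someone may have only copied the config out, so the header check and off-box syslog still matter.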
