Cisco Support Community
New Member

Strange behavior in ACL- have I been hacked?

I recently noticed a change in the access list for my 2600, which is used as a DSL firewall. I'm seeing IP addresses permitted that I didn't enter. When I try to either reload the ACL or deny those addresses, they get repopulated. Here's the ACL as stored in a text file:

no access-list 102

access-list 102 permit tcp any host 65.184.57.73 established

access-list 102 permit tcp 216.227.56.120 65.184.57.73 any

access-list 102 permit tcp 65.187.0.151 65.184.57.73 any

access-list 102 permit tcp any host 172.17.0.0 established

access-list 102 permit tcp 216.227.56.120 172.17.0.0 any

access-list 102 permit tcp 65.187.0.151 172.17.0.0 any

access-list 102 permit udp 216.227.56.120 172.17.0.0 any

access-list 102 permit udp 65.187.0.151 172.17.0.0 any

access-list 102 permit udp 216.227.56.120 65.184.57.73 any

access-list 102 permit udp 65.187.0.151 65.184.57.73 any

access-list 102 permit udp host 65.184.57.73 any eq 44444

access-list 102 permit udp host 65.184.57.73 any eq isakmp

access-list 102 permit esp host 65.184.57.73 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any redirect

access-list 102 permit icmp any any administratively-prohibited

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any source-quench

access-list 102 permit icmp any any unreachable

access-list 102 deny icmp any any log

access-list 102 deny ip 10.0.0.0 0.255.255.255 any log

access-list 102 deny ip 172.16.0.0 0.15.255.255 any log

access-list 102 deny ip 192.168.0.0 0.0.255.255 any log

access-list 102 deny ip host 65.184.57.73 any log

And here's what I get with a show run command immediately after entering the above commands:

Extended IP access list 102

permit tcp any host 65.184.57.73 established

permit tcp 152.67.0.48 65.184.57.73 any

permit tcp 0.3.0.150 65.184.57.73 any

permit tcp any host 172.17.0.0 established

permit tcp 80.226.56.120 172.17.0.0 any

permit tcp 65.170.0.151 172.17.0.0 any

permit udp 80.226.56.120 172.17.0.0 any

permit udp 65.170.0.151 172.17.0.0 any

permit udp 152.67.0.48 65.184.57.73 any

permit udp 0.3.0.150 65.184.57.73 any

permit udp host 65.184.57.73 any eq 44444

permit udp host 65.184.57.73 any eq isakmp

permit esp host 65.184.57.73 any

permit icmp any any echo-reply

permit icmp any any redirect

permit icmp any any administratively-prohibited

permit icmp any any time-exceeded

permit icmp any any source-quench

permit icmp any any unreachable

deny icmp any any log

deny ip 10.0.0.0 0.255.255.255 any log

deny ip 172.16.0.0 0.15.255.255 any log

deny ip 192.168.0.0 0.0.255.255 any log

deny ip host 65.184.57.73 any log

What's going on here? Even if I reload the router from tftp, I still get the same scenario, same addresses. Have I been hacked or is something else going on?

I'm relatively green about the finer points of router security...

Thanks!

Charlie Kaiser

1 REPLY
Silver

Re: Strange behavior in ACL- have I been hacked?

Try changing your enable password. Set up SNTP to display when your configuration was changed last. Make sure you remove all your access-list lines and re-enter them.

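An added example, not part of either post above: in an IOS extended ACL, an address that is not preceded by `host` is followed by a wildcard mask, and the router stores the address with the wildcard's "don't care" bits cleared. The Python below applies that rule to lines copied from the question and reproduces the addresses seen in the show output; the function names and the warning text are this example's own.

```python
import ipaddress

# Lines as entered in the question above (a subset, copied from the post).
ENTERED = [
    "access-list 102 permit tcp any host 65.184.57.73 established",
    "access-list 102 permit tcp 216.227.56.120 65.184.57.73 any",
    "access-list 102 permit tcp 65.187.0.151 65.184.57.73 any",
    "access-list 102 permit udp 216.227.56.120 172.17.0.0 any",
    "access-list 102 permit udp 65.187.0.151 172.17.0.0 any",
    "access-list 102 deny ip 10.0.0.0 0.255.255.255 any log",
]


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def contiguous_wildcard(w):
    """True if w is an inverted netmask: 0 bits first, then only 1 bits."""
    return (w & (w + 1)) == 0


def normalize(line):
    """Return (stored_entry, warning) for a numbered extended ACL line.

    Handles only the source field and assumes the
    'access-list N action proto source ...' layout used on this page.
    """
    tok = line.split()
    src = 4  # position of the source field
    if len(tok) < src + 2 or not (is_ipv4(tok[src]) and is_ipv4(tok[src + 1])):
        return " ".join(tok[2:]), None  # 'any' or 'host x': stored unchanged
    addr = int(ipaddress.IPv4Address(tok[src]))
    wild = int(ipaddress.IPv4Address(tok[src + 1]))
    # Bits set in the wildcard are ignored when matching, so they are cleared.
    tok[src] = str(ipaddress.IPv4Address(addr & ~wild & 0xFFFFFFFF))
    warn = None
    if not contiguous_wildcard(wild):  # legal in IOS, but rarely intended
        warn = f"wildcard {tok[src + 1]} is not an inverted netmask; missing 'host'?"
    return " ".join(tok[2:]), warn


if __name__ == "__main__":
    for entry in ENTERED:
        stored, warning = normalize(entry)
        print(stored + (f"    <-- {warning}" if warning else ""))
```

Run over a saved configuration before pasting it into the router, the warning column marks each entry where an intended host address would be read as a wildcard mask.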