'show users' lists unknown usernames!!

I was doing my thing and lost connection in one terminal, so I did a 'show users' to clear the line I had just dropped. What I saw was very scary:

Router#sh run | i user
username user1 privilege 15 secret 5
username user2 privilege 15 secret 5
username user3 privilege 15 secret 5

Router#sh users
    Line       User       Host(s)   Idle       Location
   2 vty 0     leroy123   idle      00:00:03   118.85.105.34
   4 vty 2     a          idle      00:00:03   118.85.105.34
*  6 vty 4     user1      idle      00:00:00   mybox.domain.com

  Interface    User       Mode      Idle       Peer Address
  Se1/0                   Sync PPP  00:00:00   192.168.57.2

Router#sh users
    Line       User       Host(s)   Idle       Location
   2 vty 0     a          idle      00:00:02   118.85.105.34
   3 vty 1     maggot     idle      00:00:02   118.85.105.34
*  6 vty 4     user1      idle      00:00:00   mybox.domain.com

  Interface    User       Mode      Idle       Peer Address
  Se1/0                   Sync PPP  00:00:00   192.168.57.2

Router#sh users
    Line       User       Host(s)   Idle       Location
   2 vty 0     a          idle      00:00:02   118.85.105.34
   3 vty 1     maggot123  idle      00:00:02   118.85.105.34
*  6 vty 4     user1      idle      00:00:00   mybox.domain.com

  Interface    User       Mode      Idle       Peer Address
  Se1/0                   Sync PPP  00:00:00   192.168.57.2

Router#sh users
    Line       User       Host(s)   Idle       Location
   2 vty 0     a          idle      00:00:03   118.85.105.34
   3 vty 1     a          idle      00:00:03   118.85.105.34
*  6 vty 4     user1      idle      00:00:00   mybox.domain.com

  Interface    User       Mode      Idle       Peer Address
  Se1/0                   Sync PPP  00:00:00   192.168.57.2

As you can see, the usernames change frequently. I don't have any kind of external authentication... only local usernames. The IP address is from APNIC and I don't have any associations with anyone in China. What in the world is going on?

EDIT: Well, I scared myself. Looks like it was just an SSH brute-force attack. They stopped when I added an access-list to block them.
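The symptom in the post is a stream of 'show users' rows whose User column holds names that exist nowhere in the local database. As an added example (not from the poster or from Cisco), the Python below parses two such snapshots plus the 'username' lines from the running config and reports, per remote location, the usernames it presented that are not configured locally; the sample output is constructed from the post and the secret hashes are placeholders.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the output quoted in the post (hashes replaced).
SHOW_RUN_USERS = """\
username user1 privilege 15 secret 5 HASH-PLACEHOLDER
username user2 privilege 15 secret 5 HASH-PLACEHOLDER
username user3 privilege 15 secret 5 HASH-PLACEHOLDER
"""
SNAPSHOTS = [
    """\
    Line       User       Host(s)   Idle       Location
   2 vty 0     leroy123   idle      00:00:03   118.85.105.34
   4 vty 2     a          idle      00:00:03   118.85.105.34
*  6 vty 4     user1      idle      00:00:00   mybox.domain.com
""",
    """\
   2 vty 0     a          idle      00:00:02   118.85.105.34
   3 vty 1     maggot     idle      00:00:02   118.85.105.34
*  6 vty 4     user1      idle      00:00:00   mybox.domain.com
""",
]

USERNAME_RE = re.compile(r"^username\s+(\S+)", re.M)
# One terminal-line row of 'show users': optional '*' marking our own session,
# line number, line type and index, user, host(s), idle time, remote location.
SESSION_RE = re.compile(
    r"^\*?\s*(?P<line>\d+)\s+(?P<type>vty|con|aux|tty)\s+(?P<idx>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<hosts>\S+)\s+(?P<idle>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<location>\S+)\s*$", re.M)

def parse_local_users(show_run):
    """Usernames configured with 'username ...' in the running config."""
    return set(USERNAME_RE.findall(show_run))

def parse_sessions(show_users):
    # Header and interface (PPP) rows do not match the pattern and are skipped.
    return [m.groupdict() for m in SESSION_RE.finditer(show_users)]

def unknown_user_sources(snapshots, show_run):
    """Remote location -> sorted usernames it presented that are not configured
    locally. Non-empty entries are logins against accounts the router lacks."""
    local = parse_local_users(show_run)
    hits = defaultdict(set)
    for snap in snapshots:
        for s in parse_sessions(snap):
            if s["user"] not in local:
                hits[s["location"]].add(s["user"])
    return {loc: sorted(users) for loc, users in hits.items()}
```

Running it over the two constructed snapshots attributes every unknown name to 118.85.105.34 and nothing to mybox.domain.com, which is the split the poster worked out by eye.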

1 REPLY

Re: 'show users' lists unknown usernames!!

I don't know where you applied your ACLs, but you might want to ensure you have ACLs on your VTY lines and on your SNMP RO/RW access.
