- Alert on a suspicious connection via SSH to the VTY line of a Cisco ISR 1100 router.
- Logged in to the router and saw an established connection to port 22 from an IP belonging to the Chinanet ISP (the router is in Israel). The router was compromised: someone had removed the ACL from the VTY lines. I deleted all local usernames, created new ones with complex passwords, applied an ACL to VTY 0 4, and made sure no malicious configuration changes had been made. But how do I disconnect the connected attacker without reloading the whole router? (Applying an ACL does not drop an already established connection.)
- See the established connections to the Cisco router:
show tcp brief

TCB         Local Address         Foreign Address         (state)
7F7019F118  126.96.36.199.22      188.8.131.52.14088      FINWAIT1
7F6EEE29D0  184.108.40.206.23     220.127.116.11.44770    ESTAB
7F640A08B0  18.104.22.168.22      22.214.171.124.25021    FINWAIT1
7F70176C98  126.96.36.199.22      188.8.131.52.47365      ESTAB
7F6F6A08E8  184.108.40.206.23     220.127.116.11.43466    FINWAIT1
7F6D8508F8  18.104.22.168.22      22.214.171.124.31052    FINWAIT1
7F701A5898  126.96.36.199.23      188.8.131.52.50138      FINWAIT1
7F6ED4B298  184.108.40.206.23     220.127.116.11.41600    FINWAIT1
18.104.22.168 - Cisco ISR 1100 (sanitized)
22.214.171.124 - My IP (sanitized)
126.96.36.199 - Chinanet ISP (real)
Apply the ACL to VTY lines 0 4 (not shown). This only stops new connections; the session the attacker already holds stays up until its TCP control block is torn down.

Disconnect the attacker by clearing that control block, using the TCB id from the first column of show tcp brief:

clear tcp tcb <tcb-id>

Here the attacker's session is the ESTAB entry on port 22, TCB 7F70176C98:

#clear tcp tcb 7F70176C98
[confirm]
[OK]

Afterwards, run show tcp brief again to confirm the TCB is gone and show users to confirm the VTY line is free.
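The same triage done in a script, as an added example that is not part of the original post: it parses show tcp brief output, flags SSH/Telnet sessions whose peer is outside an admin allow-list, and prints the matching clear tcp tcb commands to paste into the router. The sample output, the IP addresses and the allow-list range below are constructed for illustration, not from the page.

```python
"""Pick out router management sessions that did not come from an approved
admin address and emit the matching 'clear tcp tcb' commands.

Added example, not from the original post. SAMPLE_SHOW_TCP_BRIEF is a
constructed 'show tcp brief' listing; the addresses, TCB ids and the
allow-list are assumptions for illustration.
"""
import ipaddress
import re

# One row of 'show tcp brief': TCB id, local addr.port, foreign addr.port, state.
# IOS joins address and port with a dot, so the address is everything before the last dot.
ROW_RE = re.compile(
    r"^\s*(?P<tcb>[0-9A-Fa-f]+)\s+"
    r"(?P<local>\S+)\.(?P<lport>\d+)\s+"
    r"(?P<foreign>\S+)\.(?P<fport>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)

# Local ports that carry an interactive VTY session (SSH, Telnet).
VTY_PORTS = {22, 23}

# Constructed sample output (not a real capture).
SAMPLE_SHOW_TCP_BRIEF = """\
TCB         Local Address         Foreign Address         (state)
7F70176C98  192.0.2.1.22          203.0.113.77.47365      ESTAB
7F6EEE29D0  192.0.2.1.22          198.51.100.10.44770     ESTAB
7F640A08B0  192.0.2.1.22          198.51.100.10.25021     FINWAIT1
7F701A5898  192.0.2.1.23          203.0.113.77.50138      ESTAB
7F6ED4B298  192.0.2.1.179         192.0.2.2.41600         ESTAB
"""


def parse_show_tcp_brief(text):
    """Return one dict per TCP control block found in the output."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        sessions.append({
            "tcb": m["tcb"].upper(),
            "local": m["local"], "lport": int(m["lport"]),
            "foreign": m["foreign"], "fport": int(m["fport"]),
            "state": m["state"],
        })
    return sessions


def rogue_vty_sessions(sessions, allowed):
    """VTY sessions whose peer is outside the allow-list of admin networks.

    Half-closed states (FINWAIT*) are reported too: the peer may still hold
    its side open, and clearing the TCB frees the VTY line either way.
    """
    nets = [ipaddress.ip_network(n) for n in allowed]
    rogue = []
    for s in sessions:
        if s["lport"] not in VTY_PORTS:
            continue  # BGP, NetFlow and other non-management sockets
        peer = ipaddress.ip_address(s["foreign"])
        if not any(peer in n for n in nets):
            rogue.append(s)
    return rogue


def clear_commands(sessions):
    """IOS commands that tear down each given control block."""
    return ["clear tcp tcb %s" % s["tcb"] for s in sessions]


if __name__ == "__main__":
    admin_nets = ["198.51.100.0/24"]  # assumed management range
    rogue = rogue_vty_sessions(parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF), admin_nets)
    for s in rogue:
        print("%s -> local port %d (%s)" % (s["foreign"], s["lport"], s["state"]))
    for cmd in clear_commands(rogue):
        print(cmd)
```

Feed it the real output (for example via the device's SSH session or a terminal log) and review the flagged rows before pasting the commands; the allow-list should match the networks permitted by the VTY access-class so that the script and the ACL agree on what counts as an admin host.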
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.