Cisco Routers Vulnerability

Keith Medcalf kmedcalf at
Mon Apr 13 23:03:02 UTC 2015

>> It's reported by different customers in different locations so I don't
>> think it's password compromised

>Have you checked?  If the routers had vty access open (ssh or telnet) and
>the passwords were easy to guess, then it's more likely that this was a
>password compromise.  You can test this out by getting a copy of one of
>the configs and decrypting the access password.  Or by asking your customers
>whether their passwords were dictionary or simple words.

or if mayhaps the passwords were listed on the list of passwords discussed a few days ago:

  353040    sshpsycho_passwords.txt

Once a password list gets published the scripties will update their list of password to brute force with all the other password lists they can find.  Hence lists that exceed 353,000 passwords and growing ..

More information about the NANOG mailing list