On Mon, Apr 13, 2015 at 05:03:02PM -0600, Keith Medcalf wrote:
It's reported by different customers in different locations so I don't think it's password compromised.
Have you checked? If the routers had vty access open (ssh or telnet) and the passwords were easy to guess, then it's more likely that this was a password compromise. You can test this out by getting a copy of one of the configs and decrypting the access password. Or by asking your customers whether their passwords were dictionary or simple words.
or if mayhaps the passwords were listed on the list of passwords discussed a few days ago: ...
For some reason this brings up the following memory of long ago. Had several people notify us in a short period that they all had been watching hackers try the "default Cisco password" on several of our downstream customers' gear. Piqued my interest when it got to me: umm, what default Cisco password? Oh, the hackers were so successful getting into tons of places that the researchers were watching the hackers connect to everywhere in addition to my downstreams with cisco/cisco that they had assumed it was the default. (Of course, this was long before Cisco shipped some piece of gear that actually did have default passwords (don't remember what any longer first started that).)