During troubleshooting of some VPN connection issues, I was running a traffic dump session on the Ecessa PowerLink. I noticed some unusual SSH traffic going to the internal VPN router. When I entered in “show users” at the command line of the router, it showed myself and someone using “root” connected. The IP address of the “root” user was an external IP address. I performed a “whois” on the IP address. It appeared to be originating from St. Louis Missouri. [more]
I talked to another engineer about this and after some investigation and testing, it turns out that when a person is trying to connect to a Cisco device, the show users output will show whatever username is being utilized. I verified this by connecting to the same router and typing it “admin” at the username prompt. The show users output showed the name admin.