Couple of proposals to deal with the above:
- I can remove these accounts on all routers that have WMS installed. Would need to ensure that we have a backup account (user wms with ssh access and radius).
- I can change these accounts on all routers that have WMS to a random password (unique to that router).
- I can remove all accounts where the hacker logged in successfully (only WMS). Only leaving radius / wms user active. The reason is that he probably gained the credentials of any account on a router where he logged in. The wms account is relatively safe as it is ssh key based. I will re-randomise the password for that account anyway.
I would say the best would be to do both 1 and 3. This would still leave non WMS routers as is. Not much I could do about it I think.
To do the above the @NetworkAdmins would need to help me restore access to routers where only radius would then be active. As it would lead to a lot of queries from people as they would lose access to their routers.
I'd like some opinions from people on what to do?
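One way to turn options 1 and 3 into a checkable remediation plan, as an added example that is not part of the original post: the inventory, the compromised-login pairs and the router names below are constructed, and the script only produces the plan (which local accounts to drop, a unique random wms password per router) and holds back any router that would be left without both RADIUS and a working wms SSH key.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed sample inventory (not real devices): which routers run WMS,
# their local accounts, and whether the fallback paths (RADIUS and the
# SSH-key-based wms user) are currently working.
@dataclass
class Router:
    name: str
    wms_installed: bool
    local_accounts: tuple
    radius_ok: bool
    wms_key_ok: bool

ROUTERS = [
    Router("edge-1", True, ("admin", "netops", "wms"), True, True),
    Router("edge-2", True, ("admin", "wms"), False, True),      # RADIUS broken
    Router("core-1", False, ("admin", "netops"), True, False),  # no WMS
]
# Constructed (router, account) pairs where the attacker logged in successfully
COMPROMISED = {("edge-1", "admin"), ("core-1", "admin")}

KEEP = {"wms"}  # key-based account that stays as the backup path

def random_password(length=24):
    # Fresh secret per call, so every router gets its own wms password
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def plan_for(router, compromised=COMPROMISED):
    """Options 1 + 3 from the post: on WMS routers drop every local account
    except wms and re-randomise the wms password. A router without RADIUS
    and a working wms key is held, since removing accounts would lock it."""
    if not router.wms_installed:
        return {"router": router.name, "action": "skip", "reason": "no WMS"}
    if not (router.radius_ok and router.wms_key_ok):
        return {"router": router.name, "action": "hold",
                "reason": "no backup access path; fix RADIUS/wms key first"}
    remove = sorted(a for a in router.local_accounts if a not in KEEP)
    return {
        "router": router.name,
        "action": "remediate",
        "remove": remove,
        "attacker_used": sorted(a for a in remove if (router.name, a) in compromised),
        "wms_password": random_password(),
    }

def build_plan(routers=ROUTERS):
    return [plan_for(r) for r in routers]
```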