Many Cisco routers allow downloading and uploading(!) of configuration files using special SNMP fields in conjunction with FTP/SCP. There are many of these misconfigured routers exposed to the internet and I'd be surprised if they all haven't been backdoored.