ISC reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a Snort signature. Thanks James! You're awesome! The traffic is scanning TCP port 5000. After establishing a connection it sends "GET /webman/info.cgi?host='". This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code execution exploit published in October 2013. There is currently a Metasploit module available for the vulnerability. Thanks to James for the following Snort signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi|3f|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?
Follow me on Twitter: @markbaggett
http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers
http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers
Mark (ISC Handler), Mar 6th 2014
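An added example, not code from the diary or from James Lay's rule, of the same check applied to a web-server access log in Python: it flags requests to /webman/info.cgi that carry a host parameter, which is what the Snort content match keys on, and tallies them per source address so a spike like the one described here stands out. The log lines and addresses are constructed, and parsing the query (rather than matching the literal string) is a slight generalisation of the rule.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by Apache/nginx; the request line is quoted.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
PROBE_PATH = "/webman/info.cgi"  # DSM CGI probed on TCP 5000 in the capture


def is_dsm_probe(request_line):
    """True when the request targets /webman/info.cgi with a host parameter."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if url.path != PROBE_PATH:
        return False
    # Parse the query so the parameter is found regardless of order or value
    # (the Snort rule matches the literal bytes "/webman/info.cgi?host=").
    return "host" in parse_qs(url.query, keep_blank_values=True)


def scan_log(lines):
    """Return {source_ip: hit_count} for lines that match the probe."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_dsm_probe(m.group("req")):
            hits[m.group("src")] += 1
    return hits


# Constructed sample log lines (documentation address ranges, not real traffic);
# the request line reproduces the probe seen in the diary's capture.
SAMPLE = [
    '203.0.113.7 - - [06/Mar/2014:10:00:01 +0000] "GET /webman/info.cgi?host=\' HTTP/1.1" 404 0',
    '203.0.113.7 - - [06/Mar/2014:10:00:02 +0000] "GET /webman/info.cgi?host=\' HTTP/1.1" 404 0',
    '198.51.100.4 - - [06/Mar/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Mar/2014:10:00:04 +0000] "GET /webman/info.cgi?host=x HTTP/1.0" 200 77',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for src, n in scan_log(SAMPLE).most_common():
        print(f"{src}: {n} probe(s)")
```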
Anonymous, Mar 6th 2014:
* you're
ICI2Eye, Mar 6th 2014:
Quoting Anonymous: * you're
On the same theme. * execution
To the 5000 target port incident. Instead of flooding the net with thousands of requests, causing suspicion, wouldn't the logical path be to target the registered users? I have already voiced my opinion to Synology. To date, I have seen over 1500 when I would usually see 5 or so. http://www.synology.com/en-global/company/contact_us CVE-2013-6955 and CVE-2013-6987 <== https://www.pcr-online.biz/news/read/synology-issues-fixes-for-dsm-vulnerability/033277 Reference date of article. Another Kudo for James Lay.