Linksys "The Moon" Worm
Dest. port: 80
Time: 11/02/2019 20:55:16
ASN/ISP: AS16276 OVH SAS
Location: Hauts-de-France, Gravelines (zipcode 59820)
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:
1.0.07 build 1
Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random "admin" credentials, but they are not checked by the script. This second request will launch a simple shell script that will request the actual worm. The worm is about 2MB in size; samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.
Once this code runs, the infected router appears to scan for other victims.
CVE-2002-2159, CVE-2008-1247, CVE-2008-1268, CVE-2008-4594, CVE-2009-3341, CVE-2010-1573, CVE-2010-2261, CVE-2008-0228
POST /HNAP1/ HTTP/1.0
accept-encoding: deflate, gzip, identity
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
<?xml version="1.0" encoding="utf-8"?>