1-1 of 1 results (1 page)
Linksys "The Moon" Worm
Dest. port: 8080
Time: 03/06/2020 05:50:11
ASN/ISP: AS49335 LLC Server v arendy
Location: Moscow, Moscow
The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:
1.0.07 build 1
Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random "admin" credentials but they are not checked by the script. This second request will launch a simple shell script, that will request the actual worm. The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.
Once this code runs, the infected router appears to scan for other victims.
CVE-2002-2159 , CVE-2008-1247 , CVE-2008-1268 , CVE-2008-4594 , CVE-2009-3341 , CVE-2010-1573 , CVE-2010-2261 , CVE-2008-0228
POST /tmUnblock.cgi HTTP/1.1
accept-encoding: gzip, deflate