[get complete service list]
Port Information
Protocol Service Name
tcp TR069 Router Remote Admin
tcp cwmp Broadband Forum CWMP
udp cwmp Broadband Forum CWMP
Top IPs Scanning
Today Yesterday (2825) (3370) (1692) (2776) (1475) (2067) (1144) (2046) (1102) (1824) (852) (1372) (849) (1370) (845) (1348) (564) (1020) (418) (1014)
Port diary mentions
Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
TR-069 NewNTPServer Exploits: What we know so far
Does it matter if iptables isn't running on my honeypot?
User Comments
Submitted By Date
2016-12-03 01:49:23
SOAP attack against some routers. See https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759/
Johannes 2016-11-29 00:13:52
See article about Mirai variant exploiting this vulnerability: https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759/1#38415
2016-11-29 00:12:00
The last 2 days, I've seen a tremendous increase of scans against 7547/tcp on 4 different and independent firewalls on 4 different ISPs. Those firewalls are strict and will quickly block offending IP addresses, so I can't say much about the persistence. But there are each day 200-400 hosts trying to connect to each of these firewalls each day now.
2016-11-29 00:11:56
Just seen a huge spike in scans on 7547 against my networks, commencing at exactly 261400Z Nov 26.
2016-11-29 00:11:51
Misfortune Cookie CVE-2014-9222 "A serious vulnerability in an embedded Web server used by many router models from different manufacturers allows remote attackers to take control of affected devices over the Internet." http://www.pcworld.com/article/2861232/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html
CVE Links
CVE # Description