• Advertisement

Suggestion: bots scanning for vulnerable Netis routers

Suggestion: bots scanning for vulnerable Netis routers

Postby magick » 29. Jul 2016, 10:26


http://blog.trendmicro.com/trendlabs-se ... -backdoor/
see also https://netisscan.shadowserver.org/ <- suggets whitelist these folks

Number of unique IPs probing:

1935 seen on a London server, 1903 from a server in Frankfurt (in the ~4 days covered by my /var/log/messages)

Proportion of these unique IPs not known to blocklist.de:

root@debian:~# fwlogwatch -Eipd53413 |grep from.*to |awk {'print $4'} | sort -u | wc -l
root@debian:~# fwlogwatch -Eipd53413 |grep from.*to |awk {'print $4'} | sort -u > bots53413
root@debian:~# curl --silent https://lists.blocklist.de/lists/all.txt | sort -u > blde_all
root@debian:~# comm -23 bots53413 blde_all | wc -l

Geographical dispersal:

root@debian:~# rm -f /dev/shm/out; cat bots53413 | while read ip; do c=`geoiplookup $ip|grep "Country"|cut -d \, -f 1|awk {'print $4'}`; mkdir -p /dev/shm/53413/$c; touch /dev/shm/53413/$c/$ip; done; for ccdir in `find /dev/shm/53413 -maxdepth 1`; do count=`find $ccdir -maxdepth 1 -type f | wc -l`; cc=`echo $ccdir | cut -d \/ -f 5`; echo "$cc: $count" >> /dev/shm/out; done; cat /dev/shm/out | sort -k2 -nr;
VN: 313
BR: 243
TW: 206
KR: 193
RU: 123
CN: 111
RO: 73
TR: 68
UA: 66
IN: 53
US: 51
CO: 46
MX: 39
PL: 28
AR: 28
CL: 18
FR: 17
BG: 17
ID: 16
KH: 13
HU: 13
ES: 12
HK: 11
GB: 10
IL: 9
VE: 8
IR: 8
PH: 7
MY: 7
IT: 7
BD: 7
AM: 7
TH: 6
PA: 6
UY: 5
AL: 5
SG: 4
PK: 4
MK: 4
CA: 4
TN: 3
QA: 3
PY: 3
PR: 3
KZ: 3
JO: 3
CZ: 3
ZA: 2
SE: 2
RS: 2
NL: 2
MO: 2
MD: 2
LV: 2
JP: 2
IP: 2
GR: 2
GE: 2
EG: 2
EC: 2
DE: 2
SK: 1
SI: 1
PT: 1
NO: 1
MV: 1
MN: 1
MA: 1
LK: 1
LA: 1
KG: 1
IQ: 1
IE: 1
HN: 1
DO: 1
CY: 1
BS: 1
BO: 1
BH: 1
BE: 1
BA: 1

I have not thought in much depth about how to implement this with fail2ban; firewall configurations will be site-specific and may not lend themselves to a fail2ban config for general use. fwlogwatch also supports the use of realtime reporting scripts so whilst I'm not (yet) familiar with the API, if blocklist.de wants reports of these sorts of bots I'm sure it can't be hard to select a sensible subset of persistent hosts and feed them back in.

Probes are widely dispersed and not unduly recursive. Analysis of the last 24h of data based on a single probe yielded 520 unique IPs total, or 983 unique IPs over 48h, or 1464 over 72h, so we're seeing something like 500 new IP addresses per day, suggesting a botnet.

Restricting to the hosts that have probed my particular server twice yields 362 unique IPs last 24h, 693 last 48h, 1037 last 72h, 1410 last 96h (three quarters of them are repeat offenders).

Limiting to hosts that have probed three times yields 16 unique IPs last 24h (< 1% of total 24h probes), 52 last 48h (5.28% of 48h total), 84 last 72h (5.74% of 72h total) or 111 in 4 days (5.74% of 96h total). Thus, repeating but not hammering; ~75% of the unique IPs that are seen once are seen twice (across all timeframes analysed) but < 6% are seen three times (within the logs from 4 days).

Therefore, my suggested reporting criteria would be a count of either 1 or 2 probes to UDP port 53413. Timeframe for the log analysis does not seem to affect the hit rate substantially: 18/24 unique hosts probed twice within one hour, 41/53 probed twice within two hours, 50/68 probed twice within 3 hours, 61/86 within 4 hours or 170/252 within 12 hours. Thus, a count of 2 and a timeframe of 2 hours would look like a fairly safe bet.

However, the analysis of IPs and countries suggests to me that a count of 1 with a whitelist for the "good" scanners wouldn't produce any false positives here, and the sudden spike in firewall activity involves 67% to 77% of infected hosts with count 2 or more and 23% to 33% with count 1. My interpretation (which can be wrong, but this all happened overnight) is that in all probability, either there are two versions of the same worm, or an individual bot is probing only once and the IPs with count 2 or 3 represent multiple infected machines behind a single IP address.

This theory is supported by further log analysis: only 92 unique IP addresses probed 4 or more times in 4 days, 17 addresses 6 or more times, 6 addresses 8 or more times and just 1 address (out of, by now, 1982 total unique IP addresses) 12 or more times. All of this supports a fast moving worm attempting this particular exploit once per IP address only, a minority of them having infections already known to blocklist.de, majority in places with a high count of vulnerable systems and the IP address dispersal suggests (to me) a couple of computers per household. Thus, I would propose listing these particular hosts based on a single probe. Thoughts?
Posts: 3
Joined: 24. Jul 2016, 07:04

Re: Suggestion: bots scanning for vulnerable Netis routers

Postby Martin » 31. Jul 2016, 22:18

Hi Magick,

iam sorry, but i dont read your post complety :-|
But when you have Logfiles for this Type of Attacks, you can send me them and i can lock, in which type of Attack it is on blocklist.de and which x-arf schema is needed and can add them to blocklist.de
Then you can report the Logfiles to us: https://www.blocklist.de/en/download.html#ohnefail2ban
Mfg Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service
User avatar
Posts: 403
Joined: 14. Sep 2010, 11:54

Return to Wish

Who is online

Users browsing this forum: No registered users and 1 guest

  • Advertisement