Blast From the Past: D-Link Probes in the HITME

We got a few scans for an old D-Link router vulnerability that dates back to 2009. It’s interesting to me how long scanning signatures live in online malware and scanning tools. This has lived for quite a while. 

Here are the catches from a HoneyPoint Personal Edition I have deployed at home and exposed to the Internet. Mostly, this is just to give folks looking at the scans in their logs an idea of what is going on. (xxx) replaces the IP address… 

2013-10-02 02:46:13 – HoneyPoint received a probe from 71.103.222.99 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46dWA+NXhZQlU1d2VR Connection: keep-alive

2013-10-02 03:22:13 – HoneyPoint received a probe from 71.224.194.47 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Opera/6.x (Linux 2.4.8-26mdk i686; U) [en] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46InkwYi4qMF5wL05G Connection: keep-alive

This probe is often associated with vulnerable D-Link routers, usually older ones, those made between 2006 and mid-2010. The original release and proof of concept exploit tool is here. The scan has also been embedded into several scanning tools and a couple of pieces of malware, so it continues to thrive.

Obviously, if you are using these older D-Link routers at home or in a business, make sure they are updated to the latest firmware, and they may still be vulnerable, depending on their age. You should replace older routers with this vulnerability if they can not be upgraded. 

The proof of concept exploit also contains an excellent doc that explains the HNAP protocol in detail. Give it a read. It’s dated, but remains very interesting.

PS – As an aside, I also ran the exploit through VirusTotal to see what kind of detection rate it gets. 0% was the answer, at least for that basic exploit PoC. 

Just a Reminder, SIP is a Popular Scanning Target

I just wanted to give you a quick reminder that SIP scanning remains quite popular on the Internet. These probes can lead to compromise and fraud against your VoIP systems. Make sure you do not have VoIP systems exposed to the Internet without proper controls. If you review your logs on the Internet perimeter, SIP scans will look similar to this:

This was captured from the HITME using HoneyPoint Personal Edition.

2013-09-30 17:02:18 – HoneyPoint received a probe from 207.127.61.156 on port 23

Input: OPTIONS sip:nm SIP/2.0

Via: SIP/2.0/TCP nm;branch=foo

From: <sip:nm@nm>;tag=root

To: <sip:nm2@nm2>

Call-ID: 50000

CSeq: 42 OPTIONS

Max-Forwards: 70

Content-Length: 0

Contact: <sip:nm@nm>

Accept: application/sdp

Keep an inventory of your VoIP exposures. They remain a high area of interest for attackers.

SNMP Scans

We have noticed, and noticed around the net that there has been a sharp increase in SNMP port scans. No doubt this is due to the recent vulnerability and exploit code released. If you happen to be running SNMP exposed on your external network (something that should be discouraged), it would be a very good idea to update those devices, and also block those ports or restrict access if they do not absolutely need to be exposed.