RE: Strange authentication attempts

From: Steven Trewick (STrewick_at_joplings.co.uk)
Date: 04/02/04

    To: 'John Narron' <zeek@cdsinet.net>, incidents@securityfocus.com
    Date: Fri, 2 Apr 2004 10:39:23 +0100
    
    

    John,

    I think you are 100% correct.

    This looks like a scripted attack on Cayman/Netopia DSL routers
    (or similar kit).

    The manual for one of these can be downloaded from:
    http://cayman.com/equipment/products/cayman/3000/3300.html

    I make this assumption based on the command syntax of the embedded OS
    on the Cayman router, which appears to be very similar to the command
    syntax used on ATMOS based routers with which I have become very familiar.

    Essentially, if the router was configured with no admin password,
    which, as far as I can see for the model referred to in the dox,
    shouldn't happen (but we all know these things *do* happen), then
    a telnet to the router's IP would yield an instant CLI with no
    authentication, and the following tuples, rather than being auth
    attempts, most likely represent (as you suggest) commands to the
    router CLI.

    The command syntax for the CLIs on these types of devices can often
    be accessed almost as though it were a directory structure (XML-ists
    among you will probably like to call these namespaces).

    This is also the case for the Cayman OS (from the manual):
    "The help command lets you display on-line help for SHELL and CONFIG
    commands. To display a list of the commands available to you from your
    current location within the command line interface hierarchy, enter help. "

    This sounds a bit odd, so here's an example based on an ATMOS CLI session;
    think of 'help' as a replacement for ls (or dir, if you're that way
    inclined).

    hax0r@somebox># telnet 192.168.0.1

    192.168.0.1> help

    ip nat bun ethernet system

    192.168.0.1>ip
    192.168.0.1>help

    ping dhcp version [etc]

    192.168.0.1>ping 192.168.0.2
    PING - reply from 192.168.0.2

    192.168.0.1>

    We could have achieved the same thing by typing

    192.168.0.1>ip ping 192.168.0.2

    from the initial menu.

    A telnet session to a CLI like this with no password that then issues
    the command 'config system' would match the syntax of the Cayman OS.

    Technically the full CLI syntax for the first tuple config/system
    would be 'configure system' (See the manual for the syntax notes),
    however, the Cayman OS allows the shortening of syntax elements to
    their shortest unique representation, so 'config system' will
    work just as well.

    The next set of commands is attempting to set two passwords,
    one for user 'admin' and one for user 'user'.

    Not so coincidentally, these are the two hardwired user accounts
    in the Cayman OS.

    After the password commands are issued, we see the double of the
    password, again this is characteristic of the Cayman OS as per the
    syntax guide. (My ATMOS routers for instance don't ask for any kind
    of confirmation on password changes, but then, they'll let you do
    it by SNMP, go figure!)

    Again, the full syntax would actually be 'set password admin | user';
    I'm willing to bet the 'set' part of the command is redundant
    (as is the case on the ATMOS based stuff I have lying round).

    Either that, or the script is broken, and even if it came across
    an unprotected Cayman (or similar OS) router, it wouldn't work.

    I know where I'd put my money.

    Also, here is a correlation of Cayman kit being installed by engineers
    at customer premises with no passwords (although this is fairly old):
    http://www.securiteam.com/securitynews/5UP0A000HC.html

    Note that in the write up, the command set used to *set passwords*
    to protect the router is unerringly similar to the traces presented,
    and consistent with the discussion above.

    Of course, it could be something else entirely :-)

    > -----Original Message-----
    > From: John Narron [mailto:zeek@cdsinet.net]
    > Sent: 31 March 2004 16:33
    > To: incidents@securityfocus.com
    > Subject: Re: Strange authentication attempts
    >
    >
    > In-Reply-To: <20040330164153.5848.qmail@www.securityfocus.com>
    >
    > I've gathered some new information regarding this incident.
    >
    > I've been watching port 23 coming in and out of my network
    > and captured a session. It appears to be some worm, trojan,
    > or script that's seeking out a particular device that allows
    > an unauthenticated login, then sets up a username and
    > password and saves the configuration. The commands are as follows:
    >
    > config
    > system
    > password admin
    > 13370n3z
    > 13370n3z
    > password user
    > fawkoffsz
    > fawkoffsz
    > save
    >
    > It appears to set up a user named 'admin' with a password of
    > '13370n3z', and another user named 'user' with a password of
    > 'fawkoffsz'. I'm not sure what kind of device uses this
    > sequence of commands, but I'm suspecting some sort of cable
    > or DSL router (since a lot of those, still, come with
    > unauthenticated logins).


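As an added example (not part of the thread, and not any vendor's code), the following Python script applies the analysis above to captured telnet session transcripts the way a defender reviewing port 23 captures might: it expands abbreviated command words to their full form using the shortest-unique-prefix rule Steven describes, tracks whether the client reached the config/system namespace without the router ever issuing a login prompt, and records each `password <user>` command together with the repeated confirmation and a final `save`. The command vocabulary, the `C:`/`S:` transcript format, the prompts and the second and third sample sessions are constructed for illustration and are not taken from the Cayman manual; only the command sequence in the first sample is the one John posted.

```python
"""Classify captured telnet-session transcripts for the unauthenticated
router-reconfiguration pattern discussed in the thread.

Added example; COMMAND_WORDS is a constructed stand-in for a router CLI
hierarchy, not a vendor command reference.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vocabulary (assumption, not from any manual).
COMMAND_WORDS = ["configure", "system", "password", "save", "help", "ping", "ip", "version"]
NAVIGATION_WORDS = ("configure", "system")


def expand_abbreviation(word: str, vocabulary=COMMAND_WORDS) -> Optional[str]:
    """Resolve a shortened command word to its full form.

    Mirrors the shortening rule described in the post: a prefix that is
    unique within the vocabulary is accepted ('config' -> 'configure');
    an ambiguous prefix such as 's' (system? save?) yields None.
    """
    w = word.lower()
    matches = [v for v in vocabulary if v.startswith(w)]
    if len(matches) == 1:
        return matches[0]
    return w if w in matches else None


@dataclass
class Finding:
    """What one transcript revealed about the session."""
    prompted_for_auth: bool = False  # router asked for a login or password
    entered_config: bool = False     # client reached the config/system namespace
    accounts_set: List[str] = field(default_factory=list)  # password set and confirmed
    saved: bool = False              # configuration written with 'save'

    @property
    def is_takeover_attempt(self) -> bool:
        # Reaching the config namespace and saving without ever being challenged
        # is the signature of the scripted attack, whether or not the password
        # commands themselves were accepted (the "script is broken" case).
        return self.entered_config and self.saved and not self.prompted_for_auth


def analyze_session(transcript: List[str]) -> Finding:
    """Walk lines tagged 'S: ' (router output) or 'C: ' (client input)."""
    finding = Finding()
    context: List[str] = []
    pending_user: Optional[str] = None    # user named in 'password <user>'
    pending_secret: Optional[str] = None  # first of the two password entries

    for raw in transcript:
        direction, _, text = raw.partition(" ")
        text = text.strip()
        if direction == "S:":
            # A login/password prompt means the CLI was not open to anyone.
            if text.lower().endswith(("login:", "username:", "password:")):
                finding.prompted_for_auth = True
            continue
        if direction != "C:":
            continue

        if pending_user is not None:
            # The OS asks for the new password twice (the "double" in the trace);
            # record the account only when the confirmation matches.
            if pending_secret is None:
                pending_secret = text
            else:
                if text == pending_secret:
                    finding.accounts_set.append(pending_user)
                pending_user = pending_secret = None
            continue

        words = text.split()
        if not words:
            continue
        cmd = expand_abbreviation(words[0])
        if cmd in NAVIGATION_WORDS:
            # Accept 'config' and 'system' on separate lines or 'config system' on one.
            context.extend(w for w in (expand_abbreviation(x) for x in words) if w in NAVIGATION_WORDS)
            if "system" in context:
                finding.entered_config = True
        elif cmd == "password" and len(words) >= 2 and finding.entered_config:
            pending_user = words[1].lower()
        elif cmd == "save":
            finding.saved = True
    return finding


# Constructed transcripts. The client commands in TAKEOVER_SESSION are the ones
# John captured; prompts and the other two sessions are made up.
TAKEOVER_SESSION = ["S: router>", "C: config", "C: system", "C: password admin",
                    "C: 13370n3z", "C: 13370n3z", "C: password user",
                    "C: fawkoffsz", "C: fawkoffsz", "C: save"]
ADMIN_SESSION = ["S: login:", "C: admin", "S: Password:", "C: [redacted]", "S: router>",
                 "C: configure system", "C: password admin", "C: NewSecret1",
                 "C: NewSecret1", "C: save"]
BROKEN_SCRIPT_SESSION = ["S: router>", "C: config system", "C: password admin",
                         "C: abc", "C: abd", "C: save"]

if __name__ == "__main__":
    for name, session in [("takeover", TAKEOVER_SESSION), ("admin", ADMIN_SESSION),
                          ("broken-script", BROKEN_SCRIPT_SESSION)]:
        f = analyze_session(session)
        print(f"{name}: attempt={f.is_takeover_attempt} accounts={f.accounts_set} "
              f"saved={f.saved} prompted={f.prompted_for_auth}")
```

The admin session sets a password and saves too, but is not flagged because the router challenged the client first; the broken-script session is flagged even though its mismatched confirmation means no password was actually changed, which is the outcome worth investigating either way.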

