Security Incidents mailing list archives
RE: Strange authentication attempts
From: Steven Trewick <STrewick () joplings co uk>
Date: Fri, 2 Apr 2004 10:39:23 +0100
John, I think you are 100% correct. This looks like a scripted attack on Cayman/Netopia DSL routers (or similar kit). The manual for one of these can be downloaded from: http://cayman.com/equipment/products/cayman/3000/3300.html

I make this assumption based on the command syntax of the embedded OS on the Cayman router, which appears to be very similar to the command syntax used on ATMOS-based routers, with which I have become very familiar.

Essentially, if the router was configured with no admin password, which, as far as I can see for the model referred to in the dox, shouldn't happen (but we all know these things *do* happen), then a telnet to the router's IP would yield an instant CLI with no authentication, and the following tuples, rather than being auth attempts, most likely represent (as you suggest) commands to the router CLI.

The command syntax for the CLIs on these types of devices can often be accessed almost as though it were a directory structure (XML-ists among you will probably like to call these namespaces). This is also the case for the Cayman OS (from the manual):

"The help command lets you display on-line help for SHELL and CONFIG commands. To display a list of the commands available to you from your current location within the command line interface hierarchy, enter help."

This sounds a bit odd, so here's an example based on an ATMOS CLI session; think of 'help' as a replacement for ls (or dir, if you're that way inclined):

  hax0r@somebox># telnet 192.168.0.1
  192.168.0.1> help
  ip nat bun ethernet system
  192.168.0.1> ip
  192.168.0.1> help
  ping dhcp version [etc]
  192.168.0.1> ping 192.168.0.2
  PING - reply from 192.168.0.2
  192.168.0.1>

We could have achieved the same thing by typing

  192.168.0.1> ip ping 192.168.0.2

from the initial menu. A telnet session to a CLI like this with no password that then issues the command 'config system' would match the syntax of the Cayman OS.
Technically the full CLI syntax for the first tuple, config/system, would be 'configure system' (see the manual for the syntax notes); however, the Cayman OS allows the shortening of syntax elements to their shortest unique representation, so 'config system' will work just as well.

The next set of commands are attempting to set two passwords, one for user 'admin' and one for user 'user'. Not so coincidentally, these are the two hardwired user accounts in the Cayman OS. After the password commands are issued, we see the double of the password; again, this is characteristic of the Cayman OS as per the syntax guide. (My ATMOS routers, for instance, don't ask for any kind of confirmation on password changes, but then, they'll let you do it by SNMP, go figure!)

Again, the full syntax would actually be 'set password admin | user'; I'm willing to bet the 'set' part of the command is redundant (as is the case on the ATMOS-based stuff I have lying round). Either that, or the script is broken, and even if it came across an unprotected Cayman (or similar OS) router, it wouldn't work. I know where I'd put my money.

Also, here is a correlation of Cayman kit being installed by engineers at customer premises with no passwords (although this is fairly old): http://www.securiteam.com/securitynews/5UP0A000HC.html

Note that in the write-up, the command set used to *set passwords* to protect the router is unerringly similar to the traces presented, and consistent with the discussion above.

Of course, it could be something else entirely :-)
-----Original Message-----
From: John Narron [mailto:zeek () cdsinet net]
Sent: 31 March 2004 16:33
To: incidents () securityfocus com
Subject: Re: Strange authentication attempts
In-Reply-To: <20040330164153.5848.qmail () www securityfocus com>

I've gathered some new information regarding this incident. I've been watching port 23 coming in and out of my network and captured a session. It appears to be some worm, trojan, or script that's seeking out a particular device that allows an unauthenticated login, then sets up a username and password and saves the configuration. The commands are as follows:

  config system
  password admin 13370n3z
  13370n3z
  password user fawkoffsz
  fawkoffsz
  save

It appears to set up a user named 'admin' with a password of '13370n3z', and another user named 'user' with a password of 'fawkoffsz'. I'm not sure what kind of device uses this sequence of commands, but I'm suspecting some sort of cable or DSL router (since a lot of those, still, come with unauthenticated logins).
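As an added illustration for anyone triaging similar port 23 captures (this is not code from either message in the thread, nor from the Cayman manual), the Python below walks a captured telnet session and flags the pattern John describes: enter config mode, set confirmed passwords on both hardwired accounts, then save. It models the two behaviours Steven points out, the shortest-unique-prefix keyword matching ('config' for 'configure') and the optional leading 'set', so the detector also catches the unabbreviated form of the same sequence. The keyword vocabulary, the prompt-stripping regex, and the VERBOSE_SESSION and BENIGN_SESSION inputs are my own assumptions; CAPTURED_SESSION is the command list John reported.

```python
import re

# Keyword vocabulary modelled on the commands named in the thread. The message
# states the Cayman OS accepts the shortest unique prefix of a keyword
# ('config' for 'configure'). Assumed list, not taken from the manual.
KEYWORDS = ("configure", "help", "password", "save", "set", "system")

PROMPT = re.compile(r"^\s*\S*>\s*")  # strips a prompt such as '192.168.0.1> '


def expand(token):
    """Return the keyword that `token` uniquely abbreviates, or None when the
    token is unknown or ambiguous ('s' prefixes save, set and system)."""
    t = token.lower()
    hits = [k for k in KEYWORDS if k.startswith(t)]
    if len(hits) == 1:
        return hits[0]
    return t if t in hits else None


def parse_session(capture):
    """Walk one captured telnet session and record whether it entered
    'config system', which accounts had a password set with a matching
    confirmation line, and whether it issued 'save'."""
    entered_config = False
    saved = False
    pending = None   # (user, password) awaiting the repeated-password line
    changes = []     # (user, confirmation_matched)
    for raw in capture.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        if pending is not None:
            # The line after 'password <user> <pw>' is the confirmation.
            user, password = pending
            pending = None
            changes.append((user, line == password))
            continue
        words = line.split()
        # The thread argues the leading 'set' is redundant; accept it either way.
        if expand(words[0]) == "set" and len(words) > 1:
            words = words[1:]
        verb = expand(words[0])
        if verb == "configure" and len(words) == 2 and expand(words[1]) == "system":
            entered_config = True
        elif verb == "password" and len(words) == 3:
            pending = (words[1], words[2])
        elif verb == "save":
            saved = True
    return {"config_system": entered_config, "changes": changes, "saved": saved}


def is_router_takeover_sequence(capture):
    """True when a session enters config mode, sets confirmed passwords on both
    hardwired accounts ('admin' and 'user') and then saves the configuration."""
    result = parse_session(capture)
    confirmed = {user for user, ok in result["changes"] if ok}
    return result["config_system"] and result["saved"] and {"admin", "user"} <= confirmed


# The command sequence exactly as John Narron reported capturing it.
CAPTURED_SESSION = """\
config system
password admin 13370n3z
13370n3z
password user fawkoffsz
fawkoffsz
save
"""

# Constructed variant using unabbreviated keywords and the optional 'set'.
VERBOSE_SESSION = """\
configure system
set password admin hunter2
hunter2
set password user swordfish
swordfish
save
"""

# Constructed benign session: browsing the hierarchy and a ping, nothing saved.
BENIGN_SESSION = """\
192.168.0.1> help
192.168.0.1> ip ping 192.168.0.2
PING - reply from 192.168.0.2
"""

if __name__ == "__main__":
    for name, session in (("captured", CAPTURED_SESSION),
                          ("verbose", VERBOSE_SESSION),
                          ("benign", BENIGN_SESSION)):
        print(name, is_router_takeover_sequence(session))
```

Feeding it the three sessions prints captured and verbose as matches and benign as not. Because prefix expansion is done per token, a session that abbreviates differently from the one John saw still resolves to the same canonical verbs, which is the property you want in a signature for a CLI that tolerates abbreviation.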