Let's Finally "Nail" This Port 5000 Traffic - Synology owners needed.

Published: 2014-03-26
Last Updated: 2014-03-26 15:20:18 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We have written a couple diaries about port 5000 traffic, and received plenty of packet captures. But we still need to get all the pieces together to see what the "end game" is with these attacks. Here is what I found so far from our honeypot:

- a lot of the port 5000 traffic is spoofed.

I do receive "SYNs" from an IP, and my honeypot responds with a SYN-ACK, but then I get a reset back with a very different TTL.

- the once that connect, send a couple different requests (a.b.c.d is the address of the honey pot)

GET / HTTP/1.1
Accept-Encoding: identity
Host: a.b.c.d:5000
 
GET /robots.txt HTTP/1.1
Accept-Encoding: identity
Host: a.b.c.d:5000
 
GET / HTTP/1.1
Accept-Encoding: identity
Host: a.b.c.d:5000
 
GET /webman/info.cgi?host= HTTP/1.0
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
 
GET /webman/info.cgi?host= HTTP/1.0
Host: a.b.c.d:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
The last two requests point to a Synology vulnerability. But, just like the others, it appears to be more a "Fingerprinting" request trying to figure out if the system is vulnerable.
 
If you have a Synology Diskstation, I would very much appreciate if you could send these requests to the disk station, and send me a packet capture of the response. This way, I can improve my honeypot to respond "correctly". Please let me know what software version you are running.
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: port 5000 synology
6 comment(s)
Full Disclosure Mailing List is back: http://insecure.org/news/fulldisclosure/
ISC StormCast for Wednesday, March 26th 2014 http://isc.sans.edu/podcastdetail.html?id=3907

Comments


Diary Archives