A surge in activity has been detected [1][2] from exploits targeting TR-069 [3], dubbed Misfortune Cookie [4]. This attack is aimed at home DSL routers commonly issued by ISPs.

If possible, please block the following URLs on any firewalls:


If you suspect that you have a vulnerable router, reboot it and check whether port 7547 is listening after the reboot (if infected, the router will no longer listen). If you can, block port 7547, and update your firmware if an update is available. A reboot will “clean” the router until it is infected again. However, given that the host name used no longer resolves, new infections should stop until the host name is changed again. [2]
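The reboot-and-check step above can be scripted. The following is an added example, not part of the original advisory: it probes TCP port 7547 before and after a reboot and labels the result. The router address argument, the label names and the reading of a "closed before, open after" result are assumptions made for this sketch.

```python
import socket
import sys

TR069_PORT = 7547  # port named in the advisory


def port_listening(host, port=TR069_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def assess(before_reboot, after_reboot):
    """Label two probe results (labels are this example's own, not the advisory's).

    The advisory states that an infected router stops listening on 7547 and
    that a reboot cleans it, so closed-then-open is treated as a warning sign.
    """
    if after_reboot and not before_reboot:
        return "likely-was-infected"   # port reappeared once the reboot cleaned it
    if after_reboot:
        return "exposed"               # listening throughout: block 7547, update firmware
    return "not-listening"             # closed or filtered from this vantage point


ADVICE = {
    "likely-was-infected": "Port 7547 came back after the reboot. Block it and update firmware before reinfection.",
    "exposed": "Port 7547 is reachable. Block it and update firmware if an update is available.",
    "not-listening": "Port 7547 is not reachable from here after the reboot.",
}

if __name__ == "__main__":
    # Usage: python check7547.py <router-address>   (address supplied by the operator)
    if len(sys.argv) != 2:
        sys.exit("usage: check7547.py <router-address>")
    router = sys.argv[1]
    before = port_listening(router)
    print(f"before reboot: listening={before}")
    input("Reboot the router, wait for it to come back up, then press Enter... ")
    after = port_listening(router)
    print(f"after reboot:  listening={after}")
    print(ADVICE[assess(before, after)])
```

Run it from a network position where the router's management port would be reachable; a "not-listening" result from inside the LAN does not show that the port is closed on the WAN side.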

Further Reading


[1] SANS ISC: Port 7547 Activity

[2] SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems

[3] Broadband Forum: TR-069 – CPE WAN Management Protocol