9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

A surge in activity has been detected1 2 of exploits targeting TR-0693, dubbed Misfortune Cookie4. This attack is aimed at home DSL routers commonly issued by ISP’s.

If possible, please block the following URL’s on any firewalls:

  • http://5.8.65.5/1
  • http://5.8.65.5/2
  • http://l.ocalhost.host/1
  • http://l.ocalhost.host/2
  • http://l.ocalhost.host/3
  • http://l.ocalhost.host/x.sh
  • http://p.ocalhost.host/x.sh
  • http://timeserver.host/1
  • http://ntp.timerserver.host/1
  • http://tr069.pw/1
  • http://tr069.pw/2

Recommendation

If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will “clean” the router until it is infected again. But given that the host name used no longer resolved, new infections should stop until the host name is changed again.2

Further Reading

References

1SANS ISC: Port 7547 Activity

2SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems

3broadband forum: TR-069 – CPE WAN Management Protocol

4CVE-2014-9222