A surge in activity has been detected [1]
If possible, please block the following URLs on any firewalls:
Recommendation
If you suspect that you have a vulnerable router, reboot it and then check whether port 7547 is still listening (once infected, the router no longer listens on that port). If you can, block port 7547 and update the firmware if an update is available. A reboot only “cleans” the router until it is infected again, but since the host name used by the malware no longer resolves, new infections should stop until the host name is changed again. [2]
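The port check recommended above, written as an added example (not code from the original advisory): it classifies the state of TCP/7547 on a router address you supply, and a loopback self-test shows the two outcomes. The router address on the command line and the loopback listener are assumptions for illustration.

```python
import socket
import sys

TR069_PORT = 7547  # the TR-069/TR-064 management port named in the advisory


def port_state(host, port=TR069_PORT, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    open        -> a connection was accepted, so the management service is
                   reachable and the router is still exposed
    closed      -> connection actively refused, nothing is listening
    filtered    -> no answer before the timeout (firewalled or dropped)
    unreachable -> no route / name resolution failed
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def demo_on_loopback():
    """Constructed self-test: start a throwaway listener on 127.0.0.1 (an
    ephemeral port standing in for 7547), probe it, close it, probe again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    before = port_state("127.0.0.1", port)   # listener up -> 'open'
    listener.close()
    after = port_state("127.0.0.1", port)    # nothing listening -> 'closed'
    return before, after


if __name__ == "__main__":
    # Usage: python check7547.py <router-address>   (e.g. your LAN gateway)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed gateway address
    state = port_state(target)
    print(f"{target}:{TR069_PORT} is {state}")
    if state == "open":
        print("port 7547 is reachable: block it at the firewall and check for a firmware update")
```

Run it from the LAN side after the reboot; an "open" result means the management port is still reachable and the router remains exposed until port 7547 is blocked or the firmware is updated.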
Further Reading
- bløgg.no: TCP/7547 on the rise
- Ars Technica: Newly discovered router flaw being hammered by in-the-wild attacks
- Check Point: The Internet of TR-069 Things: One Exploit to Rule Them All [pdf]
- Check Point: Too Many Cooks – Exploiting the Internet of TR-069 Things [pdf]
References
[2] SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems