C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

A surge in activity has been detected1 2 of exploits targeting TR-0693, dubbed Misfortune Cookie4. This attack is aimed at home DSL routers commonly issued by ISP’s.

If possible, please block the following URL’s on any firewalls:

  • http://5.8.65.5/1
  • http://5.8.65.5/2
  • http://l.ocalhost.host/1
  • http://l.ocalhost.host/2
  • http://l.ocalhost.host/3
  • http://l.ocalhost.host/x.sh
  • http://p.ocalhost.host/x.sh
  • http://timeserver.host/1
  • http://ntp.timerserver.host/1
  • http://tr069.pw/1
  • http://tr069.pw/2

Recommendation

If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will “clean” the router until it is infected again. But given that the host name used no longer resolved, new infections should stop until the host name is changed again.2

Further Reading

References

1SANS ISC: Port 7547 Activity

2SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems

3broadband forum: TR-069 – CPE WAN Management Protocol

4CVE-2014-9222