2019-10-27
Attempts to hack digital video recorders over http via the nntp port
Sometimes you really wonder about the number of errors made by noisy attacks. I noticed the following pattern in the system logs:

nnrpd[7029]: 189.243.177.73 unrecognized Accept-Encoding: identity
nnrpd[7029]: 189.243.177.73 unrecognized Content-Length: 586
nnrpd[7029]: 189.243.177.73 unrecognized Accept-Language: en-us
nnrpd[7029]: 189.243.177.73 unrecognized Host: 74.219.111.25
nnrpd[7029]: 189.243.177.73 unrecognized Accept: */*
nnrpd[7029]: 189.243.177.73 unrecognized User-Agent: ApiTool
nnrpd[7029]: 189.243.177.73 unrecognized Connection: close
nnrpd[7029]: 189.243.177.73 unrecognized Cache-Control: max-age=0
nnrpd[7029]: 189.243.177.73 unrecognized Content-Type: text/xml
nnrpd[7029]: 189.243.177.73 unrecognized Authorization: Basic YWRtaW46ezEyMjEzQkQ...

With some searching I eventually found exploit code for certain series of digital video recorders, which can be anywhere on the wide Internet. The whole protocol mismatch makes this a lot noisier via the nntp port than via http, but I also see some attempts via the http port.

Update: Suricata doesn't recognize the specific attack, but it does notice the HTTP basic auth in the traffic:

11/13/2019-20:12:33.772828 [**] [1:2006402:11] ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 188.59.207.57:43753 -> 82.95.196.202:119
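Because nnrpd logs every unknown command, an HTTP request sent to port 119 leaves one "unrecognized Name: value" line per header. The following is an added example, not code from this post, that turns that pattern into a detection: it groups the unrecognized lines per nnrpd session, flags sessions whose "commands" are really HTTP headers, and reports the user name from any Basic Authorization header. The sample log is constructed (documentation IP ranges, placeholder credential) and the log format is assumed to be exactly the one quoted above.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the format nnrpd uses for unknown commands; the
# addresses are documentation ranges and the credential is a placeholder.
SAMPLE_LOG = """\
nnrpd[7029]: 192.0.2.10 unrecognized Accept-Encoding: identity
nnrpd[7029]: 192.0.2.10 unrecognized Content-Length: 586
nnrpd[7029]: 192.0.2.10 unrecognized Host: 198.51.100.5
nnrpd[7029]: 192.0.2.10 unrecognized User-Agent: ApiTool
nnrpd[7029]: 192.0.2.10 unrecognized Content-Type: text/xml
nnrpd[7029]: 192.0.2.10 unrecognized Authorization: Basic YWRtaW46cGxhY2Vob2xkZXI=
nnrpd[7031]: 192.0.2.20 unrecognized GRUP alt.test
nnrpd[7032]: 203.0.113.7 unrecognized Host: 198.51.100.5
"""

LINE_RE = re.compile(r"nnrpd\[(\d+)\]: (\S+) unrecognized (.*)$")
# An HTTP header line looks like "Name: value"; a mistyped NNTP command does not.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")


def basic_auth_user(value):
    """Return the user name from a 'Basic <base64>' value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    return decoded.split(":", 1)[0]


def find_http_probes(log_text, min_headers=3):
    """Group unrecognized lines per (pid, client) and keep sessions that sent
    at least min_headers HTTP-style headers. Returns {(pid, ip): summary}."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        h = HEADER_RE.match(m.group(3)) if m else None
        if h:
            sessions[(m.group(1), m.group(2))][h.group(1).lower()] = h.group(2)
    return {
        key: {
            "header_count": len(hdrs),
            "user_agent": hdrs.get("user-agent"),
            "basic_auth_user": basic_auth_user(hdrs.get("authorization", "")),
        }
        for key, hdrs in sessions.items() if len(hdrs) >= min_headers
    }


if __name__ == "__main__":
    for (pid, ip), info in find_http_probes(SAMPLE_LOG).items():
        print(f"nnrpd[{pid}] {ip}: HTTP request on the NNTP port: {info}")
```

The single stray "Host:" line from 203.0.113.7 stays below the threshold, so a lone header or a mistyped NNTP command does not raise an alert.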