Hello, welcome to the Tuesday, November 12, 2019 edition of the Sansonet Storms and a Stormcast.

My name is Johannes Ulrich, Entertainment, recording from Jacksonville, Florida.

Got sort of a flashback from back in 2014 today.

A reader asked us why they're seeing all these attacks that trigger the

moon signature in their IDS. Well, the moon was a warm that we described back in 2014. It attacked

Lynx's routers.

Now the signature that's commonly triggered here and that's still triggered today,

triggers on a particular exploit that the moon warm used back then.

Now since then of course things have evolved a little bit.

The exploit has changed slightly, but it still triggers these old signatures.

They essentially just look for the TM unplug.c.c.c.i. and then the TTCPIP parameter

that triggers this particular vulnerability.

Like so, many exploits, this one has been included in a bot that uses multiple exploits against

routers.

It identifies itself with the user agent Licker 1.0.

Now, the real question, of course, here is, is it a problem for you how serious are these attacks?

They essentially will hit any web server listening on Port 80.

80, whether or not the web server is verbal or not.

The signature itself just detects the attempt, as the message also says, not necessarily a successful attempt. Most likely you'll get

a 404 error back because this TM unblocked CGI script only exists in specific Lenses routers.

If you have one of those Lenses routers, well, I hope you patched it in the last five years.

Otherwise, it's probably long gun and compromised.

...