"Hacking Millions of Modems (and Investigating Who Hacked My Modem)" by Sam Curry aka samyco

Other

Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server: python3 -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... Once the webserver was running, I sent a cURL request from my home computer to make sure that it could receive external HTTP requests: curl "http://54.156.88.125:8000/test123" Just a few seconds later, I saw the following log: 98.161.24.100 - [16:32:12] "GET /test123 HTTP/1.1" Perfect, this meant that I was able to receive network traffic on the box. Everything seemed good to go, but right as I switched back to exploiting the vulnerability, something very unexpected appeared in my log file: 98.161.24.100 - [16:32:12] "GET /test123 HTTP/1.1" 159.65.76.209 - [16:32:22] "GET /test123 HTTP/1.1" An unknown IP address had replayed the exact same HTTP request just 10 seconds later. "Wow, that’s seriously weird," I thought. Somewhere, between my home network and the AWS box, someone had intercepted and replayed my HTTP traffic. This traffic should not be accessible. There is no intermediary between these two systems who should be seeing this. My immediate thought was that my computer had been hacked and that the hacker was actively monitoring my traffic. To check if the same behavior occured on a different device, I pulled out my iPhone and typed in the URL into Safari. I sent the request, then peaked at my log file: 98.161.24.100 - [16:34:04] "GET /uhhhh HTTP/1.1" 159.65.76.209 - [16:34:16] "GET /uhhhh HTTP/1.1" The same unknown IP address had intercepted and replayed both HTTP requests from my computer and iPhone. Somehow, someone was intercepting and replaying the web traffic from likely every single device on my home network. Panicked, I spun up a new AWS box running Nginx to make sure that the original instance hadn't been compromised somehow. sudo service nginx start tail -f /var/log/nginx/access.log I opened the URL once again from my iPhone and saw the exact same logs: 98.161.24.100 - [16:44:04] "GET /whatisgoingon1234 HTTP/1.1" 159.65.76.209 - [16:44:12] "GET /whatisgoingon1234 HTTP/1.1" Through what could only be my ISP, modem, or AWS being compromised, someone was intercepting and replaying my HTTP traffic immediately after I'd sent it. To eliminate the absurd idea that AWS had been compromised, I spun up a box on GCP instead and observed the same unknown IP address replaying my HTTP requests. It wasn’t AWS. The only real option left was that my modem had been hacked, but who was the attacker? I queried the owner of the IP address and found that it belonged to DigitalOcean. Strange. That definitely didn't belong to my ISP.