Attack #291794 · HoneyMire Hub

Attack #291794 telnet

Captured 2026-06-29 18:39:44Z by Ka on honeypot LU2 - SERVERS ⬜ docker-edge · firmware 0.1.0.

Source146.190.31.68:42671

Target port23

Authenticatedyes

Commands18

Duration33.9s

Session recording

Loading session…

Transcript

Server output and attacker input as captured, line-grain. Malware URLs are obscured until sign-in.

OpenWrt BARRIER BREAKER 14.07 r42625

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |
 |   -   ||  _  |  -__|     ||  |  |  ||   _||  |
 |_______||   __|_____|__|__||________||__|  |__|
 |  _  | |  |  W I R E L E S S    F R E E D O M
 | | | | |  |  BARRIER BREAKER (14.07, r42625)
 |_|_|_|_|__|_|_____________________________

OpenWrt:~# sh
OpenWrt:~# >/tmp/.ptmx && cd /tmp/
OpenWrt:/tmp# >/var/tmp/.ptmx && cd /var/tmp/
OpenWrt:/var/tmp# >/var/run/.ptmx && cd /var/run/
OpenWrt:/var/run# >/dev/shm/.ptmx && cd /dev/shm/
OpenWrt:/dev/shm# >/run/.ptmx && cd /run/
OpenWrt:/run# >/jffs/.ptmx && cd /jffs/
OpenWrt:/jffs# >/jffs2/.ptmx && cd /jffs2/
OpenWrt:/jffs2# >/mnt/jffs2/.ptmx && cd /mnt/jffs2/
OpenWrt:/mnt/jffs2# >/overlay/.ptmx && cd /overlay/
OpenWrt:/overlay# >/nvram/.ptmx && cd /nvram/
OpenWrt:/nvram# >/var/.ptmx && cd /var/
OpenWrt:/var# >/mnt/.ptmx && cd /mnt/
OpenWrt:/mnt# >/mnt/mtd/.ptmx && cd /mnt/mtd/
OpenWrt:/mnt/mtd# /bin/busybox rm -rf dvrHelper tbot
OpenWrt:/mnt/mtd# /bin/busybox cp /bin/busybox dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox HolyFuck
HolyFuck: applet not found
OpenWrt:/mnt/mtd# /bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
cat: /bin/busybox: No such file or directory
while: not found
do: not found
done: not found
OpenWrt:/mnt/mtd# /bin/busybox HolyFuck
HolyFuck: applet not found
OpenWrt:/mnt/mtd#

Credentials

Username: system

Password: shell

3 login attempt(s) before disconnect.

Geolocation hub-resolved

🇳🇱The Netherlands · North Holland · Amsterdam

DigitalOcean, LLC · AS14061 DigitalOcean, LLC · 52.35,4.94

Network: cdn · DigitalOcean · Content · peeringdb · medium confidence

Behavioral classification

🦠 80% confidence

Mirai-family IoT botnet — wget + chmod + exec; tries common router/IP-cam credentials.

Matched signals:

chmod/exec chain
BusyBox probing

Command summary

sh
>/tmp/.ptmx && cd /tmp/
>/var/tmp/.ptmx && cd /var/tmp/
>/var/run/.ptmx && cd /var/run/
>/dev/shm/.ptmx && cd /dev/shm/
>/run/.ptmx && cd /run/
>/jffs/.ptmx && cd /jffs/
>/jffs2/.ptmx && cd /jffs2/
>/mnt/jffs2/.ptmx && cd /mnt/jffs2/
>/overlay/.ptmx && cd /overlay/
>/nvram/.ptmx && cd /nvram/
>/var/.ptmx && cd /var/
>/mnt/.ptmx && cd /mnt/
>/mnt/mtd/.ptmx && cd /mnt/mtd/
/bin/busybox rm -rf dvrHelper tbot
/bin/busybox cp /bin/busybox dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox HolyFuck
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox HolyFuck

Reported to threat intel

none

HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire