HoneyMire Hub

Attack #291281 ssh

Captured 2026-06-29 16:55:29Z by Ka on honeypot LU2 - SERVERS ⬜ docker-edge · firmware 0.1.0.

Session recording

Transcript

Server output and attacker input as captured, line-grain. Malware URLs are obscured until sign-in.

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
uname=$(uname -s -v -n -m 2>/dev/null || /bin/uname -s -v -n -m 2>/dev/null || /usr/bin/uname -s -v -n -m 2>/dev/null || busybox uname -s -v -n -m 2>/dev/null || ( [ -f /proc/version ] && head -1 /proc/version | cut -d' ' -f1 ) || ( [ -f /etc/os-release ] && grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"' ) || echo "")
arch=$(uname -m 2>/dev/null || /bin/uname -m 2>/dev/null || /usr/bin/uname -m 2>/dev/null || busybox uname -m 2>/dev/null || ( [ -f /proc/cpuinfo ] && grep -q "lm" /proc/cpuinfo && echo x86_64 ) || ( [ -f /proc/cpuinfo ] && grep -q "CPU architecture: 8" /proc/cpuinfo && echo aarch64 ) || ( [ -f /proc/cpuinfo ] && grep -q "CPU architecture: 7" /proc/cpuinfo && echo armv7l ) || echo "")
uptime=$(cat /proc/uptime 2>/dev/null || busybox cat /proc/uptime 2>/dev/null)
cpus=$(nproc 2>/dev/null || /usr/bin/nproc 2>/dev/null || busybox nproc 2>/dev/null || grep -c "^processor" /proc/cpuinfo 2>/dev/null)
cpu_model=$( { grep -m1 -E "model name|Hardware" /proc/cpuinfo 2>/dev/null; lscpu 2>/dev/null | grep "Model name"; dmidecode -s processor-version 2>/dev/null; uname -p 2>/dev/null; busybox uname -p 2>/dev/null; } )
gpu_info=$( (lspci 2>/dev/null | grep -i vga; lspci 2>/dev/null | grep -i nvidia; busybox lspci 2>/dev/null | grep -i vga; busybox lspci 2>/dev/null | grep -i nvidia) 2>/dev/null )
last_output=$(last 2>/dev/null)
echo "UNAME:$uname"
echo "ARCH:$arch"
echo "UPTIME:$uptime"
echo "CPUS:$cpus"
echo "CPU_MODEL:$cpu_model"
echo "GPU:$gpu_info"
echo "LAST:$last_output"
-bash: export: command not found
-bash: (: command not found
)
arch=x86_64
-bash: (: command not found
)
uptime=cat: /proc/uptime: No such file or directory cat: /proc/uptime: No such file or directory
cpus=2
cpu_model=-bash: {: command not found Model name: Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz -bash: dmidecode: command not found unknown unknown -bash: }: command not found
gpu_info= )
last_output=
echo UNAME:$uname
echo ARCH:$arch
echo UPTIME:$uptime
echo CPUS:$cpus
echo CPU_MODEL:$cpu_model
echo GPU:$gpu_info
echo LAST:$last_output

Credentials

Username: root

Password: password

1 login attempt(s) before disconnect.

Geolocation hub-resolved

🇺🇸United States · Texas · Dallas

Unmanaged LTD · AS47890 UNMANAGED LTD · 32.78,-96.80

Network: unknown · Unmanaged LTD · geoip · low confidence

Behavioral classification

🦠 80% confidence

Mirai-family IoT botnet — wget + chmod + exec; tries common router/IP-cam credentials.

Matched signals:

• BusyBox probing
• default router/NVR credentials
• marker echo bytes

Command summary

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
uname=$(uname -s -v -n -m 2>/dev/null || /bin/uname -s -v -n -m 2>/dev/null || /usr/bin/uname -s -v -n -m 2>/dev/null || busybox uname -s -v -n -m 2>/dev/null || ( [ -f /proc/version ] && head -1 /proc/version | cut -d' ' -f1 ) || ( [ -f /etc/os-release ] && grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"' ) || echo "")
arch=$(uname -m 2>/dev/null || /bin/uname -m 2>/dev/null || /usr/bin/uname -m 2>/dev/null || busybox uname -m 2>/dev/null || ( [ -f /proc/cpuinfo ] && grep -q "lm" /proc/cpuinfo && echo x86_64 ) || ( [ -f /proc/cpuinfo ] && grep -q "CPU architecture: 8" /proc/cpuinfo && echo aarch64 ) || ( [ -f /proc/cpuinfo ] && grep -q "CPU architecture: 7" /proc/cpuinfo && echo armv7l ) || echo "")
uptime=$(cat /proc/uptime 2>/dev/null || busybox cat /proc/uptime 2>/dev/null)
cpus=$(nproc 2>/dev/null || /usr/bin/nproc 2>/dev/null || busybox nproc 2>/dev/null || grep -c "^processor" /proc/cpuinfo 2>/dev/null)
cpu_model=$( { grep -m1 -E "model name|Hardware" /proc/cpuinfo 2>/dev/null; lscpu 2>/dev/null | grep "Model name"; dmidecode -s processor-version 2>/dev/null; uname -p 2>/dev/null; busybox uname -p 2>/dev/null; } )
gpu_info=$( (lspci 2>/dev/null | grep -i vga; lspci 2>/dev/null | grep -i nvidia; busybox lspci 2>/dev/null | grep -i vga; busybox lspci 2>/dev/null | grep -i nvidia) 2>/dev/null )
last_output=$(last 2>/dev/null)
echo "UNAME:$uname"
echo "ARCH:$arch"
echo "UPTIME:$uptime"
echo "CPUS:$cpus"
echo "CPU_MODEL:$cpu_model"
echo "GPU:$gpu_info"
echo "LAST:$last_output"

Reported to threat intel

none