Attack #291691 telnet
Source: 146.190.31.68
Target port: 23
Authenticated: yes
Commands: 18
Duration: 33.5s
Session recording
Transcript
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-91-generic x86_64)
 * Documentation: hxxps://help[.]ubuntu[.]com
 * Management: hxxps://landscape[.]canonical[.]com
 * Support: hxxps://ubuntu[.]com/advantage
System information as of 2408714
System load: 0.08 Processes: 98
Usage of /: 23.4% of 19.56GB Users logged in: 0
Memory usage: 28% IP address for eth0: 10.0.0.42
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Mon Sep 4 09:14:21 2023 from 192.168.1.5
system@ubuntu-server:~$ sh
system@ubuntu-server:~$ >/tmp/.ptmx && cd /tmp/
system@ubuntu-server:/tmp$ >/var/tmp/.ptmx && cd /var/tmp/
system@ubuntu-server:/var/tmp$ >/var/run/.ptmx && cd /var/run/
system@ubuntu-server:/var/run$ >/dev/shm/.ptmx && cd /dev/shm/
system@ubuntu-server:/dev/shm$ >/run/.ptmx && cd /run/
system@ubuntu-server:/run$ >/jffs/.ptmx && cd /jffs/
system@ubuntu-server:/jffs$ >/jffs2/.ptmx && cd /jffs2/
system@ubuntu-server:/jffs2$ >/mnt/jffs2/.ptmx && cd /mnt/jffs2/
system@ubuntu-server:/mnt/jffs2$ >/overlay/.ptmx && cd /overlay/
system@ubuntu-server:/overlay$ >/nvram/.ptmx && cd /nvram/
system@ubuntu-server:/nvram$ >/var/.ptmx && cd /var/
system@ubuntu-server:/var$ >/mnt/.ptmx && cd /mnt/
system@ubuntu-server:/mnt$ >/mnt/mtd/.ptmx && cd /mnt/mtd/
system@ubuntu-server:/mnt/mtd$ /bin/busybox rm -rf dvrHelper tbot
system@ubuntu-server:/mnt/mtd$ /bin/busybox cp /bin/busybox dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox HolyFuck
HolyFuck: applet not found
system@ubuntu-server:/mnt/mtd$ /bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
cat: /bin/busybox: No such file or directory
-bash: while: command not found
-bash: do: command not found
-bash: done: command not found
system@ubuntu-server:/mnt/mtd$ /bin/busybox HolyFuck
HolyFuck: applet not found
system@ubuntu-server:/mnt/mtd$
Credentials
Username: system
Password: shell
Geolocation hub-resolved
🇳🇱 The Netherlands · North Holland · Amsterdam
Behavioral classification
🦠
Matched signals:
- chmod/exec chain
- BusyBox probing
Command summary
- sh
- >/tmp/.ptmx && cd /tmp/
- >/var/tmp/.ptmx && cd /var/tmp/
- >/var/run/.ptmx && cd /var/run/
- >/dev/shm/.ptmx && cd /dev/shm/
- >/run/.ptmx && cd /run/
- >/jffs/.ptmx && cd /jffs/
- >/jffs2/.ptmx && cd /jffs2/
- >/mnt/jffs2/.ptmx && cd /mnt/jffs2/
- >/overlay/.ptmx && cd /overlay/
- >/nvram/.ptmx && cd /nvram/
- >/var/.ptmx && cd /var/
- >/mnt/.ptmx && cd /mnt/
- >/mnt/mtd/.ptmx && cd /mnt/mtd/
- /bin/busybox rm -rf dvrHelper tbot
- /bin/busybox cp /bin/busybox dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox HolyFuck
- /bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
- /bin/busybox HolyFuck
Reported to threat intel