A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#21278 by patriq, Tue Oct 29, 2013 9:34 pm
I pulled these samples from 90.149.58.110 - this IP was in my firewall logs scanning port 23.

I was thinking it was going to be a LightAidra bot running on a cable modem. I'm not sure what the device is; it's some embedded Linux device, BusyBox, no auth.
Code:
 # cat /proc/cpuinfo 
processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 124.92
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available
Samples were in /var/run (just like LightAidra; there was also an ARM binary in there).

This time I see the binary is packed with UPX. Not sure why they would do this? It's on a device with no AV or anything. Maybe they want to conceal the config? With LightAidra you could literally 'strings' it and get the server IP, the password for the IRC #chan, etc.

I unpacked it and now I see something interesting; it looks like a scanner. I see things like:
Code:
/bin/sh
iptables -A INPUT -p tcp --dport 23 -j DROP
/var/run/.zollard/
12345
dreambox
smcadmin
admin
root
nodes
Anyway... samples attached. Usual pass.

FYI - if anyone is telnetted into a BusyBox device and wants a quick and dirty way to pull a sample from it (BusyBox is sometimes limited in functions):
set up netcat with -l -p 4321 on your end, and run nc yourserver.com 4321 < file on the device.
Don't forget to check the md5 after the transfer.
Attachments: infected (256.64 KiB), downloaded 76 times
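The quick-and-dirty pull described in the post (a listener on the analyst's end, the device streaming the file into a raw TCP connection, then an md5 comparison) can be reproduced end to end in Python so the failure mode it guards against is visible. This is an added example, not the poster's code or the forum's: both ends of the transfer run over loopback in one process, the sample bytes are constructed inline, and pull_sample / verify_transfer are hypothetical helper names. The point the md5 check makes is that netcat gives you no integrity guarantee of its own, so a truncated transfer (connection dropped, shell timing out, BusyBox nc variant exiting early) looks like success unless you compare hashes afterwards.

```python
import hashlib
import socket
import threading

# Constructed stand-in for an attached sample: a UPX-style header followed by filler.
# This is NOT real malware content, just bytes to move across the wire.
SAMPLE_BYTES = b"UPX!" + bytes(range(256)) * 100


def md5_hex(data: bytes) -> str:
    """Hex md5 of a byte string; this is the 'check the md5' step from the post."""
    return hashlib.md5(data).hexdigest()


def receive_file(listener: socket.socket) -> bytes:
    """Receiver side, equivalent to 'nc -l -p PORT > file': accept one
    connection and read until the peer closes its write side (EOF)."""
    conn, _ = listener.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # empty read means EOF from the sender
                break
            chunks.append(chunk)
    return b"".join(chunks)


def send_file(host: str, port: int, data: bytes) -> None:
    """Sender side, equivalent to 'nc HOST PORT < file' on the device:
    stream the bytes, then shut down the write side so the receiver sees EOF."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def verify_transfer(expected_md5: str, received: bytes) -> bool:
    """Post-transfer integrity check: hash what arrived and compare with the
    hash computed on the device before sending."""
    return md5_hex(received) == expected_md5


def pull_sample(data: bytes, host: str = "127.0.0.1"):
    """Run listener and sender over loopback (hypothetical helper).
    Returns (received_bytes, md5_matches, received_md5)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))       # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}

    def receiver():
        result["data"] = receive_file(listener)

    t = threading.Thread(target=receiver)
    t.start()
    send_file(host, port, data)
    t.join()
    listener.close()

    received = result["data"]
    return received, verify_transfer(md5_hex(data), received), md5_hex(received)


if __name__ == "__main__":
    got, ok, digest = pull_sample(SAMPLE_BYTES)
    print(f"received {len(got)} bytes, md5 {digest}, match={ok}")
    # Simulated truncated transfer: the hash comparison is what catches it.
    print("truncated copy passes md5 check:",
          verify_transfer(md5_hex(SAMPLE_BYTES), SAMPLE_BYTES[:-1]))
```

On a real device the "expected" hash comes from running md5sum on the file before sending it, and the comparison happens on the analyst's machine after nc exits; if the device's BusyBox build lacks md5sum, recording the file size from ls -l is a weaker but still useful sanity check.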