Reply to post: Is that the one I noticed this morning?

Mikrotik routers pwned en masse, send network data to mysterious box

bombastic bob Silver badge

Is that the one I noticed this morning?

Since June there have been a number of requests for '/login.cgi' in my web logs (several hundred) with an obvious code injection exploit in the URL, that wget's a file on a server with a specific IP address (several of these observed, looks like they change periodically) which then loads a binary image for MIPS or ARM processors [as appropriate] into /tmp or one of several other directories that it might be able to download something into...

in any case the script it first downloads is called '' . I reported my logs and findings to several ISPs who either hosted the machines doing the request, or WERE the host for the downloading.

Not sure if this is the same one the article talks about, but the one I saw has been around since June (according to my logs) and always tries to download that script file which then attempts to download the binary into one of several directories, then load/run it. And I think if you disable remote management on your router, this (apparent) virus won't infect it. But it could be a different one, not the one the article is about. I don/t know. So I mention it anyway, just in case. Details are sometimes useful...

Anyway, if you have a web server, look for access attempts for /login.cgi and you'll probably see it (the one I'm talking about). Again, dunno if it's the same as the one in the article, but is similar, probably.

(the first log entry is 15-June at 14:36, in case anybody wonders)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020