You may have heard of the Mirai botnet before; for a fuller explanation, see the article we have published on it:
https://bitninja.com/blog/cyberstorm-from-argentina-mirai-botnet-attack/
Because of the request pattern, the time gap, and the huge number of dynamic addresses, we think the backbone of this botnet consists mainly of routers and other IoT devices. It was most likely caused by a variant of the Mirai botnet because, as you know, these infected devices are often captured by Telnet port honeypots as well.
Below is an example of what this looks like in real life:
Date: 2018-01-17 16:00:54
Attacker ip: 201.69.144.84
{ "PORT HIT": "201.69.144.84:42520->84.2.35.143:23",
"MESSAGES": "Array
( [16:00:22] => cat /proc/mounts; (/bin/busybox AYUCX || :) )
"}
Date: 2017-11-14 12:11:17
Attacker ip: 201.69.144.84
{ "PORT HIT": "201.69.144.84:35083->72.14.190.102:23",
"MESSAGES": "Array ( [11:10:42] => cat /proc/mounts; (/bin/busybox PVOHL || :) )
"}
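The following Python is an added example, not BitNinja's own code. It parses honeypot records in the layout shown above and groups Telnet sessions by source address when the captured command calls `/bin/busybox` with an all-caps token. The function names and the all-caps heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# The two honeypot records shown above, embedded as sample input.
SAMPLE = """\
Date: 2018-01-17 16:00:54
Attacker ip: 201.69.144.84
{ "PORT HIT": "201.69.144.84:42520->84.2.35.143:23",
"MESSAGES": "Array
( [16:00:22] => cat /proc/mounts; (/bin/busybox AYUCX || :) )
"}
Date: 2017-11-14 12:11:17
Attacker ip: 201.69.144.84
{ "PORT HIT": "201.69.144.84:35083->72.14.190.102:23",
"MESSAGES": "Array ( [11:10:42] => cat /proc/mounts; (/bin/busybox PVOHL || :) )
"}
"""

PORT_HIT = re.compile(r'"PORT HIT":\s*"([\d.]+):(\d+)->([\d.]+):(\d+)"')
COMMAND = re.compile(r"\[\d\d:\d\d:\d\d\] => (.*?) \)\s*$", re.M)
# Assumed heuristic: applet names are lowercase, so an all-caps argument is a marker.
MARKER = re.compile(r"/bin/busybox\s+([A-Z]{4,8})\b")

def parse_records(text):
    """Split the log on 'Date:' lines and return one dict per session."""
    records = []
    for chunk in re.split(r"(?m)^(?=Date: )", text):
        hit = PORT_HIT.search(chunk)
        if not hit:
            continue  # preamble or a record without a connection line
        commands = COMMAND.findall(chunk)
        records.append({
            "date": re.search(r"(?m)^Date: (.+)$", chunk).group(1),
            "src": hit.group(1), "dst": hit.group(3), "dst_port": int(hit.group(4)),
            "markers": [m for c in commands for m in MARKER.findall(c)],
        })
    return records

def summarize(records):
    """Group Telnet (port 23) sessions that carry a marker token by source."""
    out = defaultdict(lambda: {"targets": set(), "markers": set()})
    for r in records:
        if r["dst_port"] == 23 and r["markers"]:
            out[r["src"]]["targets"].add(r["dst"])
            out[r["src"]]["markers"].update(r["markers"])
    return dict(out)

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

On the sample, both sessions collapse into one source address with two different marker tokens against two different honeypots, two months apart.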