{
	"id": "dba4b75d-6526-4fef-8bed-5292fd7ea9b1",
	"created_at": "2026-04-06T00:22:32.381872Z",
	"updated_at": "2026-04-10T03:21:26.387297Z",
	"deleted_at": null,
	"sha1_hash": "ccdeeaa0b46ededb6d528f1c96864d778abc7be0",
	"title": "Another LILIN DVR 0-day being used to spread Mirai",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 417692,
	"plain_text": "Another LILIN DVR 0-day being used to spread Mirai\r\nBy Genshen Ye\r\nPublished: 2020-12-03 · Archived: 2026-04-05 22:31:49 UTC\r\nAuthor: Yanlong Ma, Genshen Ye\r\nBackground Information\r\nIn March, we reported[1] that multiple botnets, including Chalubo, Fbot,\r\nand Moobot, were using the same 0-day vulnerability to attack LILIN DVR devices; the\r\nvendor soon fixed the vulnerability.\r\nOn August 26, 2020, our Anglerfish honeypot detected that another new LILIN\r\nDVR/NVR 0-day, paired with the system default credential operxxxx:xxxxx (masked\r\nfor security reasons), was being used to spread a Mirai sample.\r\nOn September 21, 2020, we reported the finding to the Merit LILIN contact;\r\nthe vendor fixed the vulnerability overnight and provided us with a firmware fix, ver 4.0.26.5618.\r\nImpacted devices\r\nThe 360 FirmwareTotal system provides the following list of impacted\r\nfirmware.\r\nDH032 Firmware v1.0.26.3858.zip\r\nDH032 Firmware v1.0.28.3858.zip\r\nDVR708 Firmware v1.3.4.zip\r\nDVR716 Firmware v1.3.4.zip\r\nDVR816 Firmware v1.3.4.zip\r\nFirmware-DH032-EN.zip\r\nFirmware-DVR708-EN.zip\r\nFirmware-DVR716-EN.zip\r\nFirmware-DVR816-EN.zip\r\nFirmware-NVR100L-EN.zip\r\nFirmware-NVR1400-EN.zip\r\nFirmware-NVR200L-EN.zip\r\nFirmware-NVR2400-EN.zip\r\nFirmware-NVR3216-EN.zip\r\nFirmware-NVR3416-EN.zip\r\nFirmware-NVR3416R-EN.zip\r\nFirmware-NVR3816-EN.zip\r\nFirmware-NVR400L-EN.zip\r\nFirmware-NVR5104E-EN.zip\r\nhttps://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/\r\nPage 1 of 6\n\nFirmware-NVR5208E-EN.zip\r\nFirmware-NVR5416E-EN.zip\r\nFirmware-NVR5832-EN.zip\r\nFirmware-NVR5832S-EN.zip\r\nNVR 404C Firmware v1.0.48.zip\r\nNVR 404C Firmware v1.0.56.zip\r\nNVR 408M Firmware v1.0.56.zip\r\nNVR100L 200L Rescue File.zip\r\nNVR100L Firmware v1.1.56 - HTML5 Version.zip\r\nNVR100L Firmware v1.1.66.zip\r\nNVR100L Firmware v1.1.74 - Push Notification Fix.zip\r\nNVR100L, 200L Rescue File.zip\r\nNVR100LFirmware.zip\r\nNVR104 Firmware 
v1.0.48.zip\r\nNVR104 Firmware v1.0.56.zip\r\nNVR109 Firmware v1.0.38.zip\r\nNVR109 Firmware v1.0.48.zip\r\nNVR109 Firmware v1.0.56.zip\r\nNVR116 Firmware v1.0.38.zip\r\nNVR116 Firmware v1.0.48.zip\r\nNVR116 Firmware v1.0.56.zip\r\nNVR1400Firmware.zip\r\nNVR1400L Firmware v1.1.56 - HTML5 Version.zip\r\nNVR1400L Firmware v1.1.66.zip\r\nNVR1400L Firmware v1.1.74 - Push Notification Fix.zip\r\nNVR200L Firmware v1.1.56 - HTML5 Version.zip\r\nNVR200L Firmware v1.1.66.zip\r\nNVR200L Firmware v1.1.74 - Push Notification Fix.zip\r\nNVR200LFirmware.zip\r\nNVR2400Firmware.zip\r\nNVR2400L Firmware v1.1.56 - HTML5 Version.zip\r\nNVR2400L Firmware v1.1.66.zip\r\nNVR2400L Firmware v1.1.74 - Push Notification Fix.zip\r\nNVR3216 Firmware v3.0.74.3921.zip\r\nNVR3216 Recovery Tool.zip\r\nNVR3416 Firmware v3.0.74.3921.zip\r\nNVR3416 Recovery Tool.zip\r\nNVR3416r Firmware v3.0.76.3921.zip\r\nNVR3816 Firmware v2.0.74.3921.zip\r\nNVR400L 1400 2400 Rescue File.zip\r\nNVR400L Firmware v1.1.56 - HTML5 Version.zip\r\nNVR400L Firmware v1.1.66.zip\r\nNVR400L Firmware v1.1.74 - Push Notification Fix.zip\r\nNVR400L, 1400, 2400 Rescue File.zip\r\nNVR5104E Firmware v5.0.24.4078.zip\r\nNVR5104E Recovery Tool.zip\r\nNVR5208E Firmware v5.0.24.4078.zip\r\nNVR5208E Recovery Tool.zip\r\nNVR5416E Firmware v4.0.24.4078.zip\r\nNVR5832 Firmware v4.0.24.4043.zip\r\nNVR5832 Recovery Tool.zip\r\nNVR5832S Firmware v4.0.24.4043.zip\r\nNVR5832S Recovery Tool.zip\r\nVD022 Firmware 1.0.48.zip\r\nVD022 Firmware 1.0.56.zip\r\nThe 360 Quake cyberspace mapping system mapped assets across the globe\r\nand discovered that there are 1049094 IP addresses of devices with Merit LILIN\r\nDVR/NVR fingerprints (app:\"LILIN_DVR\") on the public network, and 6748 of\r\nthem are considered vulnerable. 
The vast majority of these devices are located\r\nin Taiwan, China, as shown in the figure below.\r\nVulnerability Analysis\r\nVulnerability Type: Remote Command Execution Vulnerability\r\nVulnerability detail: The Web service program /opt/extra/main defines a GET /getclock interface for viewing\r\nand modifying time-dependent device\r\nconfigurations. When the /opt/extra/main program is started, the command line\r\nprogram /mnt/mtd/subapp/syscmd is also started, and the commands that need to\r\nbe executed are passed to syscmd via shared memory.\r\n1. When the value of the incoming parameter cmd is set, the parameter\r\nNTP_SERVER can be used to set the time synchronization server for the device.\r\n2. The GET /getclock callback function saves the relevant fields without checking the value of\r\nNTP_SERVER, then creates a\r\nCMDQ_SET_SYS_TIME message and pushes it onto cmdQueue.\r\n3. The CMDQ_SET_SYS_TIME message handler of\r\ncmdQueue reads the relevant fields and splices them into the following shell command,\r\nwhich is written to the shared memory, resulting in a remote command execution vulnerability.\r\n\"/opt/extra/subapp/ntpclient -s -t -h %s \u003e %s \u0026\", v4, \"/tmp/ntp.dat\"\r\nVulnerability Fix: In the updated firmware, we noticed that before the\r\nNTP_SERVER parameter is saved, the resolve_ip() function, which wraps the\r\ninet_aton() function, is called to check whether the input is a valid IP address.\r\nThe process is as follows.\r\n1. For parameters in URL format, the libadns.so library is called to resolve the domain\r\nname; if resolution succeeds, the IP address is written into ipAddr and the function returns True; otherwise it returns False.\r\n2. 
For IP addresses, write directly to ipAddr and return True.\r\nRecommendations\r\nWe recommend that Merit LILIN DVR/NVR users check and update the firmware\r\nsystem and set strong login credentials for the devices.\r\nWe recommend users monitor and block the urls on the IoC list.\r\nContact us\r\nReaders are always welcomed to reach us on twitter, or email to netlab at 360\r\ndot cn.\r\nIoC list\r\nIP\r\n2.57.122.167 Romania ASN48090 Pptechnology Limited\r\nSource: https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/"
	],
	"report_names": [
		"another-lilin-dvr-0-day-being-used-to-spread-mirai-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccdeeaa0b46ededb6d528f1c96864d778abc7be0.pdf",
		"text": "https://archive.orkl.eu/ccdeeaa0b46ededb6d528f1c96864d778abc7be0.txt",
		"img": "https://archive.orkl.eu/ccdeeaa0b46ededb6d528f1c96864d778abc7be0.jpg"
	}
}