Not exactly the answer but if you have one of the affected mentioned devices it should be listening on TCP port 5555. You can do a port scan for that.
nmap -Pn 192.168.0.0/16 -p 5555
Replace netmask as appropriate.
Well the first thing to check is, do you own and operate any of these janky Android "TV" boxes sold by companies nobody has heard of? If yes? Then there's probably your answer.
pamcake|1 month ago
Now that it's publicly known I guess it's possible that they will close the door post-infection to avoid detection. And it won't detect any other devices it's spread further to.
If you have a cheapo Android-based TV box or stick like the ones mentioned, throw it out or reflash it with Armbian after forensics.
I'm sure there are HN readers out there who have one of these. They were very popular a couple of years back.
nubinetwork|1 month ago
thenthenthen|1 month ago
Have not tested it myself ymmv.
[0] https://synthient.com/blog/a-broken-system-fueling-botnets
HappyPanacea|1 month ago
BloodyIron|1 month ago