Mirai-like Botnet

Bad Packets Report

What does "Mirai-like" mean?


Mirai scans have a unique fingerprint based on the original source code.



The TCP Sequence Number of each scan packet will equal the target (destination) IP address, taken as a 32-bit integer. The examples below show it in decimal (numeric) format.

As the target IP changes, the Sequence Number of the traffic coming from the infected host will change accordingly.


Source IP        Sequence Number   Destination IP   Destination Port   Protocol   Count
111.40.166.130   1155727431        68.227.0.71      22                 TCP        8
111.40.166.130   1155727462        68.227.0.102     22                 TCP        12
111.40.166.130   1155727468        68.227.0.108     22                 TCP        7
111.40.166.130   1155727827        68.227.0.211     22                 TCP        18
111.40.166.130   1155728027        68.227.0.155     22                 TCP        13
111.40.166.130   1185554622        68.227.0.190     22                 TCP        11
111.40.166.130   1186240978        68.227.0.210     22                 TCP        2
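
One way to test captured traffic for this fingerprint, as an added example (not code from Bad Packets or from the Mirai source): parse the raw IPv4 and TCP headers and compare the sequence number with the destination address. The function names, the SYN-only restriction and the packets built by build_syn are assumptions made for illustration; the matching rows reuse values from the table above.

```python
import ipaddress
import struct

def seq_to_ip(seq: int) -> str:
    """Render a 32-bit TCP sequence number as a dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(seq))

def parse_syn(packet: bytes):
    """Return (src, dst, dport, seq) for an IPv4/TCP SYN, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                          # not IPv4, or not carrying TCP
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None                          # malformed or truncated headers
    _sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    if (off_flags & 0x3F) != 0x02:           # assumption: only bare SYN probes count
        return None
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    return src, dst, dport, seq

def is_mirai_like(packet: bytes) -> bool:
    """True when a SYN's sequence number equals its destination IP as an integer."""
    parsed = parse_syn(packet)
    if parsed is None:
        return False
    _src, dst, _dport, seq = parsed
    return seq == int(ipaddress.IPv4Address(dst))

def build_syn(src: str, dst: str, dport: int, seq: int) -> bytes:
    """Constructed input: minimal IPv4 + TCP SYN headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", 40000, dport, seq, 0, (5 << 12) | 0x02, 1024, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    samples = [  # first two rows reuse table values; the third sequence number is constructed
        ("111.40.166.130", "68.227.0.71", 22, 1155727431),
        ("111.40.166.130", "68.227.0.102", 22, 1155727462),
        ("111.40.166.130", "68.227.0.71", 22, 305419896),
    ]
    for src, dst, dport, seq in samples:
        hit = is_mirai_like(build_syn(src, dst, dport, seq))
        print(f"{src} -> {dst}:{dport} seq={seq} ({seq_to_ip(seq)}) mirai_like={hit}")
```

With the destination addresses exactly as listed in the table, the first three rows satisfy this equality; the sequence numbers in the other four rows decode to a different address than the one listed, agreeing with it in the final octet (for example, 1155727827 decodes to 68.227.1.211).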