Yes, as ELF:Gafgyt-AN [Cryp] (file detection, over 34 engines detect): https://www.virustotal.com/gui/file/bba18438991935a5fb91c8f315d08792c2326b2ce19f2be117f7dab984c47bdf/detection
Not on that particular IP: https://www.virustotal.com/gui/url/ae24d91384291c9dbfbc34a4db0c4c44ddee6ea30f6e4aff463a2f67c9dbb41d/details
however 7 engines detect → https://www.virustotal.com/gui/ip-address/211.137.225.129/relations
See an enormous ELF:Gafgyt-AN campaign: https://urlhaus.abuse.ch/url/275432/ etc.
On that host: https://urlhaus.abuse.ch/host/211.137.225.129/ → https://www.shodan.io/host/211.137.225.129
Seems to scan the Internet to infest: https://viz.greynoise.io/ip/211.137.225.129
One of the activities being: Category: Activity
This IP address has been observed attempting to exploit CVE-2016-6277, a remote code execution vulnerability in NETGEAR R7000 and R6400 routers.
References:
https://exploit-db.com/exploits/41598
Web Crawler
IP address: Netcraft Risk grade: 8 red out of 10: https://toolbar.netcraft.com/site_report?url=211.137.225.129
See TrackAnywhere info: http://www.ntunhs.net/cgi-bin/whois20_1_allip3.cgi?HPLang=KR&LV=3&IP=211.137.225.0
Blocked at firehol here: https://gitgit.dev/madponydotco/blocklist-ipsets/src/branch/master/turris_greylist.ipset?lang=zh-HK
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)