Interesting Message Stored in Cowrie Logs
This activity was found and reported by BACS student Adam Thorman as part of one of his assignments; I posted his final paper [1] last week. The activity appeared to have occurred only on 19 Feb 2026, when at least two DShield sensors detected on the same day, in their cowrie logs, an echo command that included: "MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here". My DShield sensor captured activity from source IP 64.89.161.198 between 30 Jan and 22 Feb 2026 that included portscans, a successful login via Telnet (TCP/23) and web access; all the activity listed below was captured by the DShield sensor (cowrie, webhoneypot & iptables logs).

The bot successfully logged into the sensor twice, on 15 and 19 Feb 2026, via Telnet. The bot activity of interest was a shell script uploaded on 19 Feb 2026 in an attempt to exploit IoT devices and 64-bit Linux systems.
Using Adam's grep command [1], I found in my logs the same script uploaded to the DShield sensor:
ubuntu@vps-711a413c:~/downloads$ sudo cat f1c0e109640d154246d27ff05074365740e994f142ef9846634bec7b18e3b715
Script Content

Cowrie Log

Indicators
64.89.161.198
188.214.30.5
http[:]//188.214.30.5/r.sh
f1c0e109640d154246d27ff05074365740e994f142ef9846634bec7b18e3b715
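As an added illustration (not the author's grep command and not code from the DShield or Cowrie projects), the following Python checker parses Cowrie's cowrie.json event lines, flags sessions whose command input contains the marker string mentioned above, and pulls the download URL and SHA256 recorded for those same sessions. The sample log lines are constructed to mirror the activity described in this diary and reuse only the indicators listed above; the session ids and the 198.51.100.7 address are made up, and the field names (eventid, input, url, shasum, src_ip, session) follow Cowrie's JSON output.

```python
import json

# Marker string the diary reports in the bot's echo command.
MARKER = "MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here"

# Constructed Cowrie JSON log lines modelled on the diary's description; these
# are NOT the author's captured logs. The last line is deliberately malformed
# to show that a bad line does not abort the scan.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.success","username":"root","password":"<placeholder>","src_ip":"64.89.161.198","session":"a1b2c3d4e5f6","timestamp":"2026-02-19T03:12:44.101Z"}
{"eventid":"cowrie.command.input","input":"echo \\"MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here\\"","src_ip":"64.89.161.198","session":"a1b2c3d4e5f6","timestamp":"2026-02-19T03:12:45.330Z"}
{"eventid":"cowrie.session.file_download","url":"http://188.214.30.5/r.sh","shasum":"f1c0e109640d154246d27ff05074365740e994f142ef9846634bec7b18e3b715","outfile":"var/lib/cowrie/downloads/f1c0e109640d154246d27ff05074365740e994f142ef9846634bec7b18e3b715","src_ip":"64.89.161.198","session":"a1b2c3d4e5f6","timestamp":"2026-02-19T03:12:51.004Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"198.51.100.7","session":"0f0f0f0f0f0f","timestamp":"2026-02-19T04:00:00.000Z"}
not json at all
"""


def parse_cowrie_lines(text):
    """Parse one JSON event per line; silently skip blank or non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_marker_sessions(events, marker=MARKER):
    """Return {session_id: src_ip} for sessions whose command input contains the marker."""
    hits = {}
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input" and marker in ev.get("input", ""):
            hits[ev["session"]] = ev.get("src_ip")
    return hits


def downloads_for_sessions(events, sessions):
    """Collect (url, sha256) pairs for files downloaded inside the flagged sessions."""
    found = []
    for ev in events:
        if ev.get("eventid") == "cowrie.session.file_download" and ev.get("session") in sessions:
            found.append((ev.get("url"), ev.get("shasum")))
    return found


def extract_indicators(text, marker=MARKER):
    """End to end: parse the log, flag marker sessions, return de-duplicated indicators."""
    events = parse_cowrie_lines(text)
    sessions = find_marker_sessions(events, marker)
    downloads = downloads_for_sessions(events, sessions)
    return {
        "sessions": sorted(sessions),
        "src_ips": sorted({ip for ip in sessions.values() if ip}),
        "urls": sorted({u for u, _ in downloads if u}),
        "sha256": sorted({h for _, h in downloads if h}),
    }


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real cowrie.json to triage your own sensor.
    for key, values in extract_indicators(SAMPLE_LOG).items():
        print(f"{key}: {values}")
```

Correlating on the session id rather than on the source IP alone is deliberate: it ties the downloaded file hash to the exact session that echoed the marker, so a shared or rotating address does not pull in unrelated downloads.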
If you detected the same type of activity, we would also appreciate feedback and suggestions about what tool might be used to perform these scans. Please use our contact page to provide feedback.
[1] https://isc.sans.edu/diary/32788
[2] https://www.virustotal.com/gui/file/f1c0e109640d154246d27ff05074365740e994f142ef9846634bec7b18e3b715/detection
[3] https://www.linkedin.com/in/adam-thorman/
[4] https://isc.sans.edu/ipinfo/64.89.161.198
[5] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-02-19&ip=64.89.161.198
[6] https://isc.sans.edu/ipinfo/188.214.30.5
[7] https://www.shodan.io/host/64.89.161.198
[8] https://www.virustotal.com/gui/ip-address/64.89.161.198/detection
[9] https://github.com/DShield-ISC/dshield
[10] https://github.com/bruneaug/DShield-SIEM/tree/main
-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
