{"id":10144,"date":"2026-01-26T04:03:38","date_gmt":"2026-01-26T04:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/26\/32654\/"},"modified":"2026-01-26T04:03:38","modified_gmt":"2026-01-26T04:03:38","slug":"32654","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/26\/32654\/","title":{"rendered":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)"},"content":{"rendered":"\n<div>Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)<\/div>\n<div>\n<p>Based on the sensors reporting to ISC, this activity started on 13 Jan 2026. My own sensor started seeing the first scan on 21 Jan 2026 with limited probes. So far, this activity has been limited to a few scans based on the reports available in ISC [<a href=\"https:\/\/isc.sans.edu\/weblogs\/urlhistory.html?url=LyQocHdkKS8uCg==\">5<\/a>]\u00a0(<span style=\"font-family:Times New Roman,Times,serif;\">select Match Partial URL and Draw<\/span>):<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png?ssl=1\" style=\"width: 1114px; height: 418px;\"><\/p>\n<p>This is a sample list of the paths actors are probing for, using the following patterns:<\/p>\n<p>\/$(pwd)\/.env.staging<br \/>\n\/$(pwd)\/.env.development<br \/>\n\/$(pwd)\/.env.production<br \/>\n\/$(pwd)\/.env.local<br \/>\n\/$(pwd)\/.env<br \/>\n$(pwd)\/terraform.tfstate<br \/>\n\/$(pwd)\/docker-compose.yml<br \/>\n\/$(pwd)\/netlify.toml<\/p>\n<p>This <a href=\"https:\/\/gephi.org\/\">Gephi<\/a> graph shows the relationship between each probed URL and the two scanning IP addresses:<\/p>\n<p>\n<img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/pwd_scanning_activity.png?ssl=1\" style=\"width: 756px; height: 
689px;\"><\/p>\n<p><span style=\"font-size:16px;\"><strong>Kibana ES|QL Query<\/strong><\/span><\/p>\n<p><span style=\"font-family:Courier New,Courier,monospace;\">FROM cowrie*<br \/>\n| WHERE event.reference == \"no match\"<br \/>\n| KEEP related.ip,http.request.body.content<br \/>\n| WHERE http.request.body.content IS NOT NULL<br \/>\n| WHERE http.request.body.content RLIKE \".*\\\/\\$\\(pwd\\).*\"<br \/>\n| STATS COUNT(http.request.body.content) BY related.ip, http.request.body.content<\/span><\/p>\n<p><span style=\"font-size:16px;\"><strong>Indicators<\/strong><\/span><\/p>\n<p>Selecting either of these two indicators shows its scanning activity for the\u00a0<span style=\"font-family:Courier New,Courier,monospace;\">\/$(pwd)\/<\/span> pattern in the ISC web logs.<\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/weblogs\/sourcedetails.html?date=2026-01-21&amp;ip=185.177.72.52\">185.177.72.52<\/a><br \/>\n<a href=\"https:\/\/isc.sans.edu\/weblogs\/sourcedetails.html?date=2026-01-25&amp;ip=185.177.72.23\">185.177.72.23<\/a><\/p>\n<p>We also appreciate feedback and suggestions about what tool is used to perform these scans. 
Please use our <a href=\"https:\/\/isc.sans.edu\/contact.html\">contact<\/a> page to provide feedback.<\/p>\n<p>[1] https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/8.19\/esql-using.html<br \/>\n[2] https:\/\/gephi.org\/<br \/>\n[3] https:\/\/isc.sans.edu\/weblogs\/sourcedetails.html?date=2026-01-21&amp;ip=185.177.72.52<br \/>\n[4] https:\/\/isc.sans.edu\/weblogs\/sourcedetails.html?date=2026-01-25&amp;ip=185.177.72.23<br \/>\n[5] https:\/\/isc.sans.edu\/weblogs\/urlhistory.html?url=LyQocHdkKS8uCg==<\/p>\n<p>&#8212;&#8212;&#8212;&#8211;<br \/>\nGuy Bruneau <a href=\"http:\/\/www.ipss.ca\/\">IPSS Inc.<\/a><br \/>\n<a href=\"https:\/\/github.com\/bruneaug\/\">My GitHub Page<\/a><br \/>\nTwitter: <a href=\"https:\/\/twitter.com\/guybruneau\">GuyBruneau<\/a><br \/>\ngbruneau at isc dot sans dot edu<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32654\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) Based on the sensors reporting to ISC, this activity started on the 13 Jan 2026. My own sensor started seeing the first scan on the 21 Jan 2026 with limited probes. 
So far, this activity has been limited to a few scans based on [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-10144","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10144"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10144"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10144\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}