- What: Attackers are scanning web servers using '/$(pwd)/' as a starting path in their requests.
- Why: This technique attempts to exploit potential command injection vulnerabilities or directory traversal issues on the targeted web servers.
- Impact: Successful exploitation could lead to information disclosure or unauthorized access to the web server's file system.
Scanning Webserver with /$(pwd)/ as a Starting Path

Based on the sensors reporting to ISC, this activity started on 13 Jan 2026. My own sensor started seeing the first scan on 21 Jan 2026, with limited probes. So far, this activity has been limited to a few scans, based on the reports available in ISC [5] (select Match Partial URL and Draw).

This is a sample list of the paths actors are scanning for, using the following patterns:

- /$(pwd)/.env.staging
- /$(pwd)/.env.development
- /$(pwd)/.env.production
- /$(pwd)/.env.local
- /$(pwd)/.env
- $(pwd)/terraform.tfstate
- /$(pwd)/docker-compose.yml
- /$(pwd)/netlify.toml

[Figure: Gephi graph showing the relationship of each probed URL to the two IP addresses]

Kibana ES|QL Query

```
FROM cowrie*
| WHERE event.reference == "no match"
| KEEP related.ip,http.request.body.content
| WHERE http.request.body.content IS NOT NULL
// Backslashes are doubled inside the string literal; the regex matches a literal /$(pwd) anywhere in the value
| WHERE http.request.body.content RLIKE ".*\\/\\$\\(pwd\\).*"
// Count each probed value per source IP
| STATS COUNT(http.request.body.content) BY related.ip, http.request.body.content
```

Indicators

Selecting either of these two indicators shows its scanning activity for the /$(pwd)/ pattern in the ISC web logs.

- 185.177.72.52 [3]
- 185.177.72.23 [4]

We also appreciate feedback and suggestions about what tool is used to perform these scans. Please use our contact page to provide feedback.

[1] https://www.elastic.co/guide/en/elasticsearch/reference/8.19/esql-using.html
[2] https://gephi.org/
[3] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-21&ip=185.177.72.52
[4] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-25&ip=185.177.72.23
[5] https://isc.sans.edu/weblogs/urlhistory.html?url=LyQocHdkKS8uCg==

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: pwd DShield sensor DShield SIEM Gephi Web Scanning research
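For web servers that do not feed a DShield SIEM, the filter in the ES|QL query above can be applied directly to access logs. The following is an added example, not part of the original diary or of any ISC tooling: it assumes common/combined log format, the log lines are constructed (client addresses come from the RFC 5737 documentation ranges), and the names `decode`, `find_pwd_probes` and `served` are hypothetical. It goes slightly beyond the query by also matching percent-encoded and double-encoded forms of the pattern and the variant without a leading slash that appears in the list above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Client IP, request target and status of a common/combined-format entry (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Literal, unexpanded $(pwd) as the first path segment, with or without the
# leading slash; the query string or fragment is not part of the probed file.
PROBE_RE = re.compile(r'^/?\$\(pwd\)/(?P<file>[^?#]*)')

# Constructed sample log lines (not taken from the diary's data).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2026:03:14:07 +0000] "GET /$(pwd)/.env HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [21/Jan/2026:03:14:08 +0000] "GET /%24%28pwd%29/.env.production HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [21/Jan/2026:03:14:09 +0000] "GET $(pwd)/terraform.tfstate HTTP/1.1" 400 0 "-" "-"
198.51.100.7 - - [25/Jan/2026:11:02:41 +0000] "GET /%2524(pwd)/docker-compose.yml HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [25/Jan/2026:11:02:45 +0000] "GET /docs/pwd/index.html HTTP/1.1" 200 2048 "-" "-"
"""

def decode(target, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded probes still match."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_pwd_probes(lines):
    """Return {client_ip: [(probed_file, status), ...]} for /$(pwd)/ requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        probe = PROBE_RE.match(decode(m.group("target")))
        if probe:
            hits[m.group("ip")].append((probe.group("file"), int(m.group("status"))))
    return dict(hits)

def served(hits):
    """Probes answered with 2xx: the requested file may have been disclosed."""
    return [(ip, f) for ip, probes in hits.items() for f, s in probes if 200 <= s < 300]

if __name__ == "__main__":
    found = find_pwd_probes(SAMPLE_LOG.splitlines())
    print(found)
    print("needs review:", served(found))
```

Any entry returned by `served` is the one to follow up on first, since a 2xx answer to a request for `.env`, `terraform.tfstate` or `docker-compose.yml` means the file may have been returned to the scanner.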