{"id":810,"date":"2026-01-26T01:17:12","date_gmt":"2026-01-26T01:17:12","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/"},"modified":"2026-01-26T01:17:12","modified_gmt":"2026-01-26T01:17:12","slug":"scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/","title":{"rendered":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)"},"content":{"rendered":"
\n

Based on the sensors reporting to ISC, this activity started on the 13 Jan 2026. My own sensor started seeing the first scan on the 21 Jan 2026 with limited probes. So far, this activity has been limited to a few scans based on the reports available in ISC [5<\/a>]\u00a0(select Match Partial URL and Draw<\/span>):<\/p>\n

\"\"<\/p>\n

This is a sample list of the directories actors are scanning for using the following patterns:<\/p>\n

\/$(pwd)\/.env.staging
\n\/$(pwd)\/.env.development
\n\/$(pwd)\/.env.production
\n\/$(pwd)\/.env.local
\n\/$(pwd)\/.env
\n$(pwd)\/terraform.tfstate
\n\/$(pwd)\/docker-compose.yml
\n\/$(pwd)\/netlify.toml<\/p>\n

This Gephi<\/a> graph shows the relationship of each probed URL by the two IP addresses:<\/p>\n

\n\"\"<\/p>\n

Kibana ES|QL Query<\/strong><\/span><\/p>\n

FROM cowrie*\u00a0
\n| WHERE event.reference == “no match”
\n| KEEP related.ip,http.request.body.content
\n| WHERE http.request.body.content IS NOT NULL
\n| WHERE http.request.body.content RLIKE “.*\\\/\\$\\(pwd\\).*”
\n| STATS COUNT(http.request.body.content) BY related.ip, http.request.body.content<\/span><\/p>\n

Indicators<\/strong><\/span><\/p>\n

By selecting one of these two indicators, it shows their scanning activity for the\u00a0\/$(pwd)\/<\/span> pattern in the ISC web logs.<\/p>\n

185.177.72.52<\/a>
\n185.177.72.23<\/a><\/p>\n

We also appreciate feedback and suggestions about what tool is used to perform these scans. Please use our contact<\/a> page to provide feedback.\u00a0<\/p>\n

[1] https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/8.19\/esql-using.html
\n[2] https:\/\/gephi.org\/
\n[3] https:\/\/isc.sans.edu\/weblogs\/sourcedetails.html?date=2026-01-21&ip=185.177.72.52
\n[4] https:\/\/isc.sans.edu\/weblogs\/sourcedetails.html?date=2026-01-25&ip=185.177.72.23
\n[5] https:\/\/isc.sans.edu\/weblogs\/urlhistory.html?url=LyQocHdkKS8uCg==<\/p>\n

———–
\nGuy Bruneau IPSS Inc.<\/a>
\nMy GitHub Page<\/a>
\nTwitter: GuyBruneau<\/a>
\ngbruneau at isc dot sans dot edu<\/p>\n

(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Based on the sensors reporting to ISC, this activity started on the 13 Jan 2026. My own sensor started seeing the first scan on the 21 Jan 2026 with limited probes. So far, this activity has been limited to a few scans based on the reports available in ISC [5]\u00a0(select Match Partial URL and Draw): […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-810","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nScanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Based on the sensors reporting to ISC, this activity started on the 13 Jan 2026. My own sensor started seeing the first scan on the 21 Jan 2026 with limited probes. So far, this activity has been limited to a few scans based on the reports available in ISC [5]\u00a0(select Match Partial URL and Draw): […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-26T01:17:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)\",\"datePublished\":\"2026-01-26T01:17:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\"},\"wordCount\":286,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\",\"name\":\"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png\",\"datePublished\":\"2026-01-26T01:17:12+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/","og_locale":"en_US","og_type":"article","og_title":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) - Imperative Business Ventures Limited","og_description":"Based on the sensors reporting to ISC, this activity started on the 13 Jan 2026. My own sensor started seeing the first scan on the 21 Jan 2026 with limited probes. So far, this activity has been limited to a few scans based on the reports available in ISC [5]\u00a0(select Match Partial URL and Draw): […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-01-26T01:17:12+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)","datePublished":"2026-01-26T01:17:12+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/"},"wordCount":286,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/","name":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png","datePublished":"2026-01-26T01:17:12+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc_pwd_activity.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/26\/scanning-webserver-with-pwd-as-a-starting-path-sun-jan-25th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Scanning Webserver with \/$(pwd)\/ as a Starting Path, (Sun, Jan 25th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=810"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/810\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}