isc.sans.edu 3/19/2026, 1:50:04 AM

Interesting Message Stored in Cowrie Logs, (Wed, Mar 18th)


This diary entry describes activity found and reported by a BACS student, Adam Thorman, as part of an assignment; it focuses on an echo command captured in Cowrie logs on 19 February 2026. The activity appeared to have occurred on that date, with at least two sensors detecting the echo command on the same day; it was logged by a DShield sensor. The DShield data show activity from source IP 64.89.161[.]198 between 30 January and 22 February 2026, including port scans, a successful login via Telnet (TCP/23) and web access.

The bot logged in to the sensor twice via Telnet, on 15 February and 19 February 2026, and a shell script was uploaded on 19 February 2026 in an attempt to exploit IoT devices and 64-bit Linux systems. Indicators listed include 64.89.161[.]198, 188.214.30[.]5, http://188.214.30[.]5/r[.]sh, and the file hash f1c0e109640d154246d27ff05074365740e994f142ef9846634bec7b18e3b715. Feedback is welcome via the SANS ISC contact page.
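To check your own sensors for the same pattern (Telnet logins, an echo command and a script download from one source IP, seen on more than one sensor in a day), the following added example, which is not code from the diary, groups Cowrie JSON log events by day. It assumes Cowrie's JSON output with its standard event IDs and fields (`eventid`, `src_ip`, `session`, `sensor`, `timestamp`, `input`, `url`, `shasum`); the helper names and all sample values are constructed, using documentation-range addresses.

```python
import json
from collections import defaultdict

def refang(indicator):  # undo defanging: 203.0.113[.]7 -> 203.0.113.7
    return indicator.replace("[.]", ".")

def summarize(log_lines, defanged_ip):
    """Per-day view of one source IP across Cowrie JSON logs from several sensors."""
    ip, proto = refang(defanged_ip), {}   # proto: session id -> protocol
    report = defaultdict(lambda: {"sensors": set(), "telnet_logins": 0, "echo_inputs": [], "downloads": []})
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("src_ip") != ip:
            continue
        day = report[ev.get("timestamp", "")[:10]]
        day["sensors"].add(ev.get("sensor"))
        eid, sid = ev.get("eventid"), ev.get("session")
        if eid == "cowrie.session.connect":
            proto[sid] = ev.get("protocol")
        elif eid == "cowrie.login.success" and proto.get(sid) == "telnet":
            day["telnet_logins"] += 1
        elif eid == "cowrie.command.input" and ev.get("input", "").split()[:1] == ["echo"]:
            day["echo_inputs"].append((ev.get("sensor"), ev["input"]))
        elif eid == "cowrie.session.file_download":
            day["downloads"].append((ev.get("url"), ev.get("shasum")))
    return dict(report)

def make_event(eventid, sensor, session, ts, ip="203.0.113.7", **extra):  # constructed log line
    return json.dumps(dict(eventid=eventid, sensor=sensor, session=session, timestamp=ts, src_ip=ip, **extra))

SAMPLE = [  # constructed input: documentation-range addresses and placeholder values only
    make_event("cowrie.session.connect", "sensor-1", "s1", "2026-02-15T03:00:00Z", protocol="telnet"),
    make_event("cowrie.login.success", "sensor-1", "s1", "2026-02-15T03:00:02Z", username="root"),
    make_event("cowrie.session.connect", "sensor-1", "s2", "2026-02-19T05:00:00Z", protocol="telnet"),
    make_event("cowrie.login.success", "sensor-1", "s2", "2026-02-19T05:00:02Z", username="root"),
    make_event("cowrie.command.input", "sensor-1", "s2", "2026-02-19T05:00:05Z", input='echo "constructed message"'),
    make_event("cowrie.session.file_download", "sensor-1", "s2", "2026-02-19T05:00:09Z",
               url="http://198.51.100.9/placeholder.sh", shasum="0" * 64),
    make_event("cowrie.command.input", "sensor-2", "s3", "2026-02-19T06:00:00Z", input='echo "constructed message"'),
    make_event("cowrie.command.input", "sensor-9", "s4", "2026-02-19T07:00:00Z", ip="192.0.2.50", input="echo other"),
    '{"eventid": "cowrie.command.inp',    # truncated line, as after log rotation
]

if __name__ == "__main__":
    for day, info in sorted(summarize(SAMPLE, "203.0.113[.]7").items()):
        print(day, sorted(info["sensors"]), info["telnet_logins"], info["echo_inputs"], info["downloads"])
```

A day on which `sensors` holds more than one entry and `echo_inputs` repeats the same string is the multi-sensor pattern the diary describes.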


Article by CyberSIXT