I host a honeypot at my IP address, along with several websites. This honeypot has completely automated retaliatory scanning and a Python script for weeding out uninteresting targets. I then filter through them, sometimes finding weird or cool websites.

Considering how many interesting things I’ve found so far, I figure I should start reporting them! These posts will be about them.

We start off with a Ukrainian(?) webstore. Probably not legit!
https://topprice.ua/

Full-page Shrek
http://85.218.130.118/

A website that sells mentoring?
http://217.76.56.32:3331/home

A Minecraft server. There are some cool structures!
http://37.187.251.151:25572/ <-- world map
http://37.187.251.151:8000/ <-- normal landing page

An architectural firm
https://179.12.255.134/

A Lemmy instance! This is not the first time Leminal Space pokes my honeypot.
http://5.161.203.119:9043/

Queer nerd blog (their words)
https://ky-bean.com/

Home of Brian Daniels, whoever he is!
https://108.203.5.85/

A website that sells printers
https://www.centro-ufficio.com/

Graphic design is my passion (CSS bhop servers by Mori)
https://morrigan.world/

Hotdog website
https://203.123.97.33/

Another Lemmy instance? I don’t know what frontend UI this is
https://139.99.239.54/posts/reddthat.com/all
http://139.99.239.54:9634/posts/reddthat.com/all

Ashish Banerjee’s website
https://209.141.59.100/site/

More Lemmy! Is there a bug in Lemmy’s backend that causes it to poke a domain’s root IP?
https://programming.dev/

Email marketing website
https://125.17.108.32/

A Thailand website for vaping? Under construction
https://vapeclubth.net/

A very cool elevator game made by NorthWestWind
https://42.2.67.232/

MCTV Community Television
https://54.215.10.112/

260 Shadowfoundation hits and 274 others (including the selection above), most of which were uninteresting, contained illegal materials or were engaging in illegal activity, or were hacked IoT devices and DVRs seemingly acting in a botnet. There are a lot of SSL Labs sites telling me my user agent is vulnerable. A lot of login pages, mostly for routers or other networking equipment. A few hits from Perfect Privacy VPNs. Surprisingly no Tor exit traffic this time. Only a single instance of an exposed Ceph metrics node.

  • kent_eh
    2 days ago

    I wonder how many of those servers you found that had been poking at you were compromised and the actual owners were not aware?

    • drkt@scribe.disroot.orgOP
      2 days ago

      I think it’s safe to say that anything with a public-facing login, which has also poked me, is compromised. 260 Shadowfoundation hits and 274 others, a handful of which were also legit scanners that identified themselves and their purpose.
      It’s probably very close to 50/50.

      I try to contact someone responsible about it when I can. 😀