I host a honeypot at my IP address, along with several websites. This honeypot has completely automated retaliatory scanning and a Python script for weeding out uninteresting targets. I then filter through them, sometimes finding weird or cool websites.

Considering how many interesting things I’ve found so far, I figure I should start reporting them! These posts will be about them.

We start off with a Ukrainian(?) webstore. Probably not legit!
https://topprice.ua/

Full-page Shrek
http://85.218.130.118/

A website that sells mentoring?
http://217.76.56.32:3331/home

A Minecraft server. There are some cool structures!
http://37.187.251.151:25572/ <-- world map
http://37.187.251.151:8000/ <-- normal landing page

An architectural firm
https://179.12.255.134/

A lemmy instance! This is not the first time Leminal Space pokes my honeypot.
http://5.161.203.119:9043/

Queer nerd blog (their words)
https://ky-bean.com/

Home of Brian Daniels, whoever he is!
https://108.203.5.85/

A website that sells printers
https://www.centro-ufficio.com/

Graphic design is my passion (CSS bhop servers by Mori)
https://morrigan.world/

Hotdog website
https://203.123.97.33/

Another Lemmy instance? I don’t know what frontend UI this is
https://139.99.239.54/posts/reddthat.com/all
http://139.99.239.54:9634/posts/reddthat.com/all

Ashish Banerjee’s website
https://209.141.59.100/site/

More Lemmy! Is there a bug in Lemmy’s backend that causes it to poke a domain’s root IP?
https://programming.dev/

Email marketing website
https://125.17.108.32/

A Thailand website for vaping? Under construction
https://vapeclubth.net/

A very cool elevator game made by NorthWestWind
https://42.2.67.232/

MCTV Community Television
https://54.215.10.112/

260 Shadowfoundation hits and 274 others (including the selection above), most of which were uninteresting, contained illegal materials or were engaging in illegal activity, or were hacked IoT devices and DVRs seemingly acting in a botnet. There are a lot of SSL Labs sites telling me my user agent is vulnerable. A lot of login pages, mostly for routers or other networking equipment. A few hits from Perfect Privacy VPNs. Surprisingly no Tor exit traffic this time. Only a single instance of an exposed Ceph metrics node.

  • kent_eh (8 upvotes, 2 days ago)

    I wonder how many of those servers you found that had been poking at you were compromised and the actual owners were not aware?

    • drkt@scribe.disroot.org (OP, 4 upvotes, 1 day ago)

      I think it's safe to say that anything with a public facing login, which has also poked me, is compromised. 260 Shadowfoundation hits and 274 others, a handful of which were also legit scanners that identified themselves and their purpose. It's probably very close to 50/50.

      I try to contact someone responsible about it when I can. 😀

  • Hereforpron2@lemmynsfw.com (7 upvotes, 2 days ago)

    As someone who understands very little about site security and traffic, can someone ELI5 here what’s going on and why these have accessed your IP/honeypot?

    • dyathinkhesaurus@lemmy.world (10 upvotes, edited, 2 days ago)

      Those sites/routers/iot devices have probably been compromised, perhaps by a botnet, and are themselves now scanning for others to infect.

      • drkt@scribe.disroot.org (OP, 11 upvotes, 2 days ago)

        Mostly! Not all are infected. Half of the traffic is just other researchers scanning the internet for legitimate research purposes, and they identify themselves if they’re nice. When it comes from a shared web host or VPS, it’s probably an individual renting space in a shared datacenter for malicious purposes, and the websites you’d find here have nothing to do with the malicious traffic. You can report it to the owner of the IP, but usually it’s a waste of time. If an IP redirects you to a domain, it’s usually because that’s a single host and not a shared IP, and those are 100% compromised. A lot of it is IoT devices like webcams and TVs which, for whatever reason, are exposed to the internet and have been compromised and participate in a botnet.

        The Lemmy instances that poke me are odd because they’re surely not compromised but it’s also not normal behavior. I suspect there’s a bug in pictrs or the way an instance can proxy URLs (I post image URLs from drkt.eu often), but this is completely baseless speculation on my part.

        I usually make an effort to contact website owners and let them know they poked my honeypot. I don’t care that they did, but they should consider if they’ve been compromised because there’s really no legitimate reason to touch my IP address directly on those ports.
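An added example (not the poster's script and not Lemmy code): a small Python triage pass that applies the rough rules from this reply and the earlier one about public-facing logins to honeypot hit records. The record fields, the regexes and the sample addresses are all assumptions made for illustration.

```python
# Added example (not the poster's script): triage honeypot hits with the rough
# heuristics from the comments above. Fields, regexes and samples are constructed.
import re
from dataclasses import dataclass

@dataclass
class Hit:
    src_ip: str
    dst_port: int
    user_agent: str = ""
    redirects_to: str = ""    # hostname a look-up of src_ip redirected to, if any
    login_page: bool = False  # src_ip serves a public-facing login form
    banner: str = ""          # Server header / page title seen on src_ip

# Polite scanners identify themselves, usually with a URL or contact address.
SELF_ID = re.compile(r"https?://|mailto:|@|research|scanner", re.I)
# IoT-style banners (constructed keywords; tune to what your honeypot sees).
IOT_BANNER = re.compile(r"dvr|ipcam|webcam|netcam|smart ?tv", re.I)

def classify(hit: Hit) -> str:
    """Return a triage label; rules are ordered and the first match wins."""
    if SELF_ID.search(hit.user_agent):
        return "self-identified scanner, probably benign research"
    if IOT_BANNER.search(hit.banner):
        return "IoT device, likely botnet member"
    if hit.redirects_to:  # one IP redirecting to one domain is usually a single host
        return "single host, likely compromised"
    if hit.login_page:
        return "public login page that scanned you, likely compromised"
    return "shared host/VPS or unknown, low triage priority"

def triage(hits):
    """Group source IPs by label so the interesting ones can be looked at first."""
    report = {}
    for h in hits:
        report.setdefault(classify(h), []).append(h.src_ip)
    return report

# Constructed sample hits; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE = [
    Hit("192.0.2.10", 22, user_agent="ExampleResearch/1.0 (+https://research.example/why)"),
    Hit("192.0.2.11", 445, banner="DVR Web Client"),
    Hit("192.0.2.12", 80, redirects_to="shop.example"),
    Hit("192.0.2.13", 8080, login_page=True, banner="Router admin login"),
    Hit("192.0.2.14", 443),
]

if __name__ == "__main__":
    for label, ips in triage(SAMPLE).items():
        print(f"{label}: {', '.join(ips)}")
```

The labels are only a starting point for deciding whom to notify first; a real run would feed them from the honeypot's own log format.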

      • Hereforpron2@lemmynsfw.com (7 upvotes, edited, 2 days ago)

        Ahhh thank you, I was wondering why they’d show that behavior. So in nature and bad pun terms, you could say they have been compromised and are now para sites.