Skip to main content

SYS.CORE // SECURE UPLINK ESTABLISHED

STATUS: ONLINE

> w33t.terminal

HONEYPOT_ARRAY

What happens when you leave a server on the internet

A T-Pot honeypot sits on my home network and pretends to be a vulnerable server. Bots and attackers find it within minutes, try default passwords, drop malware, and probe for web exploits. This page visualizes that traffic as it happens.

Cowrie

Emulates SSH and Telnet services. Captures every username, password, and shell command attackers try.

Dionaea

Mimics services like SMB, FTP, and HTTP to lure in malware droppers. Saves every binary that lands.

Tanner / Snare

A fake web application that classifies incoming requests — SQL injection, XSS, path traversal, and more.

Total attacks

10,000

No change since last update

Unique source IPs

455

Distinct attacker addresses seen in the current window.

Top targeted service

SMB (90%)

Port 445 via DIONAEA

Malware captures

0

Malware binaries caught by Dionaea in the current window.

Credential attempts

1,089

Login attempts caught across SSH, Telnet, FTP, and other exposed services.

Web attack events

535

Hostile web requests classified by Tanner in the current window.

Attack timeline

Hourly event counts over the past week.

LAST_168_HOURS

Attack timelineArea chart showing total honeypot events per hour over the retained timeline.13374100316687334404-21 08:0004-24 19:0004-28 07:00

Sensor status

Latest snapshot2026-04-28 07:07
Window size24h
Source labeltpot-proxmox
Observed countries20

Attacker origins

Where the attacks are coming from, based on source IP geolocation.

GEO_DENSITY

Attacker origins world mapWorld map shading countries by observed honeypot attack count in the latest snapshot.Afghanistan: 0 attacksAlbania: 0 attacksAlgeria: 0 attacksAngola: 0 attacksArgentina: 0 attacksArmenia: 0 attacksAustralia: 0 attacksAustria: 0 attacksAzerbaijan: 0 attacksBangladesh: 0 attacksBelarus: 0 attacksBelgium: 0 attacksBelize: 0 attacksBenin: 0 attacksBermuda: 0 attacksBhutan: 0 attacksBolivia: 0 attacksBosnia and Herzegovina: 0 attacksBotswana: 0 attacksBrazil: 0 attacksBrunei: 0 attacksBulgaria: 0 attacksBurkina Faso: 0 attacksBurundi: 0 attacksCambodia: 0 attacksCameroon: 0 attacksCanada: 0 attacksCentral African Republic: 0 attacksChad: 0 attacksChile: 0 attacksChina: 590 attacksColombia: 0 attacksCosta Rica: 0 attacksCroatia: 0 attacksCuba: 0 attacksCyprus: 0 attacksCzech Republic: 0 attacksDemocratic Republic of the Congo: 0 attacksDenmark: 0 attacksDjibouti: 0 attacksDominican Republic: 0 attacksEast Timor: 0 attacksEcuador: 0 attacksEgypt: 5,973 attacksEl Salvador: 0 attacksEquatorial Guinea: 0 attacksEritrea: 0 attacksEstonia: 0 attacksEthiopia: 0 attacksFalkland Islands: 0 attacksFiji: 0 attacksFinland: 0 attacksFrance: 0 attacksFrench Guiana: 0 attacksFrench Southern and Antarctic Lands: 0 attacksGabon: 0 attacksGambia: 0 attacksGeorgia: 0 attacksGermany: 166 attacksGhana: 0 attacksGreece: 0 attacksGreenland: 0 attacksGuatemala: 0 attacksGuinea: 0 attacksGuinea Bissau: 0 attacksGuyana: 0 attacksHaiti: 0 attacksHonduras: 0 attacksHungary: 0 attacksIceland: 0 attacksIndia: 308 attacksIndonesia: 122 attacksIran: 0 attacksIraq: 0 attacksIreland: 0 attacksIsrael: 0 attacksItaly: 0 attacksIvory Coast: 0 attacksJamaica: 0 attacksJapan: 0 attacksJordan: 0 attacksKazakhstan: 0 attacksKenya: 0 attacksKosovo: 0 attacksKuwait: 0 attacksKyrgyzstan: 0 attacksLaos: 0 attacksLatvia: 0 attacksLebanon: 0 attacksLesotho: 0 attacksLiberia: 0 attacksLibya: 0 attacksLithuania: 0 attacksLuxembourg: 183 attacksMacedonia: 0 attacksMadagascar: 0 attacksMalawi: 0 attacksMalaysia: 0 attacksMali: 0 attacksMalta: 0 attacksMauritania: 0 attacksMexico: 3,199 attacksMoldova: 0 attacksMongolia: 3,151 attacksMontenegro: 0 attacksMorocco: 0 attacksMozambique: 0 attacksMyanmar: 0 attacksNamibia: 0 attacksNepal: 0 attacksNetherlands: 323 attacksNew Caledonia: 0 attacksNew Zealand: 0 attacksNicaragua: 0 attacksNiger: 0 attacksNigeria: 0 attacksNorth Korea: 0 attacksNorthern Cyprus: 0 attacksNorway: 0 attacksOman: 0 attacksPakistan: 3,122 attacksPanama: 0 attacksPapua New Guinea: 0 attacksParaguay: 0 attacksPeru: 0 attacksPhilippines: 0 attacksPoland: 749 attacksPortugal: 0 attacksPuerto Rico: 0 attacksQatar: 0 attacksRepublic of Serbia: 0 attacksRepublic of the Congo: 0 attacksRomania: 411 attacksRussia: 202 attacksRwanda: 0 attacksSaudi Arabia: 0 attacksSenegal: 0 attacksSierra Leone: 0 attacksSlovakia: 0 attacksSlovenia: 0 attacksSolomon Islands: 0 attacksSomalia: 0 attacksSomaliland: 0 attacksSouth Africa: 0 attacksSouth Korea: 248 attacksSouth Sudan: 0 attacksSpain: 0 attacksSri Lanka: 0 attacksSudan: 0 attacksSuriname: 0 attacksSwaziland: 0 attacksSweden: 0 attacksSwitzerland: 0 attacksSyria: 0 attacksTaiwan: 224 attacksTajikistan: 0 attacksThailand: 352 attacksThe Bahamas: 0 attacksTogo: 0 attacksTrinidad and Tobago: 0 attacksTunisia: 0 attacksTurkey: 0 attacksTurkmenistan: 0 attacksUganda: 0 attacksUkraine: 0 attacksUnited Arab Emirates: 0 attacksUnited Kingdom: 85 attacksUnited Republic of Tanzania: 0 attacksUnited States of America: 509 attacksUruguay: 0 attacksUzbekistan: 0 attacksVanuatu: 0 attacksVenezuela: 0 attacksVietnam: 542 attacksWest Bank: 0 attacksWestern Sahara: 0 attacksYemen: 0 attacksZambia: 0 attacksZimbabwe: 0 attacks

Top source countries

#CountryAttacksIPs
1Egypt5,9733
2Mexico3,1993
3Mongolia3,1511
4Pakistan3,1223
5Poland7494
6China59078
7Vietnam5427
8United States50999
9Romania4117
10Thailand3524

Protocol and service breakdown

Which services attackers are going after the most.

SERVICE_MIX

Protocol and service breakdown: Horizontal bar chart showing the most targeted services and ports in the current honeypot snapshot.

SMB :445
15,515 events
SSH :22
887 events
HTTP :80
537 events
DNS :53
200 events
PORT-3478 :3478
8 events
SMTP :25
6 events

Web attack categories

Types of web exploits attempted against the fake application.

WEB_SIGS

Web attack categories: Horizontal bar chart showing the most common classified web attack categories in the current snapshot.

Unclassified
535 requests

Credential attempts

The most common username and password combinations attackers try across all exposed services.

AUTH_PRESSURE

#UsernamePasswordAttempts
1rootadmin109
2345gs5662d34345gs5662d3498
3root3245gs5662d3497
4adminadmin12
5rootroot7
6supportsupport5
7ubntubnt5
8useruser4
9support1111113
10admin002
11admin1112
12debian000002
13debian1111112
14debian2222
15support00002
16test02
17ubnt0002
18ubnt22222222
19user02
20user666662

Malware captures

Binaries that attackers dropped onto the honeypot. Each hash links to VirusTotal for analysis.

PAYLOAD_INDEX

SHA-256TypeCapturesFirst seen
No malware samples captured yet.

What's happening

AI-generated summary of the latest 24-hour window of honeypot activity.

AI_SUMMARY

In the last 24 hours, 10,000 attacks were recorded from 455 unique source IPs. The top source countries were Egypt, Mexico, Mongolia, and Pakistan, accounting for 15,445 attacks, with Egypt alone contributing 5,973 attacks from just 3 IPs. The most targeted services were SMB on port 445 with 15,515 events, followed by SSH on port 22 with 887 events, and HTTP on port 80 with 537 events, with the top credential attempt count being 109 for a single username/password pair.

Generated by Llama 4 Scout via Cloudflare Workers AI