Stats · HoneyMire Hub

Public stats

Aggregate attack telemetry from users who opted into the public feed. Auto-refreshes every 30s.

Total attacks170,809all-time

Attacks 24h17,115last 24 hours

Unique attackers7,914804 in 24h

Returning attackers2,06126.0% of uniques

Auth success rate97.4%100,061 of 102,720 known

Avg commands5.1per session

Avg session25.3 sduration

Public reporters1opted-in users

World coverage15.0%3/20 areas

Countries covered4honeypot locations

Public honeypots55 online · 0 offline

Commands captured447,712across all sessions

Avg severity2834,447 high/critical

CVE attempts0CVE-ID references seen

Pre-session probes6,548,505connects before sessions

Bandwidth in26.2 MiBfrom attackers

Bandwidth out37.1 MiBhoneypot replies

Avg response5 mshoneypot latency

Activity over time

Attacks per hour

Last 24 hours, hourly buckets.

Attacks per day

Last 7 days, midnight-UTC buckets.

06-10

06-11

06-12

06-13

06-14

06-15

06-16

Time of day (UTC)

All-time activity by UTC hour — when attackers hit the hub.

Time of day (attacker-local)

All-time activity by hour in the attacker's local time, approximated from their country code (DST ignored).

Day of week (UTC)

All-time activity by UTC weekday.

Sun

Mon

Tue

Wed

Thu

Fri

Sat

Honeypot fleet

World coverage

Coverage score is based on 20 practical deployment areas. One public honeypot in each area reaches 100%; extra honeypots add resilience but do not inflate the score.

Western Europe

North America - East

Southeast Asia

Honeypot countries

🇱🇺Luxembourg

🇫🇷France

🇸🇬Singapore

🇺🇸United States

Country	Honeypots
🇱🇺Luxembourg	2
🇫🇷France	1
🇸🇬Singapore	1
🇺🇸United States	1

Hardware boards

ESP32 variants reporting to public feeds.

docker-edge 4 80.0%

esp32-c3-supermini 1 20.0%

Board	Count
`docker-edge`	4
`esp32-c3-supermini`	1

Firmware versions

Firmware	Count
`0.1.0`	4
`1.1.0`	1

Sensors online/offline

Online = reported in the last 15 minutes.

online 5 100.0%

offline 0 0.0%

Sensor uptime distribution

How long each honeypot has been up since its last reboot, last reported by the firmware.

< 1 hour

7 – 30 days

Attack geography

Top source countries

🇨🇳China

42932

🇳🇱The Netherlands

25364

🇺🇸United States

23038

🇵🇰Pakistan

14023

🇮🇷Iran

5159

🇮🇳India

5046

🇷🇺Russia

4242

🇵🇱Poland

4154

🇧🇷Brazil

3399

🇳🇱Netherlands

3167

Country	Attacks
🇨🇳China	42932
🇳🇱The Netherlands	25364
🇺🇸United States	23038
🇵🇰Pakistan	14023
🇮🇷Iran	5159
🇮🇳India	5046
🇷🇺Russia	4242
🇵🇱Poland	4154
🇧🇷Brazil	3399
🇳🇱Netherlands	3167

Top target countries

🇱🇺Luxembourg

73417

🇫🇷France

36070

🇸🇬Singapore

33617

🇺🇸United States

27705

Country	Attacks
🇱🇺Luxembourg	73417
🇫🇷France	36070
🇸🇬Singapore	33617
🇺🇸United States	27705

Attacker → target countries

Attacker	Target	Count
🇨🇳China	🇱🇺Luxembourg	21059
🇵🇰Pakistan	🇱🇺Luxembourg	13630
🇺🇸United States	🇱🇺Luxembourg	10365
🇳🇱The Netherlands	🇱🇺Luxembourg	9525
🇨🇳China	🇫🇷France	8168
🇳🇱The Netherlands	🇫🇷France	7570
🇨🇳China	🇺🇸United States	7385
🇳🇱The Netherlands	🇸🇬Singapore	7122
🇨🇳China	🇸🇬Singapore	6320
🇺🇸United States	🇫🇷France	5201
🇺🇸United States	🇺🇸United States	4445
🇷🇺Russia	🇱🇺Luxembourg	3660
🇺🇸United States	🇸🇬Singapore	3027
🇰🇷South Korea	🇸🇬Singapore	2004
🇮🇳India	🇱🇺Luxembourg	1943

Attack attributes

Protocol split

telnet 117026 68.5%

ssh 53783 31.5%

Top target ports

Destination port the attacker connected to on the honeypot. Inferred from protocol when not reported.

23 (telnet)

117026

22 (ssh)

53783

Authentication outcomes

Whether the honeypot let the attacker in (after its configured threshold).

authenticated 100061 58.6%

unknown 68089 39.9%

rejected 2659 1.6%

Attacker profiles

Behavioral classification from the firmware.

creds-only 83320 48.8%

mirai 43977 25.7%

scripted 40663 23.8%

creds-probe 2492 1.5%

iot-loader 212 0.1%

scanner 145 0.1%

Profile	Count
`creds-only`	83320
`mirai`	43977
`scripted`	40663
`creds-probe`	2492
`iot-loader`	212
`scanner`	145

Network / ASN

Top ASNs

ASN	Count
`AS47890 UNMANAGED LTD`	25237
`AS4837 CHINA UNICOM China169 Backbone`	16121
`AS4134 CHINANET BACKBONE`	14216
`AS14061 DigitalOcean, LLC`	13569
`AS4134 CHINANET-BACKBONE`	5942
`AS9541 Cyber Internet Services (Pvt) Ltd.`	5732
`AS58224 Iran Telecommunication Company PJS`	4005
`AS200730 ISAEV Igor`	3988
`AS398779 Ace Host, LLC`	3657
`AS8359 MTS PJSC`	3435

Network types

unknown 73329 42.9%

isp 52172 30.5%

residential 23507 13.8%

cdn 20994 12.3%

enterprise 785 0.5%

education 22 0.0%

Type	Count
unknown	73329
isp	52172
residential	23507
cdn	20994
enterprise	785
education	22

Top network providers

Provider	Count
Unmanaged LTD	25237
China Telecom	21657
China Unicom	16122
DigitalOcean	13572
Cyber Internet Services	5732
ISAEV Igor	3988
Cogent Communications	3717
Mobile TeleSystems PJSC	3435
Iran Telecommunication Company PJS	3149
CMPak Limited	3011

Target exposure by provider

Target ISP / network	Count
Servers.com, Inc.	37246
POST Luxembourg	36171
OVH SAS	36070
M247 Europe SRL	33617
HostPapa	27705

Network confidence

medium 97480 57.1%

low 73328 42.9%

unknown 1 0.0%

ASN → target countries

ASN	Target	Count
`AS4837 CHINA UNICOM China169 Backbone`	🇱🇺Luxembourg	12967
`AS47890 UNMANAGED LTD`	🇱🇺Luxembourg	9385
`AS47890 UNMANAGED LTD`	🇫🇷France	8232
`AS47890 UNMANAGED LTD`	🇸🇬Singapore	6748
`AS9541 Cyber Internet Services (Pvt) Ltd.`	🇱🇺Luxembourg	5640
`AS14061 DigitalOcean, LLC`	🇱🇺Luxembourg	4277
`AS4134 CHINANET BACKBONE`	🇺🇸United States	4041
`AS4134 CHINANET BACKBONE`	🇫🇷France	3806
`AS398779 Ace Host, LLC`	🇱🇺Luxembourg	3657
`AS14061 DigitalOcean, LLC`	🇫🇷France	3595
`AS8359 MTS PJSC`	🇱🇺Luxembourg	3416
`AS4134 CHINANET BACKBONE`	🇱🇺Luxembourg	3330
`AS4134 CHINANET BACKBONE`	🇸🇬Singapore	3039
`AS14061 DigitalOcean, LLC`	🇸🇬Singapore	2973
`AS14061 DigitalOcean, LLC`	🇺🇸United States	2724

ASN → target ASN

Attacker ASN	Target ASN	Count
`AS4837 CHINA UNICOM China169 Backbone`	`AS6661 POST Luxembourg`	12135
`AS47890 UNMANAGED LTD`	`AS7979 Servers.com, Inc.`	9385
`AS47890 UNMANAGED LTD`	`AS16276 OVH SAS`	8232
`AS47890 UNMANAGED LTD`	`AS9009 M247 Europe SRL`	6748
`AS9541 Cyber Internet Services (Pvt) Ltd.`	`AS6661 POST Luxembourg`	5543
`AS4134 CHINANET BACKBONE`	`AS36352 HostPapa`	4041
`AS4134 CHINANET BACKBONE`	`AS16276 OVH SAS`	3806
`AS398779 Ace Host, LLC`	`AS7979 Servers.com, Inc.`	3657
`AS14061 DigitalOcean, LLC`	`AS16276 OVH SAS`	3595
`AS8359 MTS PJSC`	`AS6661 POST Luxembourg`	3406
`AS4134 CHINANET BACKBONE`	`AS7979 Servers.com, Inc.`	3283
`AS4134 CHINANET BACKBONE`	`AS9009 M247 Europe SRL`	3039
`AS14061 DigitalOcean, LLC`	`AS9009 M247 Europe SRL`	2973
`AS14061 DigitalOcean, LLC`	`AS7979 Servers.com, Inc.`	2962
`AS14061 DigitalOcean, LLC`	`AS36352 HostPapa`	2724

Network type → target countries

Network type	Target	Count
isp	🇱🇺Luxembourg	28155
unknown	🇱🇺Luxembourg	27612
unknown	🇫🇷France	17148
unknown	🇸🇬Singapore	15846
unknown	🇺🇸United States	12723
residential	🇱🇺Luxembourg	10687
isp	🇺🇸United States	8391
isp	🇫🇷France	8061
isp	🇸🇬Singapore	7565
cdn	🇱🇺Luxembourg	6880
cdn	🇫🇷France	6756
residential	🇸🇬Singapore	5982
residential	🇫🇷France	4021
cdn	🇺🇸United States	3715
cdn	🇸🇬Singapore	3643

Credentials & content

Top attacker IPs

Most active source addresses on the public feed.

IP	Count
`87.251.64.176`	3988
`38.95.14.214`	3657
`80.94.92.167`	3593
`80.94.92.187`	3374
`80.94.92.128`	3249
`80.94.92.177`	3014
`80.94.92.164`	2949
`120.231.215.45`	2126
`80.94.92.165`	2008
`161.35.61.64`	1993

Top credential pairs

Aggregated across public feeds.

user : pass	Count
`system:shell`	11673
`support:support`	4898
`0:0`	2640
`sol:sol`	2515
`root:`	2141
`admin:admin`	1874
`solana:solana`	1523
`root:Zte521`	1487
`root:root`	1294
`ubuntu:ubuntu`	1280

Top usernames

Aggregated across public feeds.

Username	Count
`root`	47072
`admin`	17969
`system`	12058
`sol`	6972
`support`	5706
`solana`	5029
`ubuntu`	4271
`default`	3534
`guest`	2696
`0`	2640

Top passwords

Aggregated across public feeds.

Password	Count
`shell`	11673
`123456`	5447
`support`	4900
`1234`	4214
`admin`	3850
`12345`	3147
`sol`	2894
`0`	2666
`12345678`	2058
`solana`	2039

Top command chains

Command chain	Count
`/bin/./uname -s -v -n -r -m`	25027
`sh /bin/busybox UNSTABLE`	8684
`uname -s -v -n -r -m`	4722
`uname -a`	3422
`cd ~; chattr -ia .ssh; lockr -ia .ssh`	2888
`start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd...`	2051
`sh`	1711
`start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd...`	1667
`start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd...`	1184
`start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd...`	1166

Top malware URLs

URL	Count
`http://192.168.1.1:8088/i`	10941
`http://110.36.13.229:34353/i`	6153
`http://81.229.60.159:58639/i`	3618
`http://112.248.105.102:44168/i`	3498
`http://188.149.206.91:59551/i`	2361
`http://60.22.86.235:35153/i`	2346
`http://46.236.65.145:47053/i`	1995
`http://124.94.124.156:41618/i`	1863
`http://176.106.241.72:48551/i`	1839
`http://81.226.168.17:40587/i`	1803

Threat assessment

Severity distribution

Hub-computed score (0-100) per attack: informational ≤ 1, low < 40, medium < 70, high < 90, critical ≥ 90. Older rows that pre-date scoring show as unscored.

informational 69522 40.7%

low 57080 33.4%

medium 9760 5.7%

high 34443 20.2%

critical 4 0.0%

Band	Count
informational	69522
low	57080
medium	9760
high	34443
critical	4

Top CVE references

CVE-IDs extracted from command summaries (and explicit firmware reports). Useful for spotting CVE-driven scanner waves.

No CVE references seen yet.

Top reverse-DNS suffixes

Last 2-3 labels of the PTR record per attacker IP. Local resolver only — no third-party intel feeds.

Suffix	Count
`ny.adsl`	6691
`lionwire.com`	3657
`mts-chita.ru`	3420
`hostforweb.net`	1526
`hinet.net`	1324
`wateen.net`	1199
`mybizniche.com`	1146
`ip-94-23-66.eu`	960
`163data.com.cn`	918
`secureserver.net`	888
`nt-isp.net`	874
`com.py`	873

Client fingerprints

Top client banners

Raw banner the attacker tool announced (e.g. SSH-2.0-libssh_0.9.6).

Banner	Count
`SSH-2.0-Go`	43107
`root`	13637
`admin`	9080
`SSH-2.0-libssh_0.9.6`	2594
`SSH-2.0-PuTTY_Release_0.84`	1988
`SSH-2.0-libssh2_1.8.1`	1444
`super`	768
`SSH-2.0-OpenSSH_7.4`	725
`guest`	713
`SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3`	697

Top HASSH fingerprints

MD5 over SSH client KEXINIT algorithm lists.

No HASSH fingerprints yet — firmware must capture and report.

Top JA3 fingerprints

MD5 over TLS ClientHello (only applicable when the listener speaks TLS).

No JA3 fingerprints yet — firmware must capture and report.

SSH probing

SSH key types

Algorithm of public keys offered before any password attempt.

ssh-rsa 12 92.3%

ssh-ed25519 1 7.7%

Key type	Count
`ssh-rsa`	12
`ssh-ed25519`	1

Top SSH key fingerprints

Fingerprint	Count
`SHA256:WL+QR9x+2QKzI6U4Ks7LPXWa0Vb22vjSn0groO1Ao8k`	8
`SHA256:f2HQeWaKQsmlbtBgUTxZfhSKRYU54OtEtSRitoTmOp4`	3
`SHA256:pjD1AGDXnd8PXgnrLAv7WTkPeV0xGAL0xooPKb2uyFI`	1
`SHA256:Wv4u5KOGs5/xiDvId+VaJ36TLUAy1ACQMDZSt441gP8`	1

Threat-intel reporting

Reported-to services

Where the firmware has already submitted these attacks (for cross-referencing — the hub does NOT re-submit).

Service	Count
`otx`	17940

HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire