HoneyMire Hub

Public stats

Aggregate attack telemetry from users who opted into the public feed. Auto-refreshes every 30s.

Total attacks: 291,742 (all-time)
Attacks 24h: 6,796 (last 24 hours)
Unique attackers: 13,425 (802 in 24h)
Returning attackers: 4,520 (33.7% of uniques)
Auth success rate: 97.4% (182,704 of 187,505 known)
Avg commands: 5.3 (per session)
Avg session: 1.1 min (duration)
Public reporters: 1 (opted-in users)
World coverage: 15.0% (3/20 areas)
Countries covered: 4 (honeypot locations)
Public honeypots: 5 (5 online · 0 offline)
Commands captured: 825,016 (across all sessions)
Avg severity: 30 (63,635 high/critical)
CVE attempts: 0 (CVE-ID references seen)
Pre-session probes: 11,478,699 (connects before sessions)
Bandwidth in: 53.4 MiB (from attackers)
Bandwidth out: 70.4 MiB (honeypot replies)
Avg response: 4 ms (honeypot latency)

Activity over time

Attacks per hour

Last 24 hours, hourly buckets.

Attacks per day

Last 7 days, midnight-UTC buckets.

Time of day (UTC)

All-time activity by UTC hour — when attackers hit the hub.

Time of day (attacker-local)

All-time activity by hour in the attacker's local time, approximated from their country code (DST ignored).

Day of week (UTC)

All-time activity by UTC weekday.

Honeypot fleet

World coverage

Coverage score is based on 20 practical deployment areas. One public honeypot in each area reaches 100%; extra honeypots add resilience but do not inflate the score.

Western Europe: 3
North America - East: 1
Southeast Asia: 1

Honeypot countries

Country | Honeypots
🇱🇺 Luxembourg | 2
🇫🇷 France | 1
🇸🇬 Singapore | 1
🇺🇸 United States | 1

Hardware boards

ESP32 variants reporting to public feeds.

Board | Count | Share
docker-edge | 4 | 80.0%
esp32-c3-supermini | 1 | 20.0%

Firmware versions

Firmware | Count
0.1.0 | 4
1.1.0 | 1

Sensors online/offline

Online = reported in the last 15 minutes.

online 5 100.0%
offline 0 0.0%

Sensor uptime distribution

How long each honeypot has been up since its last reboot, last reported by the firmware.

< 1 hour: 1
7 – 30 days: 4

Attack geography

Top source countries

Country | Attacks
🇨🇳 China | 65874
🇳🇱 The Netherlands | 46051
🇺🇸 United States | 38055
🇵🇰 Pakistan | 25425
🇷🇺 Russia | 8920
🇮🇳 India | 8268
🇵🇱 Poland | 7835
🇬🇧 United Kingdom | 7754
🇮🇷 Iran | 7671
🇮🇩 Indonesia | 6022

Top target countries

Country | Attacks
🇱🇺 Luxembourg | 125374
🇫🇷 France | 65060
🇸🇬 Singapore | 53056
🇺🇸 United States | 48251

Attacker → target countries

Attacker | Target | Count
🇨🇳 China | 🇱🇺 Luxembourg | 33264
🇵🇰 Pakistan | 🇱🇺 Luxembourg | 24800
🇳🇱 The Netherlands | 🇱🇺 Luxembourg | 16387
🇺🇸 United States | 🇱🇺 Luxembourg | 14790
🇳🇱 The Netherlands | 🇫🇷 France | 13396
🇳🇱 The Netherlands | 🇸🇬 Singapore | 13166
🇨🇳 China | 🇫🇷 France | 12988
🇨🇳 China | 🇺🇸 United States | 11389
🇺🇸 United States | 🇺🇸 United States | 9536
🇺🇸 United States | 🇫🇷 France | 9114
🇨🇳 China | 🇸🇬 Singapore | 8233
🇷🇺 Russia | 🇱🇺 Luxembourg | 8018
🇺🇸 United States | 🇸🇬 Singapore | 4615
🇮🇩 Indonesia | 🇫🇷 France | 3176
🇳🇱 The Netherlands | 🇺🇸 United States | 3102

Attack attributes

Protocol split

telnet 194634 66.7%
ssh 97108 33.3%

Top target ports

Destination port the attacker connected to on the honeypot. Inferred from protocol when not reported.

23 (telnet): 194634
22 (ssh): 97108

Authentication outcomes

Whether the honeypot let the attacker in (after its configured threshold).

authenticated 182704 62.6%
unknown 104237 35.7%
rejected 4801 1.6%

Attacker profiles

Behavioral classification from the firmware.

Profile | Count | Share
creds-only | 135562 | 46.5%
mirai | 82174 | 28.2%
scripted | 68756 | 23.6%
creds-probe | 4512 | 1.5%
iot-loader | 504 | 0.2%
scanner | 234 | 0.1%

Network / ASN

Top ASNs

ASN | Count
AS47890 UNMANAGED LTD | 41734
AS4837 CHINA UNICOM China169 Backbone | 25585
AS4134 CHINANET BACKBONE | 22477
AS14061 DigitalOcean, LLC | 22098
AS9541 Cyber Internet Services (Pvt) Ltd. | 10499
AS8359 MTS PJSC | 7448
AS58224 Iran Telecommunication Company PJS | 6407
AS200730 ISAEV Igor | 6115
AS4134 CHINANET-BACKBONE | 5942
AS138423 CMPak Limited | 4989

Network types

Type | Count | Share
unknown | 125891 | 43.2%
isp | 83068 | 28.5%
residential | 41703 | 14.3%
cdn | 39715 | 13.6%
enterprise | 1312 | 0.4%
education | 52 | 0.0%

Top network providers

Provider | Count
Unmanaged LTD | 41734
China Telecom | 30559
China Unicom | 25592
DigitalOcean | 22101
Cyber Internet Services | 10499
Mobile TeleSystems PJSC | 7448
CMPak Limited | 6645
ISAEV Igor | 6115
BULLETGROUP | 4928
Cogent Communications | 4593

Target exposure by provider

Target ISP / network | Count
POST Luxembourg | 65940
OVH SAS | 65060
Servers.com, Inc. | 59434
M247 Europe SRL | 53057
HostPapa | 48251

Network confidence

medium 165850 56.8%
low 125890 43.2%
unknown 1 0.0%

ASN → target countries

ASN | Target | Count
AS4837 CHINA UNICOM China169 Backbone | 🇱🇺 Luxembourg | 20849
AS47890 UNMANAGED LTD | 🇱🇺 Luxembourg | 15471
AS47890 UNMANAGED LTD | 🇫🇷 France | 13112
AS47890 UNMANAGED LTD | 🇸🇬 Singapore | 10745
AS9541 Cyber Internet Services (Pvt) Ltd. | 🇱🇺 Luxembourg | 10285
AS8359 MTS PJSC | 🇱🇺 Luxembourg | 7419
AS4134 CHINANET BACKBONE | 🇺🇸 United States | 6734
AS14061 DigitalOcean, LLC | 🇱🇺 Luxembourg | 6438
AS4134 CHINANET BACKBONE | 🇫🇷 France | 6435
AS14061 DigitalOcean, LLC | 🇫🇷 France | 5818
AS4134 CHINANET BACKBONE | 🇱🇺 Luxembourg | 5334
AS14061 DigitalOcean, LLC | 🇺🇸 United States | 5104
AS138423 CMPak Limited | 🇱🇺 Luxembourg | 4941
AS14061 DigitalOcean, LLC | 🇸🇬 Singapore | 4738
AS398779 Ace Host, LLC | 🇱🇺 Luxembourg | 4480

ASN → target ASN

Attacker ASN | Target ASN | Count
AS4837 CHINA UNICOM China169 Backbone | AS6661 POST Luxembourg | 19062
AS47890 UNMANAGED LTD | AS7979 Servers.com, Inc. | 15471
AS47890 UNMANAGED LTD | AS16276 OVH SAS | 13112
AS47890 UNMANAGED LTD | AS9009 M247 Europe SRL | 10745
AS9541 Cyber Internet Services (Pvt) Ltd. | AS6661 POST Luxembourg | 10088
AS8359 MTS PJSC | AS6661 POST Luxembourg | 7407
AS4134 CHINANET BACKBONE | AS36352 HostPapa | 6734
AS4134 CHINANET BACKBONE | AS16276 OVH SAS | 6435
AS14061 DigitalOcean, LLC | AS16276 OVH SAS | 5818
AS4134 CHINANET BACKBONE | AS7979 Servers.com, Inc. | 5150
AS14061 DigitalOcean, LLC | AS36352 HostPapa | 5104
AS138423 CMPak Limited | AS6661 POST Luxembourg | 4884
AS14061 DigitalOcean, LLC | AS7979 Servers.com, Inc. | 4774
AS14061 DigitalOcean, LLC | AS9009 M247 Europe SRL | 4738
AS398779 Ace Host, LLC | AS7979 Servers.com, Inc. | 4480

Network type → target countries

Network type | Target | Count
isp | 🇱🇺 Luxembourg | 47961
unknown | 🇱🇺 Luxembourg | 45246
unknown | 🇫🇷 France | 31132
unknown | 🇸🇬 Singapore | 27121
unknown | 🇺🇸 United States | 22392
residential | 🇱🇺 Luxembourg | 21475
cdn | 🇫🇷 France | 14343
isp | 🇫🇷 France | 12838
isp | 🇺🇸 United States | 12140
cdn | 🇱🇺 Luxembourg | 10400
isp | 🇸🇬 Singapore | 10129
residential | 🇸🇬 Singapore | 8611
cdn | 🇺🇸 United States | 8534
residential | 🇫🇷 France | 6571
cdn | 🇸🇬 Singapore | 6438

Credentials & content

Top attacker IPs

Most active source addresses on the public feed.


Top credential pairs

Aggregated across public feeds.

user : pass | Count
system:shell | 20951
support:support | 7470
0:0 | 4828
sol:sol | 3948
root: | 3269
admin:admin | 3055
root:Zte521 | 2989
shell:sh | 2639
solana:solana | 2264
root:root | 1994

Top usernames

Aggregated across public feeds.

Username | Count
root | 78272
admin | 31688
system | 21543
sol | 10904
support | 9063
solana | 7697
ubuntu | 6529
default | 5381
0 | 4828
guest | 4516

Top passwords

Aggregated across public feeds.

Password | Count
shell | 20952
123456 | 9109
support | 7473
1234 | 7342
admin | 6110
12345 | 4964
0 | 4875
sol | 4524
12345678 | 3411
solana | 3098

Top command chains

Command chain (count at end of each line)
/bin/./uname -s -v -n -r -m 38225
sh /bin/busybox UNSTABLE 14390
uname -s -v -n -r -m 10050
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH uname=$(uname -s -v -n -m 2>/dev/null) arch=$(uname -m 2>/dev/null) uptime=$(cat /proc/uptime 2>/d... 5322
cd ~; chattr -ia .ssh; lockr -ia .ssh 5236
uname -a 3802
sh 3122
start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd... 2348
start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd... 2051
sh >/tmp/.ptmx && cd /tmp/ >/var/tmp/.ptmx && cd /var/tmp/ >/var/run/.ptmx && cd /var/run/ >/dev/shm/.ptmx && cd /dev/shm/ >/run/.ptmx && cd /run/ >/jffs/.ptmx && cd /jffs/ >/jf... 1949

Top malware URLs


Threat assessment

Severity distribution

Hub-computed score (0-100) per attack: informational ≤ 1, low < 40, medium < 70, high < 90, critical ≥ 90. Older rows that pre-date scoring show as unscored.

Band | Count | Share
informational | 107354 | 36.8%
low | 101692 | 34.9%
medium | 19061 | 6.5%
high | 63627 | 21.8%
critical | 8 | 0.0%

Top CVE references

CVE-IDs extracted from command summaries (and explicit firmware reports). Useful for spotting CVE-driven scanner waves.

No CVE references seen yet.

Top reverse-DNS suffixes

Last 2-3 labels of the PTR record per attacker IP. Local resolver only — no third-party intel feeds.

Suffix | Count
ny.adsl | 9682
mts-chita.ru | 7408
lionwire.com | 4480
fastcloud.id | 2717
secureserver.net | 1761
hinet.net | 1759
tronicsat.com | 1753
hostforweb.net | 1593
wateen.net | 1537
spryt.net | 1455
163data.com.cn | 1444
personaliseplus.com | 1416

Client fingerprints

Top client banners

Raw banner the attacker tool announced (e.g. SSH-2.0-libssh_0.9.6).

Banner | Count
SSH-2.0-Go | 72814
root | 25388
admin | 15935
SSH-2.0-PuTTY_Release_0.84 | 7429
SSH-2.0-libssh_0.9.6 | 4673
SSH-2.0-OpenSSH_7.4 | 3351
SSH-2.0-libssh2_1.8.1 | 3036
guest | 1431
super | 1304
support | 1141

Top HASSH fingerprints

MD5 over SSH client KEXINIT algorithm lists.

No HASSH fingerprints yet — firmware must capture and report.

Top JA3 fingerprints

MD5 over TLS ClientHello (only applicable when the listener speaks TLS).

No JA3 fingerprints yet — firmware must capture and report.

SSH probing

SSH key types

Algorithm of public keys offered before any password attempt.

Key type | Count | Share
ssh-rsa | 14 | 93.3%
ssh-ed25519 | 1 | 6.7%

Top SSH key fingerprints


Threat-intel reporting

Reported-to services

Where the firmware has already submitted these attacks (for cross-referencing — the hub does NOT re-submit).

Service | Count
otx | 32021

HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire