Stats · HoneyMire Hub

Public stats

Aggregate attack telemetry from users who opted into the public feed. Auto-refreshes every 30s.

Total attacks291,742all-time

Attacks 24h6,796last 24 hours

Unique attackers13,425802 in 24h

Returning attackers4,52033.7% of uniques

Auth success rate97.4%182,704 of 187,505 known

Avg commands5.3per session

Avg session1.1 minduration

Public reporters1opted-in users

World coverage15.0%3/20 areas

Countries covered4honeypot locations

Public honeypots55 online · 0 offline

Commands captured825,016across all sessions

Avg severity3063,635 high/critical

CVE attempts0CVE-ID references seen

Pre-session probes11,478,699connects before sessions

Bandwidth in53.4 MiBfrom attackers

Bandwidth out70.4 MiBhoneypot replies

Avg response4 mshoneypot latency

Activity over time

Attacks per hour

Last 24 hours, hourly buckets.

Attacks per day

Last 7 days, midnight-UTC buckets.

06-23

06-24

06-25

06-26

06-27

06-28

06-29

Time of day (UTC)

All-time activity by UTC hour — when attackers hit the hub.

Time of day (attacker-local)

All-time activity by hour in the attacker's local time, approximated from their country code (DST ignored).

Day of week (UTC)

All-time activity by UTC weekday.

Sun

Mon

Tue

Wed

Thu

Fri

Sat

Honeypot fleet

World coverage

Coverage score is based on 20 practical deployment areas. One public honeypot in each area reaches 100%; extra honeypots add resilience but do not inflate the score.

Western Europe

North America - East

Southeast Asia

Honeypot countries

🇱🇺Luxembourg

🇫🇷France

🇸🇬Singapore

🇺🇸United States

Country	Honeypots
🇱🇺Luxembourg	2
🇫🇷France	1
🇸🇬Singapore	1
🇺🇸United States	1

Hardware boards

ESP32 variants reporting to public feeds.

docker-edge 4 80.0%

esp32-c3-supermini 1 20.0%

Board	Count
`docker-edge`	4
`esp32-c3-supermini`	1

Firmware versions

Firmware	Count
`0.1.0`	4
`1.1.0`	1

Sensors online/offline

Online = reported in the last 15 minutes.

online 5 100.0%

offline 0 0.0%

Sensor uptime distribution

How long each honeypot has been up since its last reboot, last reported by the firmware.

< 1 hour

7 – 30 days

Attack geography

Top source countries

🇨🇳China

65874

🇳🇱The Netherlands

46051

🇺🇸United States

38055

🇵🇰Pakistan

25425

🇷🇺Russia

8920

🇮🇳India

8268

🇵🇱Poland

7835

🇬🇧United Kingdom

7754

🇮🇷Iran

7671

🇮🇩Indonesia

6022

Country	Attacks
🇨🇳China	65874
🇳🇱The Netherlands	46051
🇺🇸United States	38055
🇵🇰Pakistan	25425
🇷🇺Russia	8920
🇮🇳India	8268
🇵🇱Poland	7835
🇬🇧United Kingdom	7754
🇮🇷Iran	7671
🇮🇩Indonesia	6022

Top target countries

🇱🇺Luxembourg

125374

🇫🇷France

65060

🇸🇬Singapore

53056

🇺🇸United States

48251

Country	Attacks
🇱🇺Luxembourg	125374
🇫🇷France	65060
🇸🇬Singapore	53056
🇺🇸United States	48251

Attacker → target countries

Attacker	Target	Count
🇨🇳China	🇱🇺Luxembourg	33264
🇵🇰Pakistan	🇱🇺Luxembourg	24800
🇳🇱The Netherlands	🇱🇺Luxembourg	16387
🇺🇸United States	🇱🇺Luxembourg	14790
🇳🇱The Netherlands	🇫🇷France	13396
🇳🇱The Netherlands	🇸🇬Singapore	13166
🇨🇳China	🇫🇷France	12988
🇨🇳China	🇺🇸United States	11389
🇺🇸United States	🇺🇸United States	9536
🇺🇸United States	🇫🇷France	9114
🇨🇳China	🇸🇬Singapore	8233
🇷🇺Russia	🇱🇺Luxembourg	8018
🇺🇸United States	🇸🇬Singapore	4615
🇮🇩Indonesia	🇫🇷France	3176
🇳🇱The Netherlands	🇺🇸United States	3102

Attack attributes

Protocol split

telnet 194634 66.7%

ssh 97108 33.3%

Top target ports

Destination port the attacker connected to on the honeypot. Inferred from protocol when not reported.

23 (telnet)

194634

22 (ssh)

97108

Authentication outcomes

Whether the honeypot let the attacker in (after its configured threshold).

authenticated 182704 62.6%

unknown 104237 35.7%

rejected 4801 1.6%

Attacker profiles

Behavioral classification from the firmware.

creds-only 135562 46.5%

mirai 82174 28.2%

scripted 68756 23.6%

creds-probe 4512 1.5%

iot-loader 504 0.2%

scanner 234 0.1%

Profile	Count
`creds-only`	135562
`mirai`	82174
`scripted`	68756
`creds-probe`	4512
`iot-loader`	504
`scanner`	234

Network / ASN

Top ASNs

ASN	Count
`AS47890 UNMANAGED LTD`	41734
`AS4837 CHINA UNICOM China169 Backbone`	25585
`AS4134 CHINANET BACKBONE`	22477
`AS14061 DigitalOcean, LLC`	22098
`AS9541 Cyber Internet Services (Pvt) Ltd.`	10499
`AS8359 MTS PJSC`	7448
`AS58224 Iran Telecommunication Company PJS`	6407
`AS200730 ISAEV Igor`	6115
`AS4134 CHINANET-BACKBONE`	5942
`AS138423 CMPak Limited`	4989

Network types

unknown 125891 43.2%

isp 83068 28.5%

residential 41703 14.3%

cdn 39715 13.6%

enterprise 1312 0.4%

education 52 0.0%

Type	Count
unknown	125891
isp	83068
residential	41703
cdn	39715
enterprise	1312
education	52

Top network providers

Provider	Count
Unmanaged LTD	41734
China Telecom	30559
China Unicom	25592
DigitalOcean	22101
Cyber Internet Services	10499
Mobile TeleSystems PJSC	7448
CMPak Limited	6645
ISAEV Igor	6115
BULLETGROUP	4928
Cogent Communications	4593

Target exposure by provider

Target ISP / network	Count
POST Luxembourg	65940
OVH SAS	65060
Servers.com, Inc.	59434
M247 Europe SRL	53057
HostPapa	48251

Network confidence

medium 165850 56.8%

low 125890 43.2%

unknown 1 0.0%

ASN → target countries

ASN	Target	Count
`AS4837 CHINA UNICOM China169 Backbone`	🇱🇺Luxembourg	20849
`AS47890 UNMANAGED LTD`	🇱🇺Luxembourg	15471
`AS47890 UNMANAGED LTD`	🇫🇷France	13112
`AS47890 UNMANAGED LTD`	🇸🇬Singapore	10745
`AS9541 Cyber Internet Services (Pvt) Ltd.`	🇱🇺Luxembourg	10285
`AS8359 MTS PJSC`	🇱🇺Luxembourg	7419
`AS4134 CHINANET BACKBONE`	🇺🇸United States	6734
`AS14061 DigitalOcean, LLC`	🇱🇺Luxembourg	6438
`AS4134 CHINANET BACKBONE`	🇫🇷France	6435
`AS14061 DigitalOcean, LLC`	🇫🇷France	5818
`AS4134 CHINANET BACKBONE`	🇱🇺Luxembourg	5334
`AS14061 DigitalOcean, LLC`	🇺🇸United States	5104
`AS138423 CMPak Limited`	🇱🇺Luxembourg	4941
`AS14061 DigitalOcean, LLC`	🇸🇬Singapore	4738
`AS398779 Ace Host, LLC`	🇱🇺Luxembourg	4480

ASN → target ASN

Attacker ASN	Target ASN	Count
`AS4837 CHINA UNICOM China169 Backbone`	`AS6661 POST Luxembourg`	19062
`AS47890 UNMANAGED LTD`	`AS7979 Servers.com, Inc.`	15471
`AS47890 UNMANAGED LTD`	`AS16276 OVH SAS`	13112
`AS47890 UNMANAGED LTD`	`AS9009 M247 Europe SRL`	10745
`AS9541 Cyber Internet Services (Pvt) Ltd.`	`AS6661 POST Luxembourg`	10088
`AS8359 MTS PJSC`	`AS6661 POST Luxembourg`	7407
`AS4134 CHINANET BACKBONE`	`AS36352 HostPapa`	6734
`AS4134 CHINANET BACKBONE`	`AS16276 OVH SAS`	6435
`AS14061 DigitalOcean, LLC`	`AS16276 OVH SAS`	5818
`AS4134 CHINANET BACKBONE`	`AS7979 Servers.com, Inc.`	5150
`AS14061 DigitalOcean, LLC`	`AS36352 HostPapa`	5104
`AS138423 CMPak Limited`	`AS6661 POST Luxembourg`	4884
`AS14061 DigitalOcean, LLC`	`AS7979 Servers.com, Inc.`	4774
`AS14061 DigitalOcean, LLC`	`AS9009 M247 Europe SRL`	4738
`AS398779 Ace Host, LLC`	`AS7979 Servers.com, Inc.`	4480

Network type → target countries

Network type	Target	Count
isp	🇱🇺Luxembourg	47961
unknown	🇱🇺Luxembourg	45246
unknown	🇫🇷France	31132
unknown	🇸🇬Singapore	27121
unknown	🇺🇸United States	22392
residential	🇱🇺Luxembourg	21475
cdn	🇫🇷France	14343
isp	🇫🇷France	12838
isp	🇺🇸United States	12140
cdn	🇱🇺Luxembourg	10400
isp	🇸🇬Singapore	10129
residential	🇸🇬Singapore	8611
cdn	🇺🇸United States	8534
residential	🇫🇷France	6571
cdn	🇸🇬Singapore	6438

Credentials & content

Top attacker IPs

Most active source addresses on the public feed.

IP	Count
`87.251.64.176`	6115
`80.94.92.128`	5381
`80.94.92.167`	5175
`80.94.92.177`	4697
`80.94.92.164`	4565
`80.94.92.187`	4553
`38.95.14.214`	4480
`104.131.69.242`	3390
`80.94.92.165`	2947
`103.102.153.9`	2717

Top credential pairs

Aggregated across public feeds.

user : pass	Count
`system:shell`	20951
`support:support`	7470
`0:0`	4828
`sol:sol`	3948
`root:`	3269
`admin:admin`	3055
`root:Zte521`	2989
`shell:sh`	2639
`solana:solana`	2264
`root:root`	1994

Top usernames

Aggregated across public feeds.

Username	Count
`root`	78272
`admin`	31688
`system`	21543
`sol`	10904
`support`	9063
`solana`	7697
`ubuntu`	6529
`default`	5381
`0`	4828
`guest`	4516

Top passwords

Aggregated across public feeds.

Password	Count
`shell`	20952
`123456`	9109
`support`	7473
`1234`	7342
`admin`	6110
`12345`	4964
`0`	4875
`sol`	4524
`12345678`	3411
`solana`	3098

Top command chains

Command chain	Count
`/bin/./uname -s -v -n -r -m`	38225
`sh /bin/busybox UNSTABLE`	14390
`uname -s -v -n -r -m`	10050
`export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH uname=$(uname -s -v -n -m 2>/dev/null) arch=$(uname -m 2>/dev/null) uptime=$(cat /proc/uptime 2>/d...`	5322
`cd ~; chattr -ia .ssh; lockr -ia .ssh`	5236
`uname -a`	3802
`sh`	3122
`start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd...`	2348
`start enable config terminal system linuxshell su shell sh >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd...`	2051
`sh >/tmp/.ptmx && cd /tmp/ >/var/tmp/.ptmx && cd /var/tmp/ >/var/run/.ptmx && cd /var/run/ >/dev/shm/.ptmx && cd /dev/shm/ >/run/.ptmx && cd /run/ >/jffs/.ptmx && cd /jffs/ >/jf...`	1949

Top malware URLs

URL	Count
`http://192.168.1.1:8088/i`	17091
`http://81.229.60.159:58639/i`	9438
`http://90.224.208.190:45821/i`	7044
`http://110.36.13.229:34353/i`	6153
`http://36.250.202.123:37861/i`	4782
`http://90.228.239.131:37930/i`	3846
`http://109.236.46.215:59913/i`	3723
`http://112.248.105.102:44168/i`	3498
`http://95.155.243.196:38537/i`	2529
`http://174.105.154.212:40964/i`	2427

Threat assessment

Severity distribution

Hub-computed score (0-100) per attack: informational ≤ 1, low < 40, medium < 70, high < 90, critical ≥ 90. Older rows that pre-date scoring show as unscored.

informational 107354 36.8%

low 101692 34.9%

medium 19061 6.5%

high 63627 21.8%

critical 8 0.0%

Band	Count
informational	107354
low	101692
medium	19061
high	63627
critical	8

Top CVE references

CVE-IDs extracted from command summaries (and explicit firmware reports). Useful for spotting CVE-driven scanner waves.

No CVE references seen yet.

Top reverse-DNS suffixes

Last 2-3 labels of the PTR record per attacker IP. Local resolver only — no third-party intel feeds.

Suffix	Count
`ny.adsl`	9682
`mts-chita.ru`	7408
`lionwire.com`	4480
`fastcloud.id`	2717
`secureserver.net`	1761
`hinet.net`	1759
`tronicsat.com`	1753
`hostforweb.net`	1593
`wateen.net`	1537
`spryt.net`	1455
`163data.com.cn`	1444
`personaliseplus.com`	1416

Client fingerprints

Top client banners

Raw banner the attacker tool announced (e.g. SSH-2.0-libssh_0.9.6).

Banner	Count
`SSH-2.0-Go`	72814
`root`	25388
`admin`	15935
`SSH-2.0-PuTTY_Release_0.84`	7429
`SSH-2.0-libssh_0.9.6`	4673
`SSH-2.0-OpenSSH_7.4`	3351
`SSH-2.0-libssh2_1.8.1`	3036
`guest`	1431
`super`	1304
`support`	1141

Top HASSH fingerprints

MD5 over SSH client KEXINIT algorithm lists.

No HASSH fingerprints yet — firmware must capture and report.

Top JA3 fingerprints

MD5 over TLS ClientHello (only applicable when the listener speaks TLS).

No JA3 fingerprints yet — firmware must capture and report.

SSH probing

SSH key types

Algorithm of public keys offered before any password attempt.

ssh-rsa 14 93.3%

ssh-ed25519 1 6.7%

Key type	Count
`ssh-rsa`	14
`ssh-ed25519`	1

Top SSH key fingerprints

Fingerprint	Count
`SHA256:WL+QR9x+2QKzI6U4Ks7LPXWa0Vb22vjSn0groO1Ao8k`	8
`SHA256:f2HQeWaKQsmlbtBgUTxZfhSKRYU54OtEtSRitoTmOp4`	3
`SHA256:TVLyd6EqeDPt6s0oQtYUYAUCygiABg6kAEGstS2pq7U`	2
`SHA256:pjD1AGDXnd8PXgnrLAv7WTkPeV0xGAL0xooPKb2uyFI`	1
`SHA256:Wv4u5KOGs5/xiDvId+VaJ36TLUAy1ACQMDZSt441gP8`	1

Threat-intel reporting

Reported-to services

Where the firmware has already submitted these attacks (for cross-referencing — the hub does NOT re-submit).

Service	Count
`otx`	32021

HoneyMire Hub · open feed: / · API: /api · docs: /docs · blocklists: /blocklists · about: /about · firmware: github.com/HoneyMire/HoneyMire