What is this site?

This site lets you verify if your IP address was seen doing something bad by our honeypots. If yes, it probably means that there is some malicious code running on it as a result of a successful break-in.

How does it work?

We check more than a thousand routers and observe whether attackers are trying to break into the system. As of now, we have seen more than 15 million IP addresses actively trying this and so we decided to provide this service.

For every attempt to log in to our honeypot we create a record of the attacker's IP address and the time. Then we compile this data into a database used by this website. It can tell you whether we have seen a specific IP address and, if so, when we saw it first, when we saw it last, and the overall number of attempts.

You say I am positive - what should I do?

Stay calm. IP addresses are not always a perfect way of identifying something on the Internet, especially when time is involved. While you should certainly investigate the possibility that your device has been compromised, there is a chance that you are clean. The IP address we observe might be the address of a router in front of your device doing NAT. In such a case, the attack might have come from a different device behind the same NAT, not your device. Also, IP addresses change with time. You might be assigned a different IP address by your provider every week. Therefore, have a look at the times of the first and last activity we report and determine if it is likely that your device had the same IP address at that time.

Good, I test negative

Great! But please keep in mind that what we check is very limited. We do not do any antivirus scans, nor any other active test of your device or IP address. We just have not seen any activity from your IP address in our honeypot. While a positive result is certainly a reason for investigation, a negative result cannot be taken as proof of device security. Also keep in mind that we see tens of thousands of new IP addresses every day :(.

Web API

We provide a simple web API which can be used to check whether a given IP address is present in our list.

You need to have an account to use our web API. You can register using our registration page. Note that a valid email address has to be provided to pass through the registration.

If you already have a valid account, you need to log in to obtain a valid web API token.

Record types

SSH honeypot (ssh): Established connections from examined IP address to one of our SSH honeypots.
Telnet 23 (telnet): Login attempts to our telnet honeypots (port 23).
Telnet 2323 (telnet_alt): Login attempts to our telnet honeypots (port 2323).
Http 80 (http): Number of requests to our http honeypots (port 80).
Http 8080 (http_proxy): Number of requests to our http honeypots (port 8080).
Http 3128 (squid_http_proxy): Number of requests to our http honeypots (port 3128). Port 3128 is commonly used as a http proxy (squid).
Http 8123 (polipo_http_proxy): Number of requests to our http honeypots (port 8123). Port 8123 is commonly used as a http proxy (polipo).

About us

This website was created by CZ.NIC, the .CZ domain registry, based on results from honeypots installed as part of the Turris project. To learn more about the project, visit its website.