Here are a number of lists of IP addresses, usernames, and URLs that have been used against my servers and honeypots.


Creative Commons License
These blocklists are made available under the Creative Commons Attribution-ShareAlike 4.0 International License.

Naughty URLs in CSV format with source IP and date

URLs used by people testing my webservers for vulnerabilities.
Four columns: Source IP, Date, Protocol, URL.
Click to download

Naughty URLs with use count

URLs used by people testing my webservers for vulnerabilities. Not per IP or date, but smushed together with a count of occurrences.
Two columns: Occurrences, URL.
Click to download

Usernames used in brute-force attacks

Usernames used in password-guessing attacks.
Three columns: Number of attempts, Username, Protocol (telnet or ssh)
Click to download

IP sources of brute-force attacks

IPs that attempted password-guessing attacks.
Three columns: Source IP, Date, Protocol (telnet or ssh)
Click to download

Passwords in active use by Bruteforcers

Passwords that are being used by bruteforcers to try to log into my systems. Gathered using my pam_honeycreds PAM Module. If your password is in this list, you probably need to change it. Maybe you should use my Hashrat tool to generate strong passwords?
Two columns: Number of uses, Password
Click to download

Attempts to use the 'Shellshock' bug

IPs that attempted to compromise my webservers using the 'shellshock' vulnerability in the Unix bash shell.
Three columns: Source IP, Date, HTTP header that contains shellshock
Click to download