🤖 I run a deception platform — fake admin panels, fake .env files, fake everything. Most bots bounce off it and move on.

ClaudeBot moved in.

Over nine days it sent more requests to one subdirectory than every other bot on my entire infrastructure had sent in the previous five months. 170,000 verified hits. ~12GB of fabricated breach data served. Still going.

The twist: it wasn't ignoring robots.txt. Every disallowed directory sat untouched for six months. It found the one path I forgot to protect — /uploads/ — which happened to serve a directory listing with five freshly-randomised filenames as links. Every visit generated five new links. Every link generated five more. A maze that rebuilt itself on every step, and a polite, well-behaved crawler that just... never stopped walking it.

I cross-checked every IP. Verified against Anthropic's published list. Found 30 impostors rotating fake Anthropic identities in the noise. Then I pulled two levers in the same week — Cloudflare's AI bot mode on most of the estate, real canary tokens on the trap — and watched what happened.

Does ClaudeBot behave well? The data has a nuanced answer.

👉 https://mire.cc/claudebot-fell-in-love/

#infosec #deception #ClaudeBot #honeypot #robotstxt #AI #crawlers #MIRE #blueteam

🕵️ Shady IP of the day
🕵️ **The Vodafone CVE Backpacker**
178.27.61.137 🇩🇪 (AS3209)

📋 Specialties:
• Apache path traversal (CVE-2021-41773/42013)
• ThinkPHP RCE (2018)
• PHPUnit (CVE-2017-9841)
• UA: `libredtail-http`

It encodes `..` as `%%32%65` to stay discreet.
Spoiler: our honeypot figured it out anyway 🍯

#honeypot #infosec #threatintel

🍯 Detected by the CyberVeille.ch honeypot
🗺️ https://cyberveille.ch/map/

🌍 Pew Pew CH (Infomaniak) — Honeypot

Real-time map of attacks detected by CrowdSec on the CyberVeille server (Infomaniak, Switzerland). Data from the last 24 hours.

CyberVeille

2026-06-18 RDP #Honeypot IOCs - 69 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
45.142.193.145 - 12
205.210.31.146 - 9
198.235.24.206 - 9

Top ASNs:
AS396982 - 36
AS214295 - 12
AS6939 - 6

Top Accounts:
Test - 12
zgrab - 9
MAVJnwrOh - 3

Top ISPs:
Google LLC - 36
Skynet Network LTD - 12
Hurricane Electric LLC - 6

Top Clients:
Unknown - 69

Top Software:
Unknown - 69

Top Keyboards:
Unknown - 69

Top IP Classification:
hosting - 48
Unknown - 15
hosting & proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-18 RDP #Honeypot IOCs - 46 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
45.142.193.145 - 8
205.210.31.146 - 6
198.235.24.206 - 6

Top ASNs:
AS396982 - 24
AS214295 - 8
AS6939 - 4

Top Accounts:
Test - 8
zgrab - 6
MAVJnwrOh - 2

Top ISPs:
Google LLC - 24
Skynet Network LTD - 8
Hurricane Electric LLC - 4

Top Clients:
Unknown - 46

Top Software:
Unknown - 46

Top Keyboards:
Unknown - 46

Top IP Classification:
hosting - 32
Unknown - 10
hosting & proxy - 4

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-18 RDP #Honeypot IOCs - 23 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
45.142.193.145 - 4
205.210.31.146 - 3
198.235.24.206 - 3

Top ASNs:
AS396982 - 12
AS214295 - 4
AS6939 - 2

Top Accounts:
Test - 4
zgrab - 3
MAVJnwrOh - 1

Top ISPs:
Google LLC - 12
Skynet Network LTD - 4
Hurricane Electric LLC - 2

Top Clients:
Unknown - 23

Top Software:
Unknown - 23

Top Keyboards:
Unknown - 23

Top IP Classification:
hosting - 16
Unknown - 5
hosting & proxy - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

🕵️ Shady IP of the day
🎭 Profile: "The Path-Traversal Tourist from Shanghai"

📍 112.18.182.202 | AS9808 China Mobile
⚔️ 3 strikes: CVE-2021-41773/42013 + CVE-2017-9841
🎯 Apache path traversal & PHPUnit RCE
🕵️ UA: libredtail-http (a tool, not a human)

Encodes its `..` as `%%32%65` as if our honeypot were colour-blind. Spoiler: it isn't. 🍯

#honeypot #infosec #threatintel

🍯 Detected by the CyberVeille.ch honeypot
🗺️ https://cyberveille.ch/map/

2026-06-17 RDP #Honeypot IOCs - 3465 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
209.145.52.33 - 3273
172.234.84.213 - 102
159.223.238.255 - 30

Top ASNs:
AS40021 - 3273
AS63949 - 102
AS14061 - 30

Top Accounts:
hello - 3414
Test - 12
KQgUAWRGb - 3

Top ISPs:
Contabo Inc. - 3273
Akamai Technologies, Inc. - 102
DigitalOcean, LLC - 30

Top Clients:
Unknown - 3465

Top Software:
Unknown - 3465

Top Keyboards:
Unknown - 3465

Top IP Classification:
Unknown - 3294
hosting - 165
hosting & proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-17 RDP #Honeypot IOCs - 2310 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
209.145.52.33 - 2182
172.234.84.213 - 68
159.223.238.255 - 20

Top ASNs:
AS40021 - 2182
AS63949 - 68
AS14061 - 20

Top Accounts:
hello - 2276
Test - 8
KQgUAWRGb - 2

Top ISPs:
Contabo Inc. - 2182
Akamai Technologies, Inc. - 68
DigitalOcean, LLC - 20

Top Clients:
Unknown - 2310

Top Software:
Unknown - 2310

Top Keyboards:
Unknown - 2310

Top IP Classification:
Unknown - 2196
hosting - 110
hosting & proxy - 4

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-17 RDP #Honeypot IOCs - 1155 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
209.145.52.33 - 1091
172.234.84.213 - 34
159.223.238.255 - 10

Top ASNs:
AS40021 - 1091
AS63949 - 34
AS14061 - 10

Top Accounts:
hello - 1138
Test - 4
KQgUAWRGb - 1

Top ISPs:
Contabo Inc. - 1091
Akamai Technologies, Inc. - 34
DigitalOcean, LLC - 10

Top Clients:
Unknown - 1155

Top Software:
Unknown - 1155

Top Keyboards:
Unknown - 1155

Top IP Classification:
Unknown - 1098
hosting - 55
hosting & proxy - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
Bad API request, invalid api_dev_key

#CyberSec #SOC #Blueteam #SecOps #Security

🕵️ Shady IP of the day
🕵️ Suspect profile: "The PureVoltage Path Traversal"

📍 91.229.105.132 (🇺🇸 AS26548)
💥 CVE-2021-41773 & 42013 — Apache path traversal via double URL encoding
🎯 Target: /cgi-bin/%%32%65... → tries to reach /bin/sh

In short: it knocks on Apache's door wearing a disguise of hexadecimal dots. Not very discreet. 🐝

#honeypot #infosec #threatintel

🍯 Detected by the CyberVeille.ch honeypot
🗺️ https://cyberveille.ch/map/
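
A defender-side sketch of how a honeypot or log pipeline can see through the `%%32%65` encoding mentioned in the `libredtail-http` posts and the double-URL-encoding post above: percent-decode until the path stops changing, then look for whole `..` segments. This is an added example, not CyberVeille's or CrowdSec's code; the function names, the decode cap and the sample requests (documentation-range IPs) are constructed assumptions.

```python
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: cap on decode passes, so nested encoding cannot loop us

# Constructed sample requests (ip, path, user agent); IPs are documentation ranges.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/index.html", "Mozilla/5.0"),
    ("203.0.113.11", "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh", "libredtail-http"),
    ("203.0.113.12", "/static/.%2e/.%2e/secret.txt", "curl/8.0"),
    ("203.0.113.13", "/docs/100%25-coverage.html", "Mozilla/5.0"),
    ("203.0.113.14", "/files/report..final.pdf", "Mozilla/5.0"),
]

def decode_fully(path, max_rounds=MAX_ROUNDS):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)  # "%%32%65" -> "%2e" -> "."
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(path):
    """Return (verdict, decoded_path) for one raw request path."""
    decoded, rounds = decode_fully(path)
    # Only a whole ".." segment counts; "report..final.pdf" is a normal filename.
    traversal = ".." in re.split(r"[/\\]", decoded)
    if not traversal:
        return "clean", decoded
    if rounds >= 2:
        return "double-encoded-traversal", decoded
    return ("encoded-traversal" if rounds == 1 else "plain-traversal"), decoded

def scan(requests):
    """Return (ip, user_agent, verdict, decoded_path) for every non-clean request."""
    hits = []
    for ip, path, ua in requests:
        verdict, decoded = classify(path)
        if verdict != "clean":
            hits.append((ip, ua, verdict, decoded))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Matching on the decoded path rather than on the literal `%%32%65` string also catches the single-encoded and mixed-case variants of the same request.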
