Running telnetlogger on my home IP

Published by Christian Mohn · Read in about 3 min (433 words)

Robert Graham of erratasec has created a small honeypot tool called telnetlogger.

This is a simple program to log login attempts on Telnet (port 23). It's designed to track the Mirai botnet. Right now (Oct 23, 2016) infected Mirai machines from around the world are trying to connect to Telnet on every IP address about once per minute. This program logs both which IP addresses are doing the attempts, and which passwords they are using.

For those still unaware of what the Mirai botnet is, it’s basically malware that scans for vulnerable devices with port 23 (telnet) open to the outside world, and tries to log on with known hardcoded credentials.

Compromised devices have then been used to launch some of the largest DDoS attacks seen to date. For more details, check out Breaking Down Mirai: An IoT DDoS Botnet Analysis and Double-dip Internet-of-Things botnet attack felt across the Internet

Photo credit:

Yes, Mirai is not your grandmothers botnet.

I figured it would be a nice little thing to try out, so I spun up a small Linux VM, compiled telnetlogger telnetlogger, ran it and opened inbound port 23 (telnet) on my firewall at home.

And guess what, it took all of 1 second before I saw the first connection attempt! I let the honeypot service run for a few hours (about 8 or so), and here are the results, as aggregated by HoneyCredIPTracker by Daniel Miessler

Top connection attempts, sorted by country #

36 TW

32 VN

28 BR

26 TR

22 IN

18 RU

14 UA

12 US

12 CN

8 PK

8 MX

8 FR

6 TT

6 PL

6 KR

4 TH

4 SE

4 RO

4 PY

4 MG

4 KH

4 IR

4 GB

4 CR

4 CA

Top Attempted Credentials #

415 root xc3511

410 root vizxv

385 root admin

255 admin password

250 admin admin

240 root root

235 root 888888

215 root 123456

175 root default

170 root juantech

170 root 54321

165 support support

155 root xmhdipc

130 admin admin1234

125 guest guest

120 root Zte521

120 root 12345

115 root klv123

100 admin smcadmin

95 root anko

90 root GM8182

90 root 1234

90 root 1111

80 root pass

75 guest 12345

In those 7 hours this was running, I saw a total of 15785 connection attempts, a connection attempt every 1.8 seconds - on average.

I guess it’s best to close port 23 again, for good this time.

Hat tip to a former colleague of mine, security afficionado and all around great guy Per Thorsheim for letting me know about this tool.

Post last updated on January 2, 2024: Add author

About is the digital home of Christian Mohn and Stine Elise Larsen.

The primary focus is on IT architecture and data center technologies like virtualization and related topics, but other content also pops up from time to time.