Earlier today I was prompted to use a CAPTCHA—because of suspicious search activity—when doing a Google search, so I assumed either a PC on my network had a virus or something.
After poking around I noticed—from my router logs—that there were tons of connections to my Raspberry Pi that I had set up as a web server—port forwarded to 80 and 22—so I pulled the card, turned off that port forward and re-imaged it, this time as a “honey pot”, and the results are very interesting.
The honey pot is reporting that there are successful attempts to log in with the username/pass combination pi/raspberry, and logs the IPs—these are coming in almost every second—and some of the IPs, when I investigate, are supposed to be Google’s IPs.
So I don’t know what they are doing, if it is supposed “white hat” stuff, or whatever. It seems like that is an illegal intrusion. They aren’t doing anything after they log in.
Here is an example IP address: 23.236.57.199