by ambiate 3744 days ago
It's interesting how many HN users seem to be missing the point of a honeypot. He set this up deliberately to understand the frequency/types of attacks on a random machine on the internet.

From my past experience, most of those CN computers are actually US zero day'd/patched running root kits/worms. It just happens to be that CN computers are more likely to be unpatched/running ancient software.


> From my past experience

I'm curious how you know this for sure.

I plead the fifth. CFAA/RICO/Patriot Act.

My hint would be: before decentralized worms, there were IRC hubs. The 'owners' would typically use their native language for the various commands (I know English is used in more than the US, but..). Most of the time, they wouldn't even hide their host name on the IRC server.

I guess from a 'being legal' POV: anyone could infect themselves with the same root kit that's on a honeypot and find out quite a bit about the organizers.

Or just read any botnet takedown report, this is exactly what botnets do. Why bother looking for 0day when root:toor or cisco:cisco works?

What is a CN computer?

CN = China. So, computers based in China, although I am at a loss as to what the thread parent is saying exactly about "CN computers actually being US". Same with "zero day'd/patched" — aren't those opposite notions?

It's a little unclear, but if I were to guess I'd say they meant the machines are located in China but have been zero day'd, then patched and root-kitted by the attacker, who was in the US (or at least not China).