You are reading this page as we have detected unauthorized access to our monitoring system (honeypot) and we believe it is related to you.
This is part of a research experiment on effective notification. It would be great if you could help our study by answering the following questions.
With the increase in devices connected to the Internet, the threats caused by cyberattacks are increasing. Besides observation and analysis of these attacks, notification of the affected users is becoming increasingly important. The most common way to identify the contact point for notification is WHOIS, a service that allows any Internet user to view information about the domain registrant or the organization to which an IP address is assigned. However, direct contact points may be hidden for privacy reasons, or the data may simply be outdated. In this research, we investigate how to enrich contact information for the IP addresses to be notified.
We try to notify relevant parties of the IP addresses that our honeypot detected unauthorized access from.
We obtain contact points in the following 5 ways.
We search the target IP address in the WHOIS database and obtain contact Email addresses.
We access "http://<Target IP address>/" and the contact page of the website automatically with Google Chrome, and extract Email addresses and links to social media accounts from these pages. We also use a web contact form if the contact page includes one.
We obtain domains that correspond to the observed IP address from a passive DNS database (https://www.dnsdb.info/), and use the domains as the target of notification.
We search the domain in the WHOIS database and obtain contact Email addresses.
We access "http://<Host Name including Target Domain>/" and the contact page of the website automatically with Google Chrome, and extract Email addresses and links to social media accounts from these pages. We also use a web contact form if the contact page includes one.
We search the domain in the Email address database (https://hunter.io/search) and obtain corresponding Email addresses.
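An added example, not the study's own tooling, of the extraction step in the methods above: it pulls e-mail addresses from WHOIS text (abuse contacts first) and e-mail addresses, social media links and contact-page links from a fetched page. The sample inputs, the `SOCIAL_HOSTS` list and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs (example domains, not real records).
WHOIS_TEXT = """\
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
remarks:        report incidents to abuse@example.net
"""
HTML_PAGE = """\
<a href="mailto:Support@Example.net?subject=hi">Mail us</a>
<a href="https://twitter.com/example_net">Twitter</a>
<a href="/contact">Contact</a>
<p>Sales: sales@example.net</p>
"""
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SOCIAL_HOSTS = ("twitter.com", "facebook.com", "linkedin.com")  # assumed list

def whois_emails(text):
    """Emails found in WHOIS text, abuse contacts first, de-duplicated."""
    abuse, other = [], []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        for addr in map(str.lower, EMAIL_RE.findall(value)):
            if addr not in abuse + other:
                is_abuse = "abuse" in key.lower() or addr.startswith("abuse@")
                (abuse if is_abuse else other).append(addr)
    return abuse + other

class ContactParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.emails, self.social, self.contact_pages = set(), set(), set()
    def handle_starttag(self, tag, attrs):
        # Only anchor tags carry links of interest; anything else yields "".
        href = (dict(attrs).get("href") or "") if tag == "a" else ""
        host = (urlparse(href).hostname or "").lower()
        if href.lower().startswith("mailto:"):
            self.emails.update(map(str.lower, EMAIL_RE.findall(href)))
        elif any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS):
            self.social.add(href)
        elif "contact" in href.lower():
            self.contact_pages.add(href)  # candidate contact page to visit next
    def handle_data(self, data):
        self.emails.update(map(str.lower, EMAIL_RE.findall(data)))

def page_contacts(html):
    parser = ContactParser()
    parser.feed(html)
    return sorted(parser.emails), sorted(parser.social), sorted(parser.contact_pages)
```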
To evaluate the effectiveness of the security notification, we send notification messages to these contact points from the following contacts:
We notify the relevant parties of the IP addresses that attempted to log in to our honeypot several times. We understand that some of you may have scanned our honeypot for non-intrusive purposes, but the honeypot treated the scan as a login attempt. If you are not aware of this access to our system, your host may be infected with malware. We can provide more information upon request. Thank you for your cooperation.