Compromised MikroTik Routers Used as Proxy Nodes — Caught Using My Honeypot to Check Their Own IP
Overview

On April 2, 2026, my Cowrie SSH honeypot logged an unusual pattern — two source IPs attempting to use the honeypot as a proxy to reach ip-who.com, a service that returns the caller’s external IP address in JSON format. This is not attack behavior. This is operational security behavior — a compromised node checking what IP address it appears to be using.

Investigation revealed both IPs are compromised MikroTik routers on Vietnamese residential ISP infrastructure. A third IP from the same session window — a Dutch scanner with 116,618 AbuseIPDB reports — attempted to tunnel to Cloudflare’s TURN server infrastructure, suggesting a separate actor testing WebRTC-based connectivity through the honeypot. ...
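One way to surface this pattern from a Cowrie JSON log, as an added example that is not code from the original post: it groups SSH port-forward requests by source IP and separates "what is my IP" lookups from TURN-port tunnels. It assumes the proxy attempts appear as Cowrie `cowrie.direct-tcpip.request` events with `src_ip`, `dst_ip` and `dst_port` fields; the sample events, the documentation-range IPs, `turn.example.net` and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: hostnames of "what is my IP" services to watch for; only
# ip-who.com comes from the post, extend the set for your own sensor.
IP_ECHO_HOSTS = {"ip-who.com"}
TURN_PORTS = {3478, 5349}  # standard STUN/TURN ports (plain and TLS)

# Constructed sample events in Cowrie's JSON log shape (documentation IPs).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.success","src_ip":"192.0.2.10","session":"a1","username":"root"}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"192.0.2.10","session":"a1","dst_ip":"ip-who.com","dst_port":443}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"198.51.100.7","session":"b2","dst_ip":"ip-who.com","dst_port":443}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.5","session":"c3","dst_ip":"turn.example.net","dst_port":3478}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.5","session":"c3","dst_ip":"mail.example.org","dst_port":25}
this line is truncated {"eventid":
"""

def classify(dst_host, dst_port):
    host = dst_host.lower().rstrip(".")
    if host in IP_ECHO_HOSTS or any(host.endswith("." + h) for h in IP_ECHO_HOSTS):
        return "ip-echo-check"
    if dst_port in TURN_PORTS:
        return "turn-relay-test"
    return "other-forward"

def summarize(lines):
    """Return {src_ip: {label: set of (host, port)}} for forward requests."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or rotated-mid-write lines
        if not isinstance(ev, dict) or ev.get("eventid") != "cowrie.direct-tcpip.request":
            continue
        host, port = str(ev.get("dst_ip", "")), int(ev.get("dst_port", 0))
        out[ev.get("src_ip", "?")][classify(host, port)].add((host, port))
    return {ip: dict(labels) for ip, labels in out.items()}

def proxy_self_checkers(summary):
    """Source IPs whose forward requests were only IP-echo lookups."""
    return sorted(ip for ip, labels in summary.items() if set(labels) == {"ip-echo-check"})

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(proxy_self_checkers(s))
    for ip, labels in s.items():
        print(ip, {k: sorted(v) for k, v in labels.items()})
```

A source that only ever asks for an IP-echo service is a candidate for the proxy-node self-check described above; the TURN-port label is a port heuristic and should be confirmed against the destination before attributing it.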