An analysis of how internet scanners are targeting AI infrastructure


HoneyLabs blog · 2026-05-28

What scanners are actually trying against AI infrastructure

Three weeks of one Dutch ASN sending 3,861 hits at Anthropic-proxy paths. Port 11434 (Ollama) holding 50-80 distinct source IPs per week since March. A single 45-minute sweep from one IP that lists credential paths for Claude, Codex, Gemini, DeepSeek, DashScope, AWS, Azure, Docker, and shell history.

What stood out

Between May 5 and May 27 a single Dutch ASN (Pfcloud UG, AS51396) sent 3,861 requests at two URL paths on our sensors:

/anthropic/v1/models         2,013 hits
/proxy/anthropic/v1/models   1,848 hits

Both of those paths are the shape that a reverse proxy in front of api.anthropic.com would expose. The scanner does not bother sending a Bearer token because it only cares whether the host responds at all, which is the cheap way to enumerate misconfigured proxies that hold a real Anthropic key and forward anything you send through them. Three source IPs participated, all sitting in the same /20 of Pfcloud's NL allocation, one of them (176.65.148.177) carrying the rDNS anondrop.net. Every single request used the user-agent Mozilla/5.0 (compatible; scanner/1.0). You can pull the cluster up at /asn/51396 and watch it continue.

Ollama at scale

Port 11434 is the loudest AI-flavoured target we see, mostly because the default Ollama install binds to 0.0.0.0 with no auth, and the wordlists have caught up. Over the last 30 days:

Probe path                          Hits   Distinct IPs
/api/tags                            129             31
/api/generate                         13
/api/ps
/api/pull
/ (banner check on 11434)            248            120
no path, raw TCP probe on 11434      549             95

/api/tags is the discovery probe and returns the list of models loaded into the server with no authentication required. The one we keep an eye on is /api/pull, which on an open Ollama instance lets any caller ask the server to download an arbitrary model from any registry the server can reach, including a custom GGUF the attacker controls. Only one probe of that path landed in our window, but it is sitting in the wordlist now and the volume on the other endpoints suggests it will get exercised soon.

Weekly distinct source IPs hitting port 11434 over the last 14 weeks:

2026-02-22   5 IPs  ▌
2026-03-01  72 IPs  █████████████████████
2026-03-08  85 IPs  █████████████████████████
2026-03-15  57 IPs  ████████████████
2026-03-22  69 IPs  ████████████████████
2026-03-29  57 IPs  ████████████████
2026-04-05  54 IPs  ███████████████
2026-04-12  69 IPs  ████████████████████
2026-04-19  44 IPs  █████████████
2026-04-26  52 IPs  ███████████████
2026-05-03  60 IPs  █████████████████
2026-05-10  67 IPs  ███████████████████
2026-05-17  35 IPs  ██████████
2026-05-24  27 IPs  ████████

Port 11434 went from a handful of probers a week in late February to a steady 50-80 distinct sources per week starting the first week of March 2026, and it has held in that band since. The recent dip in the last two weeks is at least partially an artefact of our snapshot ending mid-week. Either way, the port is now embedded in whatever rotation the broad-spectrum internet scanners are running.

A focused AI-credential sweep

The most interesting single actor in our 90-day window is 183.81.169.236, hosted on Amarutu Technology Ltd (NL). On May 18, between 09:27 and 10:12 UTC, that IP ran a 45-minute coordinated sweep across our sensors using one wordlist that hit every interesting credential-storage convention used by modern AI tooling. The AI-relevant subset of what they tried:

/.claude/settings.json
/.claude/.credentials.json
/.claude/credentials.json
/.claude/config.json
/.claude/settings.local.json
/.claude/history.jsonl
/.claude/claude.md
/.claude.json
/root/.claude/.credentials.json
/root/.claude/claude.md
/root/.claude.json
/.anthropic/api_key
/.anthropic/config.json
/.config/anthropic/config.json
/claude_desktop_config.json
/.codex/auth.json
/.gemini/settings.json
/.deepseek/config.json
/.dashscope/api_key
/.openclaw/openclaw.json
/root/.nerve/.env
/root/.nerve/config.yaml
/root/.openclaw/.env

The coverage there spans Anthropic's first-party tooling (Claude Code, Claude Desktop, the Anthropic SDK conventions), OpenAI's Codex CLI (.codex/auth.json), Google's Gemini CLI (.gemini/settings.json), DeepSeek (.deepseek/config.json), Alibaba's DashScope (.dashscope/api_key), and at least two AI agent frameworks I had to look up (nerve and openclaw).

The same IP, in the same sweep, also went after the rest of the modern development environment:

/root/.aws/credentials
/root/.aws/config
/root/.aws/credentials.backup
/root/.aws/sso/cache/
/.aws/credentials
/.azure/credentials
/.docker/config.json
/docker-compose.yaml
/root/.ssh/id_rsa
/.ssh/known_hosts
/root/.bash_history
/root/.zsh_history
/root/.wallet-env
/credentials.json
/.credentials.json
/.env.development
/actuator/configprops
/instance/app.sqlite

What this tells you is the practical shape of opportunistic credential hunting in 2026. AI-provider API keys now sit in the wordlist alongside AWS, Azure, Docker, SSH, and shell history,...
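The three probe families described above (the Anthropic-proxy enumeration, the Ollama API calls, and the credential-path sweep) are easy to pick out of ordinary web-server access logs. The script below is an added example, not HoneyLabs' own tooling; it classifies combined-format log lines with path patterns taken from the post's lists and summarises matching traffic per source IP. The log lines and IPs are constructed (documentation address ranges), and the rule labels are my own names.

```python
"""Classify access-log lines for the AI-infrastructure probes the post
describes and summarise them per source IP. Sample lines are constructed."""
import re
from collections import defaultdict

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Path patterns derived from the post's tables; first matching rule wins.
RULES = [
    ("anthropic_proxy_probe", re.compile(r"^/(proxy/)?anthropic/v1/models$")),
    ("ollama_api_probe", re.compile(r"^/api/(tags|generate|ps|pull)$")),
    ("ai_credential_path", re.compile(
        r"^(/root)?/\.(claude|anthropic|codex|gemini|deepseek|dashscope|openclaw|nerve)(/|\.json$)"
        r"|^/claude_desktop_config\.json$|^/\.config/anthropic/")),
    ("dev_credential_path", re.compile(
        r"^(/root)?/\.(aws|azure|docker|ssh)/|^(/root)?/\.(bash|zsh)_history$"
        r"|^/\.?credentials\.json$|^/\.env\b")),
]

def classify(path: str):
    """Return the rule label for a request path, or None if it is not a known probe."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return None

def summarize(lines):
    """Return {ip: {"hits": n, "categories": set, "uas": set}} for matching lines only."""
    report = defaultdict(lambda: {"hits": 0, "categories": set(), "uas": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        label = classify(m["path"])
        if label is None:
            continue  # ordinary traffic
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["categories"].add(label)
        entry["uas"].add(m["ua"])
    return dict(report)

# Constructed sample lines; the IPs are documentation ranges, not the post's.
SAMPLE = [
    '203.0.113.5 - - [18/May/2026:09:27:03 +0000] "GET /.claude/.credentials.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/May/2026:09:27:04 +0000] "GET /root/.aws/credentials HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2026:11:02:10 +0000] "GET /proxy/anthropic/v1/models HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner/1.0)"',
    '198.51.100.7 - - [20/May/2026:11:02:11 +0000] "GET /anthropic/v1/models HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner/1.0)"',
    '192.0.2.9 - - [21/May/2026:03:14:00 +0000] "GET /api/tags HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '192.0.2.9 - - [21/May/2026:03:14:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE).items():
        print(ip, entry["hits"], sorted(entry["categories"]), sorted(entry["uas"]))
```

A source that trips more than one category in a single sweep, like the first sample IP, is the pattern the post's 45-minute credential sweep would leave behind.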
