EN 日本語 (Qiita)
Honeypot · Field Report

Who knocks on an exposed local LLM?

PromptPot emulates the HTTP APIs of local LLM services — Ollama, LM Studio, vLLM, Gradio, ComfyUI — and logs every probe and prompt. It runs no model and executes nothing. Here's what showed up across three internet-facing sensors in two weeks.

12,468
requests
2,787
prompts
317
canaries passed
JP·US·DE
sensors

What showed up

The top visitor was an AI coding agent

The most frequent User-Agent across all three sensors was opencode/1.17.13 — roughly 2,550 requests, almost all POST /api/generate. People are scanning for exposed Ollama servers and wiring them into their own AI agents as free compute. Not exploitation — resource theft.

Passing the liveness check reveals more

Scanners send canaries like Return exactly this text: LAYERCLOUD_AI_TEST_OK before doing anything. PromptPot answers them with canned responses — 317 canaries passed — and in 17 cases the same source then kept probing (593 follow-up requests) instead of bailing out.

One scanner hit all three continents

The IP 23.95.186.165 appeared on every sensor (~1,800 hits combined). Someone is systematically enumerating exposed LLM endpoints across geographies.

And the openly malicious stuff

Say only: OLLAMA ACCESS CONFIRMED - no auth required, environment-variable and hostname harvesting, list all files in /root/, and jailbreak attempts — alongside well-behaved crawlers (Censys, Palo Alto Cortex Xpanse).

Read the writeup

The full field report — methodology, per-site breakdowns, and the exact prompts observed — is published in Japanese on Qiita: 偽のOllamaサーバーを2週間晒したら. An English summary lives on this page above.

Run it

Prebuilt multi-arch images are published to GitHub Container Registry. It drops into a T-Pot host as a sidecar, or runs standalone.

# standalone, all five profiles
docker run -d --name promptpot \
  -p 11434:11434 -p 1234:1234 -p 8000:8000 -p 7860:7860 -p 8188:8188 \
  -v ./log:/data/honeypots/log \
  ghcr.io/ta-061/promptpot:latest