This map visualizes the geographic origins of unauthorized access attempts against the kather.ai research infrastructure. All attacks shown were successfully blocked.
SSH brute-force attempts are extracted from auth.log (failed password and invalid user entries). Web vulnerability scans are identified from nginx access logs by filtering for known exploit paths, automated scanner signatures, and anomalous request patterns.
IP addresses are mapped to approximate geographic coordinates using the MaxMind GeoLite2 database. Locations represent the ISP or data center, not necessarily the true attacker origin—many IPs belong to cloud providers and VPN services.
Each dot represents one unique IP address. Repeat offenders are counted once. IPs appearing in both SSH and web logs are shown in amber. Country and ISP statistics are aggregated from the deduplicated IP list.
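The extraction and deduplication steps described above, sketched as an added example (not the project's own code). The log lines are constructed, the path and user-agent filter lists are assumptions because the page does not publish its own, and anomalous-pattern detection is left out. An IP classified as `both` corresponds to an amber dot.

```python
import ipaddress
import re

# Constructed sample lines (documentation IP ranges), not real log data.
AUTH_LOG = """\
Jan 10 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:04 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
Jan 10 03:15:44 host sshd[902]: Invalid user x from 192.0.2.200 port 1 from 198.51.100.23 port 51514
Jan 10 03:20:10 host sshd[950]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2
"""
NGINX_LOG = """\
203.0.113.7 - - [10/Jan/2025:03:13:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.5.0"
192.0.2.99 - - [10/Jan/2025:03:14:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2025:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Jan/2025:03:17:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
"""
# Assumed filter lists for illustration; the page does not publish its own.
SCAN_PATHS = ("/.env", "/.git/", "/wp-login.php", "/phpmyadmin")
SCANNER_UAS = ("zgrab", "masscan", "nikto")
# Username is client-supplied: greedy ".*" binds to the LAST "from <ip> port <n>".
SSH_RE = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) .* from (\S+) port \d+")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def ssh_ips(text):
    hits = (SSH_RE.search(line) for line in text.splitlines())
    return {m.group(1) for m in hits if m and _is_ip(m.group(1))}

def web_ips(text):
    found = set()
    for m in filter(None, map(WEB_RE.match, text.splitlines())):
        ip, path, agent = m.groups()
        if _is_ip(ip) and (path.lower().startswith(SCAN_PATHS)
                           or any(s in agent.lower() for s in SCANNER_UAS)):
            found.add(ip)
    return found

def classify(auth_text, web_text):
    ssh, web = ssh_ips(auth_text), web_ips(web_text)
    return {ip: "both" if ip in ssh & web else "ssh" if ip in ssh else "web" for ip in ssh | web}

if __name__ == "__main__":
    print(sorted(classify(AUTH_LOG, NGINX_LOG).items()))
```

The third auth.log line carries a username containing a decoy `from 192.0.2.200 port 1`; the parser attributes the attempt to the address sshd appended at the end of the line.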
Research project by Kather Lab, TU Dresden.