recently I looked in some honeypot results – ending in finding of the URL
http://185.62.190.222/r1
(Warning: without the /r1 you are forced into a fake Adobe update).
Looking around further I found (besides some scanner-tools, code..) two files stage1 and stage2 under the subdir /r4 , containing about 7000 username:password:ip-address combinations. And yes, I found some of my honeypot addresses in there 🙂 Though I am pretty sure that most of the addresses will be honeypots I will try to send out mails to the appropriate abuse-contacts; maybe some of them are for real.