
Honeypot Threat Analysis — May 19, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today’s findings from our Raspberry Pi honeypots show a high level of attacker activity across multiple services. The SSH honeypot recorded over 2501 connections and more than 2357 login attempts, and attackers who got past the fake login executed approximately 65 unique commands in their captured sessions.

The Multi-Protocol honeypot registered nearly 48 thousand events across FTP, Telnet, MySQL, Redis, VNC, and Git, which points to broad, automated scanning for weak or exposed services rather than interest in any single protocol. The HTTP LLM honeypot saw just over 17 requests, indicating minimal activity there.

On the tarpit front, no attack patterns were recorded because the tarpit rules on ports 222/2200/8022/22222 were inactive, so no attackers were held or slowed on those ports today.

The severity level is rated as critical, emphasizing the importance of continuous monitoring and proactive measures against advanced threats.

Geographic Analysis

From the GeoIP data, we observe a diverse range of attack origins across several countries:

  • United States: 44 (33%)
  • Belgium: 17 (13%)
  • China: 12 (9%)
  • Unknown: 11 (8%)
  • Netherlands: 7 (5%)
  • Germany: 6 (4%)
  • Russian Federation: 4 (3%)
  • Hong Kong: 4 (3%)
  • Vietnam: 3 (2%)
  • Romania: 3 (2%)

This distribution underscores the international nature of cyber threats, highlighting the importance of a global approach in cybersecurity efforts.

SSH Brute Force Analysis

The SSH honeypot data shows that attackers primarily tried common passwords such as “123456”, “admin”, “123”, and “password”. Brute force against default and easy-to-guess credentials therefore remains a significant threat, and password-only SSH authentication with such credentials is the exposure these attempts target.

Post-Exploitation Behavior

The TTY sessions logged show attackers attempting multiple commands after successful logins. Alongside this, the probing observed across the honeypots included requests for paths such as “/index.php?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input” (a query string that carries PHP configuration directives, allow_url_include and auto_prepend_file=php://input, in an attempt to have the server treat the request body as PHP code) and “/sitemap.xml”, suggesting an effort to map the system’s structure and test for known weaknesses before exploiting any that are found.

Web Scanner Activity

The HTTP LLM honeypot data indicates attackers are primarily scanning well-known paths. The common requests include “/index.php?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input”, “/sitemap.xml”, and “/f6t6fhf09pge” (a random-looking path typically used to fingerprint how a server answers requests for non-existent resources), pointing to a focus on known vulnerabilities and security misconfigurations.

Malware Captures

No malware samples were captured today. This is reassuring, but it does not indicate that payload delivery has stopped; it emphasizes the need for continuous monitoring and updating of defense strategies against new threats.

SSH Tarpit (Endlessh)

Since the tarpit rules were inactive on ports 222/2200/8022/22222, no attackers were trapped and no attacker time was wasted on those ports today.

Canarytoken Alerts

The data shows 42 alerts triggered by use of the planted fake AWS keys and SSH keys, from a variety of user-agents. Each alert confirms that an attacker found and tried to use the decoy credentials, which is exactly the early-warning signal the canarytokens are deployed to provide.

Community Defense

All attacking IPs were reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. Malware hashes submitted to VirusTotal have been analyzed and shared for further investigation and mitigation against real threats.

Rules Recap

  • SSH honeypot: Active
  • Multi-protocol honeypot: High volume of events
  • HTTP LLM honeypot: Low traffic but valuable scanning patterns
  • TTY sessions: Command enumeration attempts, indicating low interest in actual exploitation.
  • Malware captures: No malware detected today.
  • Tarpit rules: Inactive on these ports
  • Canarytoken alerts: Successful simulated threats neutralized.

Conclusion

Our Raspberry Pi honeypot continues to demonstrate its effectiveness as a deterrent against cyber attacks. By continuously monitoring and updating our defenses, we are able to identify and isolate potential threats early, reducing the risk of exploitation. This ongoing vigilance is crucial in maintaining a secure environment for both internal networks and external users.

Honeypot Infra

Our honeypot infrastructure consists of three Raspberry Pi 5s deployed across Spain, each running as a separate but interconnected system designed to simulate diverse network scenarios, test security measures, and gather intelligence on cyber threats.

This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.