
Honeypot Threat Analysis — May 25, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

In today’s data snapshot, the SSH honeypot saw a steady stream of activity. With 2559 connections, 2540 login attempts, and 965 commands executed from 228 unique IPs, the system is capturing both brute-force attempts and post-login activity.

The Multi-Protocol Honeypot also reported 40,850 events from 57 unique IP addresses across different protocols. The HTTP LLM honeypot showed a low volume of activity but still recorded 38 unique IPs, showing that it is picking up web scanning traffic as well.

The SSH tarpit on ports 222/2200/8022/22222 recorded no tarpit sessions, so no attackers were held by the tarpit in this window.

Geographic Analysis

Examining the GeoIP data reveals a high volume of activity originating primarily from China (58%), United States (29%), France (22%), India (13%), Germany (11%), Hong Kong (9%), Belgium (9%), United Kingdom (8%), Vietnam (7%), and Unknown regions (7%). The distribution shows that attack traffic is reaching the honeypot from a diverse set of source regions rather than a single origin.

SSH Brute Force Analysis

The most common passwords tried were “345gs5662d34”, “3245gs5662d34”, and “admin”. The login attempts were executed by 965 unique IPs, emphasizing the need for strong authentication measures.

Post-Exploitation Behavior

In analyzing sessions with TTY access, we observed 31 successful logins. Attackers typically look for sensitive information or tools that can be used to escalate privileges further on their targets. The post-login activity shows a consistent pattern of attackers seeking out critical system files and configurations, which is exactly the behaviour a security monitoring system should be alerting on.

Web Scanner Activity

The HTTP paths scanned include “/”, “/favicon.ico”, “/SDK/webLanguage”, “/wiki”, and “/v2/_catalog”. This activity matches common web scanning behaviour: probing for specific directories or files that would be valuable on a compromised host.

Malware Captures

Today’s data did not reveal any malware samples being downloaded via SSH. However, it’s important to note that the honeypot has been successful in capturing real-world attackers using fake AWS keys and SSH keys planted within the system. This highlights the effectiveness of the honeypot in simulating realistic attack scenarios.

SSH Tarpit (Endlessh)

No tarpit sessions were observed for any attacker, meaning the Endlessh tarpit held no connections during this reporting window.

Canarytoken Alerts

The system recorded 57 attempts where attackers used the fake AWS keys and SSH keys. These tokens were triggered from multiple IP addresses, indicating a persistent pattern of attackers harvesting and reusing the planted credentials.

Community Defense

All attacking IPs were reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. Sharing these lists helps other security teams block or flag sources that their own systems might otherwise overlook.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.