💀 critical 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — June 2, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today’s activity shows a high volume of attacks across multiple vectors targeting our Raspberry Pi 5 honeypot. The SSH honeypot received over 1,000 connections, nearly 70% of which resulted in a successful login followed by numerous executed commands. This volume confirms that the honeypot is effective at attracting, capturing and exposing attacker activity.

The Multi-Protocol Honeypot saw significant traffic, with a total of 16,063 events across FTP/Telnet/MySQL/Redis/VNC/Git. The HTTP LLM honeypot received around 80 requests covering a variety of HTTP paths probed by attackers. The SSH Tarpit, however, remained inactive, with no tarpit data captured.

The severity level is critical, indicating a high risk to our security infrastructure. Approximately 141 unique attackers were identified today, with the following countries contributing most: United States (22%), China (16%), Belgium (16%), Germany (15%), Romania (7%), Netherlands (7%), Vietnam (5%), Taiwan (3%), and Sweden (3%).

Top attacker IPs include 47.239.112.32, 87.251.64.176, 116.110.154.109, 27.79.45.38 and 185.246.128.133. These IPs are predominantly from the United States, China, and Belgium.

Passwords tried by attackers include “0”, “admin”, “123456”, “1234” and “ubuntu”. The HTTP paths scanned by attackers include “/SDK/webLanguage”, “/”, “/favicon.ico”, “/sonicui/7/sslvpn-portal/” and “/server”.

Geographic Analysis

The GeoIP data shows that the total number of unique IPs was 138, with notable contributions from the United States (22%), China (16%), Belgium (16%), Germany (15%), Romania (7%), Netherlands (7%), Vietnam (5%), Taiwan (3%), and Sweden (3%).

The distribution is not evenly spread; the United States, China, and Belgium continue to be the main sources of the traffic we observe. This geographic spread highlights the importance of a global view when building detection and blocking strategy.

SSH Brute Force Analysis

SSH brute force volume was relatively low compared to the other protocols. Even so, the high number of login attempts indicates that attackers are using this honeypot to test their tooling or as part of broader campaigns. Successful logins include “caaan:canaan”, “root:admin”, “user:270485” and “admin:paul1234”.

Post-authentication commands indicate that attackers may be looking to gain administrative privileges. The most common post-exploitation command is “uname -s -v -n -r -m”, which collects detailed system information about the host.

Post-Exploitation Behavior

After gaining access via TTY sessions, attackers performed the following commands (execution count followed by the command):

  • 389x: uname -s -v -n -r -m
  • 15x: /bin/./uname -s -v -n -r -m
  • 6x: cd ~; chattr -ia .ssh; lockr -ia .ssh
  • 6x: cd ~ TTY_PHTTY_PH rm -rf .ssh TTY_PHTTY_PH mkdir .ssh TTY_PHTTY_PH echo “ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAr
  • 3x: uname -s -m
  • 2x: scp -t /tmp/V62vtXQH

These commands show attackers first fingerprinting the system (the uname variants) and then working on sensitive files in the home directory: clearing the immutable and append-only attributes on .ssh (chattr -ia, lockr -ia), removing and recreating the .ssh directory, and writing an ssh-rsa key into it, which is consistent with an attempt to keep access to the account. The scp -t invocation stages a file under /tmp within the same session.

Web Scanner Activity

The HTTP scanner activity indicates that attackers were probing the honeypot’s exposed web service. The paths “/SDK/webLanguage”, “/”, “/favicon.ico”, “/sonicui/7/sslvpn-portal/” and “/server” suggest an interest in the web-based applications or appliances the honeypot appears to offer.

Malware Captures

Today, no malware samples were captured from any of the attackers. This absence is reassuring but does not reduce the need to keep monitoring for future payload drops.

SSH Tarpit (Endlessh)

The tarpit was inactive today, with no data captured in the tarpit logs. This suggests that no attackers connected to the tarpit port, although it could also mean the tarpit service itself was not running in our environment.

Canarytoken Alerts

Over 71 canarytoken triggers were detected by the honeypot, with multiple AWS token entries indicating that attackers used the planted decoy credentials through common tools like Boto3. The details of these tokens point to a variety of IP addresses and user-agent strings:

  • AWS token from 175.29.7.17 - user-agent: Boto3/1.23.10 Python/3.6.8 Linux/4.18.0-305.10.2.el8_4.x86_64 Botocore/1.26.10
  • AWS token from 170.64.151.205 - user-agent: Boto3/1.26.153 Python/3.10.1 Windows/2012ServerR2 Botocore/1.29.153
  • AWS token from 170.64.151.205 - user-agent: Boto3/1.26.153 Python/3.10.1 Windows/2012ServerR2 Botocore/1.29.153
  • AWS token from unknown - user-agent:

These alerts highlight the honeypot’s effectiveness in detecting attempted use of the decoy credentials.

Community Defense

The total number of unique IPs reported to AbuseIPDB is 0, meaning none of today’s attacker IPs have yet been shared with the community blocklist. The use of a locally run open-source model like Qwen for this analysis underscores the importance of community defense efforts such as those provided by platforms like AlienVault OTX and VirusTotal.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.