Honeypot Threat Analysis — June 3, 2026
Threat level: critical. High-volume, largely automated attack activity across all honeypot services.
Threat Landscape Overview
Today's SSH honeypot (Cowrie) logged 2437 connections, 2319 login attempts and 1820 executed commands. The report gives no total for unique source IPs, but the geographic breakdown (80 Chinese addresses making up 36%) implies roughly 220 distinct addresses, so the typical source connected and tried credentials many times over: this is scripted activity, not hands-on intrusion. 1592 of the 1820 commands are one identical uname string, which points to a single bot family behind most of the traffic.
Geographic Analysis
The geographic distribution reveals a mix of attackers from various countries, highlighting diverse attack vectors. Here’s a breakdown:
- China: 36% (80 IP addresses)
- United States: 14%
- Germany: 11%
- Belgium: 8%
- Netherlands: 5%
- Unknown: 5%
- Brazil: 4%
- Sweden: 2%
- France: 2%
The source-IP distribution skews heavily towards China, but geolocation tells you where the attacking hosts sit (often compromised servers, rented VPS instances or proxies), not where the operators are. Use it to drive blocklisting and rate limiting, not attribution.
SSH Brute Force Analysis
Initial access is plain password guessing against default and trivial credentials such as "0", "123456" and "admin"; no exploit is involved. Once a guess succeeds, the first command is almost always uname -s -v -n -r -m, the fingerprint a bot uses to learn the kernel and architecture before choosing a payload. That uname is reconnaissance, not escalation.
Post-Exploitation Behavior
During the TTY sessions, attackers were actively probing the system. Here is the breakdown of commands and how often each was seen (the export replaced shell separators in the fourth entry with a placeholder, rendered as [sep] below, and appears to have stripped pipes elsewhere; the public key is truncated as captured):
- 1592x: uname -s -v -n -r -m
- 66x: /bin/./uname -s -v -n -r -m
- 36x: cd ~; chattr -ia .ssh; lockr -ia .ssh
- 36x: cd ~ [sep] rm -rf .ssh [sep] mkdir .ssh [sep] echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAr"
- 13x: uname -a ; echo 'vT'
- 2x: uname -a
- 2x: scp -t /tmp/iymvBvxY
- 1x: /ip cloud print
- 1x: ifconfig
- 1x: cat /proc/cpuinfo
- 1x: ps grep '[Mm]iner'
- 1x: ps -ef grep '[Mm]iner'
- 1x: ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop
- 1x: locate D877F783D5D3EF8Cs
- 1x: echo Hi cat -n
These commands are not about SSH server configuration flaws. Read together they show a standard cryptomining bot playbook: uname, cat /proc/cpuinfo and ifconfig size up the host; chattr -ia and its renamed twin lockr strip the immutable and append-only flags from .ssh so it can be overwritten; the rm -rf .ssh / mkdir .ssh / echo "ssh-rsa ..." sequence replaces the victim's authorized keys with the attacker's, a persistence mechanism that survives password rotation; the grep '[Mm]iner' checks look for a competing miner already on the box. Two outliers are worth noting: /ip cloud print is MikroTik RouterOS syntax, so that bot was testing whether it had landed on a router, and the TelegramDesktop tdata listing plus locate D877F783D5D3EF8Cs (a file name inside tdata) is a hunt for Telegram session data to steal. The scp -t invocations are an attacker pushing a file to /tmp. On a real host, the response is to audit ~/.ssh/authorized_keys for every user, check for immutable flags (lsattr), and rotate keys rather than only passwords.
Web Scanner Activity
The HTTP honeypot (Galah, with a local qwen model generating the responses) saw 51 requests from 27 unique IPs, about two requests per source. That pattern is mass scanning for exposed paths and admin panels rather than targeted probing. An HTTP honeypot only observes HTTP, so it says nothing about FTP, Telnet, MySQL, Redis, VNC or Git exposure.
Malware Captures
No malware samples were retained today. The two scp -t /tmp/iymvBvxY commands in the session log are the server side of an scp transfer, meaning an attacker was pushing a file to the honeypot; that no sample was recorded means the transfer did not complete or was not captured, so the attempt itself is still an indicator worth tracking. Endlessh is a tarpit and never captures payloads; samples come from Cowrie's download and upload logging.
SSH Tarpit (Endlessh)
Endlessh recorded no trapped clients today. That is simply an absence of connections on the tarpit port, not evidence that the tarpit deterred anyone: a tarpit only slows scanners that happen to hit it, and an idle tarpit tells you nothing about the rest of the attack surface.
Canarytoken Alerts
80 canarytoken alerts (fake AWS and SSH keys planted where an intruder would find them) fired today. A canarytoken fires when the planted credential is actually used, not when someone guesses a password, so each trigger is a stronger signal than a login attempt: it shows that the attacker or their tooling harvested files and tested the credentials, often from an IP other than the one that logged in, which makes the triggering IP a useful second indicator.
Community Defense
All attacking IPs are reported to AbuseIPDB, AlienVault OTX, Blocklist.de and SANS DShield so that others can block or correlate them. The honeypot runs entirely on open-source tooling that anyone can reproduce.
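To turn the raw Cowrie output behind the brute-force and post-exploitation sections into the kind of per-IP reports the Community Defense section describes, the following added example (mine, not code from this lab or from Cowrie) parses Cowrie's JSON event log, reproduces the headline counts, flags the session-log behaviours (authorized_keys persistence, chattr/lockr flag stripping, competitor-miner checks, Telegram tdata hunting, RouterOS syntax), extracts any public key the attacker tried to inject, and builds AbuseIPDB-style report stubs. The log lines are constructed with documentation-range IPs, the rule names are this example's own, and sending the reports (a POST to AbuseIPDB's /api/v2/report with an API key) is deliberately left out so the block runs offline.

```python
"""Triage of Cowrie JSON events: volume stats, post-login TTP flags, injected SSH keys,
and per-IP report stubs in the AbuseIPDB category scheme (18 Brute-Force, 22 SSH, 15 Hacking)."""
import json
import re
from collections import Counter, defaultdict

# Constructed Cowrie-style log lines using documentation-range IPs; not the report's own data.
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2026-06-03T01:02:03Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"a1","username":"root","password":"123456","timestamp":"2026-06-03T01:02:04Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"a1","username":"root","password":"admin","timestamp":"2026-06-03T01:02:05Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"uname -s -v -n -r -m","timestamp":"2026-06-03T01:02:06Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cd ~; chattr -ia .ssh; lockr -ia .ssh","timestamp":"2026-06-03T01:02:07Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAr\" >> .ssh/authorized_keys","timestamp":"2026-06-03T01:02:08Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2","timestamp":"2026-06-03T02:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"0","timestamp":"2026-06-03T02:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"123456","timestamp":"2026-06-03T02:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"admin","timestamp":"2026-06-03T02:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"ps -ef | grep '[Mm]iner'","timestamp":"2026-06-03T02:00:04Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"ls -la ~/.local/share/TelegramDesktop/tdata","timestamp":"2026-06-03T02:00:05Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"/ip cloud print","timestamp":"2026-06-03T02:00:06Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","session":"c3","timestamp":"2026-06-03T03:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","session":"c3","username":"pi","password":"raspberry","timestamp":"2026-06-03T03:00:01Z"}
"""

# Command patterns for the behaviours in the session log; the rule names are this example's own.
TTP_RULES = {
    "recon.uname": re.compile(r"\buname\b"),
    "defense_evasion.immutable_flag": re.compile(r"\b(?:chattr|lockr)\b\s+-[ia]{1,2}\b"),
    "persistence.ssh_authorized_keys": re.compile(r"authorized_keys|rm -rf \.ssh|\.ssh\b.*\bssh-(?:rsa|ed25519)\b"),
    "discovery.competitor_miner": re.compile(r"grep\s+'?\[Mm\]iner"),
    "collection.telegram_tdata": re.compile(r"TelegramDesktop|D877F783D5D3EF8C"),
    "recon.routeros_cli": re.compile(r"^/ip\s+cloud\s+print"),
}
SSH_KEY_RE = re.compile(r"ssh-(?:rsa|ed25519)\s+[A-Za-z0-9+/=]+")
ABUSEIPDB_CATEGORIES = {"hacking": 15, "brute_force": 18, "ssh": 22}


def parse_events(text):
    """One JSON object per non-empty line, as Cowrie's JSON output plugin writes them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Headline counts plus TTP hits, overall and per source IP."""
    ips = set()
    stats = {"connections": 0, "login_attempts": 0, "logins_ok": 0, "commands": 0,
             "passwords": Counter(), "ttps": Counter(),
             "by_ip": defaultdict(lambda: {"attempts": 0, "ttps": set()})}
    for ev in events:
        eid, ip = ev.get("eventid", ""), ev.get("src_ip", "")
        ips.add(ip)
        if eid == "cowrie.session.connect":
            stats["connections"] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            stats["login_attempts"] += 1
            if eid == "cowrie.login.success":
                stats["logins_ok"] += 1
            stats["passwords"][ev.get("password", "")] += 1
            stats["by_ip"][ip]["attempts"] += 1
        elif eid == "cowrie.command.input":
            stats["commands"] += 1
            for name, rx in TTP_RULES.items():
                if rx.search(ev.get("input", "")):
                    stats["ttps"][name] += 1
                    stats["by_ip"][ip]["ttps"].add(name)
    stats["unique_ips"] = len(ips)
    return stats


def injected_keys(events):
    """Public keys an attacker tried to write into authorized_keys; block these fleet-wide."""
    found = set()
    for ev in events:
        if ev.get("eventid") == "cowrie.command.input":
            found.update(SSH_KEY_RE.findall(ev.get("input", "")))
    return sorted(found)


def abuse_reports(stats):
    """Per-IP report stubs; submitting them is a separate, authenticated POST to AbuseIPDB."""
    reports = []
    for ip, rec in sorted(stats["by_ip"].items()):
        cats = [ABUSEIPDB_CATEGORIES["ssh"], ABUSEIPDB_CATEGORIES["brute_force"]]
        comment = f"Cowrie honeypot: {rec['attempts']} SSH login attempt(s)"
        if rec["ttps"]:  # post-login activity upgrades the report from brute force to hacking
            cats.append(ABUSEIPDB_CATEGORIES["hacking"])
            comment += "; post-login: " + ", ".join(sorted(rec["ttps"]))
        reports.append({"ip": ip, "categories": ",".join(map(str, cats)), "comment": comment})
    return reports


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    st = summarize(events)
    print({k: st[k] for k in ("connections", "login_attempts", "logins_ok", "commands", "unique_ips")})
    print("top passwords:", st["passwords"].most_common(3))
    print("TTPs:", dict(st["ttps"]))
    print("injected keys:", injected_keys(events))
    for r in abuse_reports(st):
        print(r)
```

Point it at Cowrie's real cowrie.json instead of SAMPLE_LOG and the same functions produce the day's counts, the TTP tally, and a report stub per IP. The injected-key list is the indicator most worth sharing alongside the IPs: an attacker's public key reappears across campaigns long after the source addresses have rotated.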
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.