Severity: critical | Model: qwen2.5:1.5b

Honeypot Threat Analysis — June 5, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

Today’s SSH honeypot (Cowrie) experienced minimal activity: no connections, login attempts, or command executions were recorded. The multi-protocol honeypot (OpenCanary) was similarly uneventful, with zero FTP/Telnet/MySQL/VNC/Git events detected.

The HTTP LLM honeypot (Galah + qwen AI) also showed low engagement, receiving no requests and reporting no unique IPs to AbuseIPDB. The SSH tarpit (Endlessh on ports 222/2200/8022/22222) was inactive, with no observed connections or tarpit data.

The severity level is critical, indicating a high risk of exploitation and compromise. There were zero unique attackers detected today, with no reported IPs from AbuseIPDB. The top attacker countries include the United States (60%), Netherlands (19%), United Kingdom (15%), Portugal (7%), Germany (7%), China (5%), Korea (4%), France (4%), Singapore (3%), and Turkey (2%).

Geographic Analysis

The honeypot reported 147 unique IP addresses, with the following distribution:

  • United States: 60 (40%)
  • Netherlands: 19 (12%)
  • United Kingdom: 15 (10%)
  • Portugal: 7 (4%)
  • Germany: 7 (4%)
  • China: 5 (3%)
  • Korea, Republic of: 4 (2%)
  • France: 4 (2%)
  • Singapore: 3 (2%)
  • Turkey: 2 (1%)

The distribution highlights the global nature of network threats and underscores the importance of protecting against international attacks. The data also shows that a significant portion of the traffic comes from Western Europe (specifically the Netherlands, United Kingdom, and Germany) and from the United States.

SSH Brute Force Analysis

Today’s activity centered around brute force attempts at authenticating to the honeypot using various methods. The most common patterns included:

  • uname -s -v -n -r -m
  • cd ~; chattr -ia .ssh; lockr -ia .ssh
  • cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAr...

These attempts often involved a combination of common usernames and simple passwords. The attackers were targeting systems with default configurations, which makes them easier to identify.

Post-Exploitation Behavior

In TTY sessions, the following commands were successfully executed:

  • uname -s -v -n -r -m
  • cd ~; chattr -ia .ssh; lockr -ia .ssh
  • cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAr...

These commands suggest that attackers were looking for information or to establish a foothold on the system. They were also trying to lock down SSH access to prevent future intrusions.

Web Scanner Activity

Today’s HTTP LLM honeypot was unremarkable, receiving no requests and no IPs reported back to AbuseIPDB. This suggests that web scanning is not a primary tactic used by today’s attackers for reconnaissance or data exfiltration purposes.

Malware Captures

There were no malware samples downloaded via the SSH channel today. The lack of malware captures indicates that the honeypot remains resilient against common malicious payloads being uploaded via this method.

Canarytoken Alerts

Today, 85 Canarytoken alerts were triggered by attackers using the fake AWS keys and SSH keys planted in the honeypot as simulated credentials.

The following are the details of these simulated tokens:

  • IP Address: 213.136.67.156
  • User-Agent: Boto3/1.34.46 md/Botocore#1.34.46 ua/2.0 os/linux#6.8.0-106-generic md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.46

This alert underscores the importance of securing access to critical infrastructure, as attackers often use these simulated credentials to test their security measures.

SSH Tarpit (Endlessh)

The tarpit feature was not active today, indicating that there were no attempts to log into the honeypot via a script-based tarpit. This suggests that the honeypot is effectively blocking unauthorized access, providing an additional layer of defense against brute force and other common attack vectors.

Community Defense

Today’s data was shared with several threat intelligence feeds:

  • AbuseIPDB
  • AlienVault OTX
  • Blocklist.de
  • SANS DShield

This ensures that the honeypot remains a valuable tool for monitoring and mitigating cyber threats. Sharing the observed IP addresses also helps other defenders identify potential security incidents within their own networks.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.