Tuesday, 12 May 2026 πŸ’€ critical

Daily Threat Report

956 SSH Connections
909 Login Attempts
166 Commands Run
38 SSH Unique IPs
3,717 Protocol Events
14 Protocol IPs
87 Web Hits
25 Web Service IPs

Top Attacker IPs

  1. 🌐 176.65.132.17 BGPβ†—
  2. 🌐 27.79.5.123 BGPβ†—
  3. 🌐 27.79.44.21 BGPβ†—
  4. 🌐 193.32.162.145 BGPβ†—
  5. 🌐 87.251.64.176 BGPβ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. password
  5. 1234

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 87 scanner requests from 25 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /login
  3. /og-default.png
  4. /sitemap.xml
  5. 185.65.245.140:7227

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Go-http-client/1.1
  5. Mozilla/5.0
  6. Mozilla/5.0 (compatible
  7. CensysInspect/1.1
  8. +https://about.censys.io/)
  9. Python/3.9 python-socks/2.0.3
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 1 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 1 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 1 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 1 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
password
abc123
1qaz@WSX
admin123

πŸ’» Commands They Tried

/bin/./uname -s -v -n -r -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 13 de May de 2026. Recorded 956 SSH connections on the Cowrie honeypot and 3717 multi-protocol events on OpenCanary, from 52 unique IPs. 1 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 909 login attempts from 38 unique IPs. Attackers executed 166 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 3717 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 14 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 87 HTTP requests from real scanners across 25 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’