Wednesday, 20 May 2026 πŸ’€ critical

Daily Threat Report

638 SSH Connections
553 Login Attempts
2 Commands Run
65 SSH Unique IPs
36,083 Protocol Events
28 Protocol IPs
50 Web Hits
26 Web Service IPs

Top Attacker IPs

  1. 🌐 27.79.47.215 BGPβ†—
  2. 🌐 87.251.64.176 BGPβ†—
  3. 🌐 171.231.176.168 BGPβ†—
  4. 🌐 213.209.159.158 BGPβ†—
  5. 🌐 171.231.199.219 BGPβ†—

Top Passwords Tried

  1. admin
  2. 123456
  3. 1234
  4. P
  5. password

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 50 scanner requests from 26 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /favicon.ico
  3. /sitemap.xml
  4. /zc?action=getInfo
  5. 185.65.245.10:7227

Top User-Agents

  1. Mozilla/5.0 (compatible
  2. CensysInspect/1.1
  3. +https://about.censys.io/)
  4. Mozilla/5.0 (Macintosh
  5. Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  6. Mozilla/5.0 (compatible
  7. Infrawatch/1.0
  8. +https://infrawat.ch/)
  9. Python/3.9 python-socks/2.0.3
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 42 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 42 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 42 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 42 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
password
ubuntu
abc123
admin123

πŸ’» Commands They Tried

uname -s -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 20 de May de 2026. Recorded 638 SSH connections on the Cowrie honeypot and 36083 multi-protocol events on OpenCanary, from 93 unique IPs. 42 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 553 login attempts from 65 unique IPs. Attackers executed 2 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 36083 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 28 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 50 HTTP requests from real scanners across 26 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 11263 alerts from 447 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’