Tuesday, 26 May 2026 πŸ’€ critical

Daily Threat Report

450 SSH Connections
590 Login Attempts
15 Commands Run
69 SSH Unique IPs
32,615 Protocol Events
49 Protocol IPs
47 Web Hits
30 Web Service IPs

Top Attacker IPs

  1. 🌐 87.251.64.176 BGPβ†—
  2. 🌐 116.110.6.117 BGPβ†—
  3. 🌐 116.110.13.192 BGPβ†—
  4. 🌐 2.57.121.25 BGPβ†—
  5. 🌐 2.57.121.112 BGPβ†—

Top Passwords Tried

  1. admin
  2. 1234
  3. 123456
  4. ubuntu
  5. P

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 47 scanner requests from 30 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /favicon.ico
  3. /.well-known/traffic-advice
  4. /wiki
  5. /robots.txt

Top User-Agents

  1. Mozilla/5.0 (compatible
  2. CensysInspect/1.1
  3. +https://about.censys.io/)
  4. Go-http-client/1.1
  5. Chrome Privacy Preserving Prefetch Proxy
  6. Mozilla/5.0 zgrab/0.x
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 35 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 35 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 35 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 35 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
ubuntu
abc123
password
\xef\xbb\xbf------fuck------

πŸ’» Commands They Tried

uname -a
uname -s -m
unset HISTFILE; uname -a; history -c

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 26 de May de 2026. Recorded 450 SSH connections on the Cowrie honeypot and 32615 multi-protocol events on OpenCanary, from 118 unique IPs. 35 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 590 login attempts from 69 unique IPs. Attackers executed 15 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 32615 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 49 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 47 HTTP requests from real scanners across 30 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 13700 alerts from 470 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’