Thursday, 28 May 2026 πŸ’€ critical

Daily Threat Report

1,926 SSH Connections
1,823 Login Attempts
317 Commands Run
61 SSH Unique IPs
18,772 Protocol Events
28 Protocol IPs
80 Web Hits
25 Web Service IPs

Top Attacker IPs

  1. 🌐 45.156.87.253 BGPβ†—
  2. 🌐 192.109.200.220 BGPβ†—
  3. 🌐 27.79.1.116 BGPβ†—
  4. 🌐 171.243.148.230 BGPβ†—
  5. 🌐 103.228.36.205 BGPβ†—

Top Passwords Tried

  1. 123456
  2. 123
  3. 1234
  4. 1
  5. root

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 80 scanner requests from 25 unique IPs (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /
  3. /favicon.ico
  4. /status/414
  5. /boaform/admin/formLogin?username=ec8&psd=ec8

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
  5. visionheight.com/scan Mozilla/5.0 (Macintosh
  6. Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
  7. Mozilla/5.0 (X11
  8. Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 26 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 26 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 26 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 26 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

password
admin
abc123
qwerty
1qaz@WSX

πŸ’» Commands They Tried

uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 28 de May de 2026. Recorded 1926 SSH connections on the Cowrie honeypot and 18772 multi-protocol events on OpenCanary, from 89 unique IPs. 26 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1823 login attempts from 61 unique IPs. Attackers executed 317 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 18772 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 28 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 80 HTTP requests from real scanners across 25 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 16107 alerts from 578 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’