Saturday, 30 May 2026 πŸ’€ critical

Daily Threat Report

1,349 SSH Connections
1,283 Login Attempts
188 Commands Run
63 SSH Unique IPs
4,699 Protocol Events
5 Protocol IPs
97 Web Hits
35 Web Service IPs

Top Attacker IPs

  1. 🌐 45.156.87.253 BGPβ†—
  2. 🌐 87.251.64.176 BGPβ†—
  3. 🌐 27.79.6.170 BGPβ†—
  4. 🌐 27.79.3.251 BGPβ†—
  5. 🌐 27.79.47.53 BGPβ†—

Top Passwords Tried

  1. admin
  2. 123456
  3. 123
  4. 1234
  5. 1

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 97 scanner requests from 35 unique IPs (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /
  3. /zc?action=getInfo
  4. /favicon.ico
  5. /.well-known/security.txt

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 (compatible
  5. CensysInspect/1.1
  6. +https://about.censys.io/)
  7. Mozilla/5.0 (compatible
  8. Infrawatch/1.0
  9. +https://infrawat.ch/)
  10. Mozilla/5.0 (Macintosh
  11. Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  12. Mozilla/5.0 (Macintosh
  13. Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 25 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 25 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 25 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 25 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
password
abc123
ubuntu
qwerty

πŸ’» Commands They Tried

echo SSHCHK_60d0f906918c_BEGIN; uname -srm; echo $((7*191+3)); hostname; df -P / 2>/dev/null | awk NR==2{print $1}; echo SSHCHK_60d0f906918c_END
uname -a
uname -a ; echo vT
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 30 de May de 2026. Recorded 1349 SSH connections on the Cowrie honeypot and 4699 multi-protocol events on OpenCanary, from 68 unique IPs. 25 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1283 login attempts from 63 unique IPs. Attackers executed 188 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 4699 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 5 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 97 HTTP requests from real scanners across 35 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 21558 alerts from 573 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’