Wednesday, 3 June 2026 πŸ’€ critical

Daily Threat Report

2,437 SSH Connections
2,319 Login Attempts
1820 Commands Run
144 SSH Unique IPs
13,893 Protocol Events
66 Protocol IPs
51 Web Hits
27 Web Service IPs

Top Attacker IPs

  1. 🌐 45.156.87.204 BGPβ†—
  2. 🌐 45.156.87.13 BGPβ†—
  3. 🌐 87.251.64.176 BGPβ†—
  4. 🌐 27.79.42.241 BGPβ†—
  5. 🌐 185.246.128.133 BGPβ†—

Top Passwords Tried

  1. 0
  2. 123456
  3. admin
  4. 123
  5. 1234

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 51 scanner requests from 27 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /SDK/webLanguage
  3. /zc?action=getInfo
  4. /favicon.ico
  5. /.well-known/traffic-advice

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 (compatible
  5. Infrawatch/1.0
  6. +https://infrawat.ch/)
  7. Mozilla/5.0 (compatible
  8. CensysInspect/1.1
  9. +https://about.censys.io/)
  10. Mozilla/5.0 (Macintosh
  11. Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 30 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 30 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 30 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 30 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

admin
345gs5662d34
password
3245gs5662d34
abc123

πŸ’» Commands They Tried

/bin/./uname -s -v -n -r -m
cd ~ && rm -rf .ssh && mkdir .ssh && echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
uname
uname -a
uname -a ; echo vT

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 3 de June de 2026. Recorded 2437 SSH connections on the Cowrie honeypot and 13893 multi-protocol events on OpenCanary, from 210 unique IPs. 30 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 2319 login attempts from 144 unique IPs. Attackers executed 1820 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 13893 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 66 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 51 HTTP requests from real scanners across 27 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 860 alerts from 126 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’