Honeypot Threat Analysis — April 17, 2026
Medium-severity day with 351 SSH connections from 70 IPs. A brief respite in the storm of automated scanning.
Threat Landscape Overview
A relatively quiet day — 351 SSH connections from 70 unique IPs with only 18 commands executed. After the critical spike on April 15, activity has settled back to medium levels. The attacker diversity (70 IPs) remains high despite lower volume.
SSH Brute Force Analysis
313 login attempts with the usual suspects in the password dictionary: admin, solana, 123456, ubuntu, 123. The ubuntu password reappearing suggests targeted scans for default Ubuntu server installations.
Persistent scanner 80.66.66.10 continues its daily visits, joined by two IPs from the 92.118.39.x range (92.118.39.56 and 92.118.39.95), suggesting a coordinated scanning operation from that subnet. IP 45.148.10.121 is a new addition from a known bulletproof hosting range.
Notable Trends
The low command count (18) relative to login attempts (313) indicates most attackers today are purely credential-testing without follow-up exploitation. This pattern is typical of botnet operators building credential databases rather than seeking immediate access.
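An added example (not the lab's own tooling) of how the two observations above can be checked from session events: clustering source IPs by subnet, and measuring the share of login sessions that never ran a command. The event tuple layout and function names are assumptions made for illustration, and the sample events are constructed; only the IPs are taken from this report.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (session_id, src_ip, event_type).
# This layout is an assumption, not the honeypot's real log schema.
EVENTS = [
    ("s1", "80.66.66.10", "login"),
    ("s1", "80.66.66.10", "login"),
    ("s2", "92.118.39.56", "login"),
    ("s3", "92.118.39.95", "login"),
    ("s3", "92.118.39.95", "command"),
    ("s4", "45.148.10.121", "login"),
]

def subnet_clusters(events, min_hosts=2):
    """Return {network: [ips]} for networks seen with >= min_hosts distinct IPs.

    IPv4 sources are grouped by /24, IPv6 by /64. A shared subnet is a hint
    of common operation (same hoster or scanner fleet), not proof of it.
    """
    nets = defaultdict(set)
    for _session, ip, _kind in events:
        prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].add(ip)
    return {n: sorted(ips) for n, ips in nets.items() if len(ips) >= min_hosts}

def credential_only_ratio(events):
    """Fraction of sessions with a login attempt that executed no command."""
    login_sessions, command_sessions = set(), set()
    for session, _ip, kind in events:
        if kind == "login":
            login_sessions.add(session)
        elif kind == "command":
            command_sessions.add(session)
    if not login_sessions:
        return 0.0  # no login activity at all; avoid dividing by zero
    return len(login_sessions - command_sessions) / len(login_sessions)

if __name__ == "__main__":
    print(subnet_clusters(EVENTS))
    print(f"credential-only sessions: {credential_only_ratio(EVENTS):.0%}")
```
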
Community Defense
All attacker IPs and credentials were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.