Honeypot Threat Analysis — April 27, 2026
172 IPs reported to AbuseIPDB. High-severity day with 784 SSH connections, 362 OpenCanary events, and Git config scanning detected.
Threat Landscape Overview
172 IPs reported to AbuseIPDB — nearly double yesterday’s reports. Attack volume climbed back to high severity: 784 SSH connections (77 IPs), 362 OpenCanary events (24 IPs), and 106 Galah web requests (51 IPs).
SSH Brute Force Analysis
1,112 login attempts, significantly more than the 784 connections, which indicates that attackers made multiple authentication attempts within a single session. Password staples: admin, 123456, 1234, password, 12345678.
Vietnamese cluster active: 171.243.148.80, 116.110.11.33, 116.110.5.114. Persistent scanner 87.251.64.176 continues daily operations. The 1q2w3e4r password appeared — a keyboard-walk pattern that looks complex but is trivially guessable.
Funny password: 696969 — attackers bringing humor to their brute force campaigns. Also spotted: 123321z and 1234567890-=.
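An added example, not part of the original report or the honeypot's own tooling: a small Python check that scores how much of a password is a QWERTY keyboard walk, the kind of rule a password policy can use to reject strings like 1q2w3e4r. The US QWERTY layout, the row offsets, the 0.8 threshold and the function names are assumptions chosen for illustration.

```python
# Keyboard-walk scoring for password policy checks (illustrative, US QWERTY assumed).
# OFFSETS approximates the physical stagger of each row, in key widths.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
OFFSETS = [0.0, 0.5, 0.75, 1.25]
POS = {ch: (r, c + OFFSETS[r])
       for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Fold shifted symbols onto their base key so "!Q@W" is scored like "1q2w".
UNSHIFT = str.maketrans('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./")


def adjacent(a, b):
    """True if a and b are the same key or physical neighbours."""
    if a not in POS or b not in POS:
        return False
    (r1, x1), (r2, x2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(x1 - x2) <= 1.0


def walk_ratio(password):
    """Fraction of consecutive character pairs that sit on neighbouring keys."""
    s = password.lower().translate(UNSHIFT)
    if len(s) < 2:
        return 0.0
    hits = sum(adjacent(a, b) for a, b in zip(s, s[1:]))
    return hits / (len(s) - 1)


def is_keyboard_walk(password, threshold=0.8):
    """Flag passwords that are mostly a walk across adjacent keys."""
    return walk_ratio(password) >= threshold


# Passwords quoted in this report, plus one constructed non-walk for contrast.
SAMPLES = ["1q2w3e4r", "1234567890-=", "123321z", "696969", "admin",
           "T7#kPz9!mQ"]  # last entry is constructed

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:14} ratio={walk_ratio(pw):.2f} walk={is_keyboard_walk(pw)}")
```

A walk score only catches one class of weak password: 696969 and admin score 0.0 here and still need a deny-list or breached-password lookup.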
Web Scanner Activity
106 Galah requests from 51 IPs — the highest web attacker diversity yet. Key paths: /sitemap.xml, /.git/config, /zc?action=getInfo. The persistent scanning of /.git/config indicates attackers systematically hunting for exposed source code repositories across the internet.
Multiple scanner signatures detected: Infrawatch, CensysInspect, Umai-Scanner, and various Chrome/Edge spoofed user agents.
Community Defense
172 IPs reported — automated reporting is scaling effectively. All data shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.