Honeypot Threat Analysis — April 28, 2026
CRITICAL — 7,919 OpenCanary events in one day, the largest multi-protocol attack ever recorded. 1,926 SSH connections with 326 commands.
Threat Landscape Overview
Critical alert. The most intense attack day since deployment: 9,845 total events — nearly 10x the daily average. OpenCanary recorded an unprecedented 7,919 multi-protocol events from 28 IPs, while Cowrie captured 1,926 SSH connections with 326 post-auth commands from 75 IPs.
SSH Brute Force Analysis
2,278 login attempts with 326 commands executed inside the honeypot shell. The password dictionary was heavily weighted toward 123456, admin, 123, password, and 1234. Post-auth activity focused on uname -s -v -n -r -m (kernel name, kernel version, hostname, kernel release, and machine architecture), i.e. full system fingerprinting of the emulated host.
Top attacker 176.65.132.129 led an aggressive SSH campaign. 45.156.87.99 from a known bulletproof hosting provider joined, along with the persistent 87.251.64.176. Vietnamese IPs 27.79.0.43 and 27.79.41.222 continued their botnet operations.
Multi-Protocol Storm
The 7,919 OpenCanary events represent an order-of-magnitude increase. A small number of IPs (28) generated massive event volume, indicating automated tools rapidly cycling through FTP, Telnet, MySQL, Redis, VNC, and Git protocols. This pattern is consistent with an aggressive network scanner performing full-spectrum reconnaissance.
Notable Trends
The concentration of 7,919 events from only 28 IPs means an average of 283 events per attacker — far above normal. This suggests a few dedicated scanners performing exhaustive protocol sweeps rather than distributed botnet activity. Galah was offline for maintenance (0 requests).
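As an added example (not part of this report or the lab's own tooling), the script below summarises Cowrie JSON-lines events the way the SSH Brute Force section and this section do: login attempts and password weighting, post-auth fingerprinting commands such as uname -s -v -n -r -m, and the events-per-source ratio used here to separate a few exhaustive scanners from distributed botnet traffic. The field names follow Cowrie's default JSON output as I understand it, the fingerprinting command list is my own assumption, and the log lines are constructed placeholders.

```python
"""Summarise Cowrie JSON-lines events: login volume, password weighting,
post-auth fingerprinting, and events per distinct source IP."""
import json
from collections import Counter

# Constructed sample in the shape of Cowrie's JSON log (field names assumed
# from Cowrie's default output); source addresses are documentation-range
# placeholders, not the IPs from the report.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"admin","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"password","session":"a1"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"uname -s -v -n -r -m"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"admin","password":"1234","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"admin","password":"123456","session":"b2"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.9","session":"b2"}
"""

# Assumed list: first tokens of commands that, right after login, indicate host fingerprinting.
FINGERPRINT_BINARIES = {"uname", "lscpu", "nproc", "id", "whoami", "hostname"}

def is_fingerprinting(cmd):
    tokens = cmd.split()
    return bool(tokens) and (tokens[0] in FINGERPRINT_BINARIES
                             or cmd.startswith("cat /proc/"))

def summarise(log_text):
    logins, passwords, per_ip, fingerprinting = 0, Counter(), Counter(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        per_ip[ev["src_ip"]] += 1
        if ev["eventid"] in ("cowrie.login.failed", "cowrie.login.success"):
            logins += 1
            passwords[ev["password"]] += 1
        elif ev["eventid"] == "cowrie.command.input" and is_fingerprinting(ev["input"]):
            fingerprinting.setdefault(ev["session"], []).append(ev["input"].strip())
    return {
        "login_attempts": logins,
        "top_passwords": passwords.most_common(5),
        "distinct_ips": len(per_ip),
        # Few IPs with many events each points to exhaustive scanners (the report's 7,919 / 28 ~ 283).
        "events_per_ip": round(sum(per_ip.values()) / max(len(per_ip), 1)),
        "fingerprinting_sessions": fingerprinting,
    }

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_LOG), indent=2))
```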
Community Defense
The reporting pipeline was being reconfigured during the event. All captured IOCs were retroactively shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.