💀 critical 🤖 antigravity

Honeypot Threat Analysis — May 3, 2026

Weekend attacks maintain critical levels — 1,985 SSH connections and IoT exploitation attempts via Hikvision and MikroTik vectors.

ssh-brute-force, honeypot, web-scanning, multi-protocol, iot-targeting, threat-intelligence

Threat Landscape Overview

Saturday brings no reduction in attacks: 1,985 SSH connections (88 IPs), 4,235 OpenCanary events (13 IPs), and 85 Galah web requests (35 IPs). The honeypot has now maintained critical severity for four consecutive days.

SSH Brute Force Analysis

2,392 login attempts with 365 commands — the exploitation depth is remarkably consistent. The same bulletproof hosting IPs continue their campaign. The uname -s -v -n -r -m command dominates post-auth activity, providing attackers with complete system identification: kernel name, version, hostname, release, and machine architecture.

The uname -a;w combination is particularly interesting: one command line collects system information and then lists who is logged in, a classic post-exploitation first move.

IoT Exploitation Focus

Two distinct IoT attack vectors continue:

  • MikroTik: /ip cloud print command attempts identify compromised MikroTik routers for botnet recruitment
  • Hikvision: /SDK/webLanguage HTTP requests target CVE-2017-7921, a critical authentication bypass in IP cameras

These vectors confirm that modern botnets don’t discriminate between traditional servers and IoT devices — anything internet-facing is a target.
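An added example, not part of the original analysis or the honeypot's own tooling: a small Python tagger that labels the post-auth SSH commands and the web request path named above, run over constructed events. The event tuple layout, the tag names and the sample IPs are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Split a shell line on ; && || | so "uname -a;w" yields two commands.
_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

def tag_command(line):
    """Return the set of recon tags for one post-auth command line."""
    tags = set()
    for cmd in filter(None, _SPLIT.split(line.strip())):
        argv = cmd.split()
        if argv[0] == "uname":
            tags.add("host-fingerprint")
        elif argv[0] in ("w", "who"):
            tags.add("session-enum")
        elif argv[:3] == ["/ip", "cloud", "print"]:
            tags.add("mikrotik-check")
    return tags

def tag_http(path):
    """Tag a web request path; query string and case are ignored."""
    clean = path.split("?", 1)[0].rstrip("/").lower()
    return {"hikvision-probe"} if clean == "/sdk/weblanguage" else set()

def summarize(events):
    """events: (src_ip, kind, payload) tuples, kind is 'ssh_cmd' or 'http'."""
    per_tag, per_ip = Counter(), defaultdict(set)
    for ip, kind, payload in events:
        tags = tag_command(payload) if kind == "ssh_cmd" else tag_http(payload)
        for t in tags:
            per_tag[t] += 1
            per_ip[ip].add(t)
    return per_tag, dict(per_ip)

# Constructed sample events (documentation-range IPs, not honeypot data).
SAMPLE = [
    ("192.0.2.10", "ssh_cmd", "uname -s -v -n -r -m"),
    ("192.0.2.10", "ssh_cmd", "uname -a;w"),
    ("198.51.100.7", "ssh_cmd", "/ip cloud print"),
    ("203.0.113.5", "http", "/SDK/webLanguage"),
    ("203.0.113.5", "http", "/index.html"),
]

if __name__ == "__main__":
    tags, ips = summarize(SAMPLE)
    for tag, n in tags.most_common():
        print(f"{tag:18} {n}")
    for ip, seen in sorted(ips.items()):
        print(ip, sorted(seen))
```

Counting tags per source IP separates hosts that only fingerprint the system from those that also check for RouterOS or probe camera endpoints.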

Community Defense

7 IPs reported to AbuseIPDB. All data shared with AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.