Honeypot Threat Analysis — May 6, 2026
High-intensity attack day with aggressive scanning from 98 unique IPs.
Threat Landscape Overview
Today’s activity on our Raspberry Pi 5 honeypots was high across multiple protocols. The SSH honeypot saw an influx of connections and login attempts, and the commands executed indicate a sophisticated attacker base. The multi-protocol honeypots, which cover network services such as FTP, Telnet, MySQL, Redis, VNC and Git, also saw heightened engagement. The HTTP LLM honeypot received 35 requests from 14 unique IPs, highlighting the importance of continuous monitoring and analysis.
SSH Brute Force Analysis
The SSH honeypot reported a significant number of connections and login attempts: 2251 login attempts and 73 unique IP addresses. The most common password was “123456”, followed by “admin” and “123”. Attackers also ran commands such as “sshpass -f ~/.ssh/pass.txt sudo su”. This indicates a potential for lateral movement within the network.
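An added example, not part of the honeypot lab's own tooling: one way to derive the figures reported above (login attempts, unique IPs, top passwords) and to flag commands like the sshpass line, assuming Cowrie-style JSON event logs. The log format, the watch list and the sample events (documentation IP ranges) are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events in an assumed Cowrie-style JSON-lines format.
# Source IPs are RFC 5737 documentation addresses, not observed attackers.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.10", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "user", "password": "123"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.5", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "sshpass -f ~/.ssh/pass.txt sudo su"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "uname -a"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2
"""

# Assumed watch list: substrings hinting at stored-credential reuse or privilege escalation.
WATCH = ("sshpass", ".ssh/", "sudo su")
LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")

def summarize(log_text):
    """Return login-attempt count, unique source IPs, top passwords and flagged commands."""
    attempts, ips, passwords, flagged = 0, set(), Counter(), []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it rather than abort the report
        event_id = event.get("eventid", "")
        src = event.get("src_ip")
        if event_id in LOGIN_EVENTS:
            attempts += 1
            ips.add(src)
            passwords[event.get("password", "")] += 1
        elif event_id == "cowrie.command.input":
            command = event.get("input", "")
            if any(marker in command for marker in WATCH):
                flagged.append((src, command))
    return {
        "login_attempts": attempts,
        "unique_ips": len(ips),
        "top_passwords": passwords.most_common(3),
        "flagged_commands": flagged,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```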
Web Scanner Activity
The web scanner activity on our HTTP LLM honeypot comprises 35 requests from 14 unique IPs. The most frequently scanned paths are “/SDK/webLanguage”, “/sitemap.xml”, “/”, “/login” and “/json/”. These observations suggest that attackers are targeting specific services or directories to gather information or perform reconnaissance.
Notable Trends
One interesting trend is the high number of attacks originating from Brazil (IP 45.156.87.204), China (IPs 176.65.132.254, 87.251.64.176, 87.251.64.145, 87.251.64.144) and the United States (IP 90.122.33.16). These locations indicate a global threat landscape where multiple countries are active in cyberattacks.
Community Defense
All reported IPs have been shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield for further investigation and defensive action. Our honeypot infrastructure is designed to be continuously monitored and updated, ensuring the system remains effective against emerging threats.
Rules of Engagement
The Raspberry Pi 5 honeypots are located in Spain and utilize open-source software. They provide a critical resource for threat intelligence analysis and defense against cyber attacks. The high level of activity across multiple protocols underscores the importance of robust security measures and continuous monitoring in today’s digital environment.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.