Honeypot Threat Analysis — May 7, 2026
Critical threat level — high-volume automated attack activity across all honeypot services.
Threat Landscape Overview
As of today’s update on May 7th, our Raspberry Pi 5 honeypot lab continues to be a productive source of threat intelligence. In the last 24 hours we observed a total of 1396 SSH connections and 1350 login attempts from a wide range of sources.
Attackers who got past the login stage executed 256 commands in total. The source IP is recorded on every event, so activity can be attributed per address; in all, 91 distinct IP addresses attempted to log in to the honeypot.
Breaking today’s data down by service:
- SSH Honeypot (Cowrie): The most active component, with 1350 login attempts and 256 commands executed by attackers who authenticated.
- Multi-protocol Honeypot (OpenCanary): Reported 4223 events across its FTP/Telnet/MySQL/Redis/VNC/Git services from multiple IPs.
- HTTP scanning against our Galah + qwen2.5 AI-based web honeypot showed a slight uptick: only 120 requests, but from 47 unique IP addresses, which means most scanners made just two or three requests each rather than crawling the site in depth.
The top attacker IPs identified today are:
- 45.156.87.254
- 87.251.64.176
- 27.79.44.244
- 27.79.5.15
- 27.79.46.114
Three of the five sit in the same 27.79.0.0/16 range. A notable pattern across these sources is repeated attempts with the common password “admin”.
Among the HTTP paths requested, “/favicon.ico” and “/og-default.png” are near the top. A favicon request is something browsers and many scanners issue automatically after fetching a page, and “/og-default.png” is most likely fetched because the honeypot’s generated page references it, so the frequency of these two paths says little about attacker intent.
SSH Brute Force Analysis
The SSH honeypot saw increased brute-force activity today, indicating a persistent focus on weak credentials. The most commonly tried passwords were “123456”, “1234”, “123” and “password”, with “admin” also prominent among the top attacker IPs. These are default and dictionary entries, which points to automated credential-list attacks against weak or default passwords rather than any flaw in the SSH service itself.
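The counts above (connections, login attempts, distinct IPs, commands, top passwords) can all be derived from Cowrie’s JSON log. The following is an added example, not the lab’s own reporting script: it parses a few constructed Cowrie-style log lines embedded inline and tallies the same metrics this report uses. Field names (eventid, src_ip, username, password, input) follow Cowrie’s JSON output; the sample IPs are documentation addresses and the events are invented for illustration.

```python
import json
from collections import Counter

# Constructed sample of Cowrie JSON log lines (not captured from the lab).
# Documentation-range IPs are used; the events are invented for illustration.
SAMPLE_COWRIE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2026-05-07T01:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1","timestamp":"2026-05-07T01:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","session":"a1","timestamp":"2026-05-07T01:00:02Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2","timestamp":"2026-05-07T01:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"password","session":"b2","timestamp":"2026-05-07T01:05:01Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"123456","session":"b2","timestamp":"2026-05-07T01:05:02Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a","session":"b2","timestamp":"2026-05-07T01:05:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"cat /proc/cpuinfo | grep name | wc -l","session":"b2","timestamp":"2026-05-07T01:05:04Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"c3","timestamp":"2026-05-07T02:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"1234","session":"c3","timestamp":"2026-05-07T02:00:01Z"}
this line is not JSON and must be skipped
"""


def summarize_cowrie(log_text):
    """Tally the report metrics from Cowrie JSON log text (one event per line)."""
    connections = 0
    login_attempts = 0
    login_ips = set()          # distinct addresses that attempted a login
    attempts_per_ip = Counter()
    passwords = Counter()
    usernames = Counter()
    commands = Counter()

    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # Log rotation or a crash can leave a partial line; skip rather than abort.
            continue
        eid = ev.get("eventid", "")
        ip = ev.get("src_ip", "")
        if eid == "cowrie.session.connect":
            connections += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            # Both outcomes count as an attempt; success still means a guessed credential.
            login_attempts += 1
            login_ips.add(ip)
            attempts_per_ip[ip] += 1
            passwords[ev.get("password", "")] += 1
            usernames[ev.get("username", "")] += 1
        elif eid == "cowrie.command.input":
            commands[ev.get("input", "")] += 1

    return {
        "ssh_connections": connections,
        "login_attempts": login_attempts,
        "unique_login_ips": len(login_ips),
        "commands_executed": sum(commands.values()),
        "top_passwords": passwords.most_common(5),
        "top_usernames": usernames.most_common(5),
        "top_ips": attempts_per_ip.most_common(5),
        "top_commands": commands.most_common(5),
    }


if __name__ == "__main__":
    for key, value in summarize_cowrie(SAMPLE_COWRIE_LOG).items():
        print(f"{key}: {value}")
```

Pointing this at the real file (by default `var/log/cowrie/cowrie.json` under the Cowrie install) instead of the constructed sample reproduces the headline numbers. Counting successful logins as attempts matters: Cowrie deliberately accepts some credentials, and a “success” is exactly the guess you want in the password ranking.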
Web Scanner Activity
Web scanner activity is noteworthy: 120 requests from 47 IP addresses. The most frequently requested paths were ”/”, “/login”, “/SDK/webLanguage”, “/favicon.ico” and “/og-default.png”. “/” and “/login” are generic discovery requests; “/SDK/webLanguage” is a path associated with Hikvision IP camera web interfaces and signals scanners hunting for exposed IoT devices rather than a generic web application; the remaining two are resources a client fetches once it has loaded a page. The scanning indicates an interest in finding vulnerabilities or misconfigurations, but only the camera path is a targeted probe.
Notable Trends
- Critical Severity: Today’s volume (1350 SSH login attempts from 91 addresses in 24 hours) underscores the need for continuous monitoring; a small number of sources can account for a large share of the attempts, so per-IP counts are the figure to watch.
- Top Attacker IPs: The 10 addresses reported to AbuseIPDB feed a shared reputation database, so other defenders can block them before they reach their own systems.
- Common Passwords: Persistent attempts with “admin”, “123456”, “1234”, “123” and “password” point to automated credential-list tooling rather than targeted, hands-on intrusion attempts.
Community Defense
We have reported the following IPs to relevant security databases:
- AbuseIPDB: 10
- AlienVault OTX: N/A (to be updated)
- Blocklist.de: N/A (to be updated)
- SANS DShield: N/A (to be updated)
By sharing these details, we aim to contribute positively to the cybersecurity community and aid in identifying potential threats.
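Before reporting, it is worth filtering the per-IP counts rather than submitting every address that touched the honeypot. The block below is an added example, not the lab’s reporting code: it takes a constructed per-IP tally (the kind a Cowrie log summary produces), drops addresses below a threshold and anything in the lab’s own or private ranges, and emits a CSV in the shape AbuseIPDB’s bulk-report upload expects (columns IP, Categories, ReportDate, Comment; categories 18 = Brute-Force and 22 = SSH). The column layout and category numbers are taken from AbuseIPDB’s published format as I recall it and should be checked against the current documentation before uploading; the counts and addresses are invented.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Constructed per-IP login-attempt counts (not the lab's real figures).
# Documentation-range addresses are used in place of real attackers.
SAMPLE_ATTEMPTS = {
    "203.0.113.10": 412,
    "198.51.100.7": 37,
    "2001:db8::1": 15,
    "192.0.2.200": 2,        # one-off probe, below the reporting threshold
    "10.0.0.5": 90,          # RFC 1918: lab-internal, must never be reported
    "203.0.113.250": 60,     # our own external scanner, excluded via allowlist
}

# AbuseIPDB category IDs (assumed from their published list): 18 Brute-Force, 22 SSH.
CAT_BRUTE_FORCE = 18
CAT_SSH = 22

# Ranges that must never appear in a public abuse report.
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def select_reportable(attempts, threshold=5, lab_allowlist=()):
    """Return {ip: count} for addresses worth reporting.

    threshold drops one-off probes; lab_allowlist holds the lab's own
    networks (CIDR strings) so a self-scan never ends up on a blocklist.
    In production add `ip.is_global` as a further check; it is omitted here
    only because the constructed sample uses TEST-NET addresses.
    """
    excluded = NEVER_REPORT + [ipaddress.ip_network(n) for n in lab_allowlist]
    selected = {}
    for ip_str, count in attempts.items():
        if count < threshold:
            continue
        ip = ipaddress.ip_address(ip_str)
        # `in` returns False across IPv4/IPv6 versions, so mixed lists are safe.
        if any(ip in net for net in excluded):
            continue
        selected[ip_str] = count
    return selected


def build_abuseipdb_csv(selected, report_date, categories=(CAT_BRUTE_FORCE, CAT_SSH)):
    """Render the selected addresses as an AbuseIPDB bulk-report CSV string."""
    buf = io.StringIO()
    # Always go through the csv module: the comment field is free text and
    # hand-joining would let stray commas or quotes corrupt the upload.
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["IP", "Categories", "ReportDate", "Comment"])
    cats = ",".join(str(c) for c in categories)
    for ip_str, count in sorted(selected.items(), key=lambda kv: -kv[1]):
        # Keep attacker-supplied strings (usernames, passwords) out of the comment.
        comment = f"{count} SSH login attempts against Cowrie honeypot in the last 24h"
        writer.writerow([ip_str, cats, report_date.isoformat(), comment])
    return buf.getvalue()


if __name__ == "__main__":
    chosen = select_reportable(SAMPLE_ATTEMPTS, threshold=5,
                               lab_allowlist=["203.0.113.250/32"])
    print(build_abuseipdb_csv(chosen, datetime(2026, 5, 7, tzinfo=timezone.utc)))
```

The threshold is a judgement call: on a honeypot any login attempt is unsolicited, but requiring a handful of attempts avoids reporting a single mistyped connection or a research scanner, and the allowlist protects your own monitoring hosts.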
Conclusion
As our honeypot lab continues to evolve, it is crucial that we stay vigilant against emerging threats. Today’s data provides useful information on attack patterns, password trends and scanning behaviour. Maintaining a robust security posture and continuously monitoring low-cost sensors such as the Raspberry Pi 5 honeypot helps us keep pace with evolving threats.
Stay tuned for further updates and continued improvements in our threat intelligence capabilities!
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.