Honeypot Threat Analysis — May 9, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
Today’s activity in our Raspberry Pi honeypots reveals a robust yet somewhat predictable threat landscape. The SSH honeypot has seen a steady influx of connections and login attempts: 1832 unique IP addresses connected to it, and 437 commands were executed. This is not surprising, as the honeypot attracts curious users looking for information about secure systems.
The Multi-protocol honeypot generated over 1803 events across various protocols—FTP, Telnet, MySQL, Redis, VNC, and Git. The high number of events indicates a diverse approach by attackers to test different security measures.
The HTTP LLM honeypot has processed only 150 requests but had 51 unique IP addresses involved. This suggests that while the attack volume is smaller than others, it’s focused on probing specific vulnerabilities.
Severity: Critical
Overall, today’s activity demonstrates a critical threat level, with multiple attempts and commands executed, indicating malicious intent.
SSH Brute Force Analysis
The SSH honeypot has been particularly active today. While many connections were from legitimate users, a significant number of login attempts have been detected, totaling 1988. The top used passwords are “123456,” “admin,” “123,” and “password.” Attackers also attempted to execute commands on the honeypot system, with 437 unique IPs involved.
The high number of login attempts combined with the execution of commands suggests that many attackers are testing for vulnerabilities or attempting to gain unauthorized access. This indicates a continued need for strong password policies and secure authentication mechanisms.
Web Scanner Activity
In today’s activity report, we observe an increase in web scanning efforts using multiple protocols like FTP, Telnet, MySQL, Redis, VNC, and Git. The HTTP LLM honeypot has processed 150 requests across various paths:
- “/”: A frequent path indicates that many attackers are simply checking for the presence of services.
- “/login”: This is a common URL used to test login mechanisms on web servers.
- “/SDK/webLanguage”: An unusual path, suggesting an interest in language detection or translations.
- “/sitemap.xml”: Likely targeted by those looking to scan website structures and content.
- “/SQLiteManager/main.php”: Another interesting route for testing database management systems.
This activity underscores the importance of thorough security audits and regular updates on web servers and databases.
Notable Trends
Top Attacker IPs
Top Passwords Tried
- “123456”
- “admin”
- “123”
- “password”
These trends show that the most common passwords being used are simple and easily guessable, highlighting the need for stronger password policies.
Top HTTP Paths Scanned
- “/”: Indicates checking for services.
- “/login”: Commonly tested login paths.
- “/SDK/webLanguage”: An interest in language detection or translations.
- “/sitemap.xml”: Scanning website structures and content.
- “/SQLiteManager/main.php”: Testing database management systems.
This data suggests that attackers are looking for vulnerabilities, whether through brute force attacks on the honeypot or probing common paths on web servers and databases.
Community Defense
The IPSec honeypot has reported 10 unique IP addresses to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. This indicates that our network is receiving warnings from these security services for potential threats originating from this environment.
Rules
- Monitor SSH traffic closely.
- Update passwords frequently.
- Perform regular web server and database audits.
- Stay updated with the latest security patches.
Conclusion
The Raspberry Pi honeypot lab has proven to be a valuable tool in detecting and monitoring threats. The high level of activity today, including brute force attempts, HTTP scanning, and password patterns, underscores the importance of continuous improvement in cybersecurity measures. This data is invaluable for enhancing the security posture of our network and improving defenses against potential attackers.
The honeypot’s infrastructure remains robust, with a mix of active connections from various IP addresses and diverse attack vectors. The community defense efforts reported by AbuseIPDB add another layer of protection, showing that collective vigilance plays a crucial role in cybersecurity.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.