Honeypot Threat Analysis — May 10, 2026
High-intensity attack day with aggressive scanning from 151 unique IPs.
Threat Landscape Overview
As of today’s data update on May 10, our Raspberry Pi 5 honeypot lab is seeing an active threat landscape. The SSH honeypot has seen a surge in activity over the past few days, handling 993 connections and receiving 960 login attempts. Among these, 197 commands have been executed, indicating that attackers are actively probing for vulnerabilities or trying to escalate their access. The SSH honeypot recorded 96 unique IP addresses.
On the other side of our network lies the Multi-Protocol Honeypot (OpenCanary), which has logged 154 events and tracked 9 unique IPs across multiple protocols: FTP, Telnet, MySQL, Redis, VNC, and Git. This indicates that our lab is successfully attracting a diverse range of attackers.
Moving on to the HTTP LLM honeypot, we’ve had 180 requests in total, with 46 IP addresses involved. The HTTP paths scanned include “/”, “/SDK/webLanguage”, “/sitemap.xml”, “/login”, and “www.google.com:443”. This suggests that our system is also being targeted by general web scanning or attempts to exploit known vulnerabilities.
The severity of these activities has been classified as high, highlighting the importance of continuous monitoring. The total unique attackers reported in this timeframe are approximately 151, with a noteworthy trend towards multiple IPs within the top attack list. Top attackers include “176.65.132.129”, “87.251.64.176”, “2.57.122.238”, “192.95.10.220”, and “192.95.10.214”.
The most frequently tried passwords have been “123456”, “admin”, “123”, “12345678”, and “1234”. This shows that attackers are still testing weak passwords, counting on poor password management on exposed hosts.
SSH Brute Force Analysis
In terms of the SSH honeypot, there has been significant activity from brute force attempts. The attack patterns indicate that attackers are using common weak passwords like “123456”, “admin”, and “password”. These types of attacks are often a precursor to more sophisticated hacking methods.
When login attempts fail, it’s notable that many attackers are attempting to execute commands rather than simply logging in. This suggests that the attackers may be attempting unauthorized access or trying to escalate their privileges within the system.
Web Scanner Activity
The web scanner activity against our honeypot is less intense but still of interest. With 46 unique IP addresses, it’s clear that these IPs are scanning various HTTP paths on our platform. The path “/login” appears most frequently among those scanned by attackers, which could indicate a common entry point for unauthorized access.
Notable Trends
One of the most significant trends observed is the high rate of multi-protocol attacks. While SSH and web scanner activity have been steady, the number of unique IPs across multiple protocols suggests that attackers are exploring different attack vectors to find vulnerabilities or test their abilities on our honeypot environment.
Another notable trend is the frequency of weak password attempts. This underscores the importance of strong password policies and regular security audits to prevent unauthorized access.
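As an added example (not the lab's own tooling), the code below shows how metrics like those in this report can be derived from raw honeypot events, and how to tell a deduplicated attacker count apart from a sum of per-sensor counts when the same IP hits several sensors. The event schema, field names and sample addresses are assumptions constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events in a hypothetical normalized schema (one JSON
# object per line); addresses are documentation ranges, not real attackers.
SAMPLE_LOG = """\
{"sensor": "ssh", "src_ip": "192.0.2.10", "event": "login", "password": "123456"}
{"sensor": "ssh", "src_ip": "192.0.2.10", "event": "command", "input": "uname -a"}
{"sensor": "ssh", "src_ip": "198.51.100.7", "event": "login", "password": "123456"}
{"sensor": "http", "src_ip": "198.51.100.7", "event": "request", "path": "/login"}
{"sensor": "http", "src_ip": "203.0.113.5", "event": "request", "path": "/"}
{"sensor": "http", "src_ip": "203.0.113.5", "event": "request", "path": "/login"}
{"sensor": "opencanary", "src_ip": "198.51.100.7", "event": "login", "password": "1234"}
this line is truncated {"sensor":
"""

def summarize(lines, top_n=5):
    """Aggregate honeypot events into per-sensor and cross-sensor metrics."""
    sensors_by_ip = defaultdict(set)   # src_ip -> sensors that saw it
    ips_by_sensor = defaultdict(set)   # sensor -> distinct src_ips
    passwords, paths = Counter(), Counter()
    commands = skipped = 0
    for line in lines:
        try:
            ev = json.loads(line)
            sensor, ip = ev["sensor"], ev["src_ip"]
        except (ValueError, KeyError, TypeError):
            skipped += 1               # malformed or incomplete record
            continue
        sensors_by_ip[ip].add(sensor)
        ips_by_sensor[sensor].add(ip)
        if ev.get("event") == "login" and "password" in ev:
            passwords[ev["password"]] += 1
        elif ev.get("event") == "command":
            commands += 1
        elif ev.get("event") == "request" and "path" in ev:
            paths[ev["path"]] += 1
    per_sensor = {s: len(ips) for s, ips in ips_by_sensor.items()}
    return {
        "unique_ips_per_sensor": per_sensor,
        "sum_of_sensor_counts": sum(per_sensor.values()),  # double-counts overlap
        "unique_ips_total": len(sensors_by_ip),            # deduplicated
        "multi_sensor_ips": sorted(ip for ip, s in sensors_by_ip.items() if len(s) > 1),
        "top_passwords": passwords.most_common(top_n),
        "top_paths": paths.most_common(top_n),
        "commands": commands,
        "skipped_lines": skipped,
    }
```

When `sum_of_sensor_counts` equals `unique_ips_total`, no source address was seen on more than one sensor; any gap between the two is the cross-sensor overlap listed in `multi_sensor_ips`.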
Community Defense
Our lab infrastructure has been shared with several reputable cybersecurity communities, including AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. These partnerships help ensure that our honeypot remains a valuable resource for threat intelligence researchers and analysts worldwide.
Finally, it’s worth noting that the Raspberry Pi 5 hardware we use as part of this lab is open-source, offering flexibility and cost-effectiveness in developing security solutions at scale.
In summary, while our honeypots have faced their share of challenges, they continue to be a vital tool for detecting and mitigating potential threats. With ongoing updates and improvements, the threat landscape remains dynamic, and our approach must remain vigilant and adaptive.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.