Sunday, 26 April 2026 ๐ŸŸ  medium

Daily Threat Report

526 SSH Connections
500 Login Attempts
18 Commands Run
76 SSH Unique IPs
126 Protocol Events
15 Protocol IPs
133 Web Honeypot Hits
43 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 172.23.0.2 BGPโ†—
  2. ๐ŸŒ 87.251.64.176 BGPโ†—
  3. ๐ŸŒ 27.79.41.79 BGPโ†—
  4. ๐ŸŒ 116.110.147.15 BGPโ†—
  5. ๐ŸŒ 193.32.162.145 BGPโ†—

Top Passwords Tried

  1. admin
  2. solana
  3. 123456
  4. 1234
  5. password

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 133 scanner requests from 43 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /sitemap.xml
  3. /og-default.png
  4. /favicon.ico
  5. /.git/config

Top User-Agents

  1. Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
  2. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  3. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 90 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 90 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 90 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 90 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

111111
12345678
123456789
1234567890
1234567890%*()
abc123
admin123
chi1234567890
master
password

๐Ÿ’ป Commands They Tried

uname -a ; echo 'vT'

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 26 de April de 2026. Recorded 526 SSH connections on the Cowrie honeypot and 126 multi-protocol events on OpenCanary, from 91 unique IPs. 90 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 500 login attempts from 76 unique IPs. Attackers executed 18 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 126 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 15 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 133 HTTP requests from real scanners across 43 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’