🔴 high

Daily Threat Report

784 SSH Connections
1,112 Login Attempts
9 Commands Run
77 SSH Unique IPs
362 Protocol Events
24 Protocol IPs
106 Web Honeypot Hits
51 Web Honeypot IPs

Top Passwords Tried

  1. admin
  2. 123456
  3. 1234
  4. password
  5. 12345678

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 106 scanner requests from 51 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /sitemap.xml
  3. /favicon.ico
  4. /.git/config
  5. /zc?action=getInfo

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  2. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
  3. Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
  4. Umai-Scanner/2.0 (+https://umai.entelijan.com/methodology)

# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
→ 172 IPs → AbuseIPDB  (community confidence scores updated)
→ 172 IPs → AlienVault OTX  (pulse indicators added)
→ 172 IPs → Blocklist.de  (auto-ban list updated)
→ 172 IPs → DShield/SANS  (global threat feed updated)

🤣 ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

🔑 Hall of Shame — Passwords

111111
123321z
12345678
123456789
1234567890%*()
1234567890-=
1q2w3e4r
696969
abc123
admin123

💻 Commands They Tried

uname -a

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for April 27, 2026. Recorded 784 SSH connections on the Cowrie honeypot and 362 multi-protocol events on OpenCanary, from 101 unique IPs. 172 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1112 login attempts from 77 unique IPs. Attackers executed 9 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 362 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 24 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 106 HTTP requests from real scanners across 51 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).
