Wednesday, 29 April 2026 ๐Ÿ’€ critical

Daily Threat Report

2,064 SSH Connections
2,906 Login Attempts
359 Commands Run
81 SSH Unique IPs
662 Protocol Events
17 Protocol IPs
76 Web Honeypot Hits
37 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 45.156.87.254 BGPโ†—
  2. ๐ŸŒ 176.65.132.17 BGPโ†—
  3. ๐ŸŒ 87.251.64.176 BGPโ†—
  4. ๐ŸŒ 116.110.219.1 BGPโ†—
  5. ๐ŸŒ 116.110.0.55 BGPโ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. password
  5. 1234

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 76 scanner requests from 37 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /sitemap.xml
  3. /og-default.png
  4. /zc?action=getInfo
  5. /login

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko
  5. compatible
  6. ClaudeBot/1.0
  7. +claudebot@anthropic.com)
  8. vercel-favicon/1.0
  9. Mozilla/5.0 (compatible
  10. Infrawatch/1.0
  11. +https://infrawat.ch/)
  12. Mozilla/5.0 (Windows NT 10.0
  13. Win64
  14. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 17 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 17 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 17 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 17 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
password
abc123
support
qwe123

๐Ÿ’ป Commands They Tried

/bin/./uname -s -v -n -r -m
cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps
echo cat /proc/1/mounts && ls /proc/1/; curl2; ps aux; ps | sh
uname -a
uname -s -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 29 de April de 2026. Recorded 2064 SSH connections on the Cowrie honeypot and 662 multi-protocol events on OpenCanary, from 98 unique IPs. 0 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 2906 login attempts from 81 unique IPs. Attackers executed 359 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 662 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 17 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 76 HTTP requests from real scanners across 37 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’