Tuesday, 5 May 2026 ๐Ÿ’€ critical

Daily Threat Report

1,986 SSH Connections
2,393 Login Attempts
365 Commands Run
88 SSH Unique IPs
4,235 Protocol Events
13 Protocol IPs
85 Web Honeypot Hits
35 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 45.156.87.254 BGPโ†—
  2. ๐ŸŒ 176.65.132.254 BGPโ†—
  3. ๐ŸŒ 87.251.64.176 BGPโ†—
  4. ๐ŸŒ 27.79.44.244 BGPโ†—
  5. ๐ŸŒ 27.79.45.168 BGPโ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. password
  5. 1234

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 85 scanner requests from 35 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /login
  3. /SDK/webLanguage
  4. /favicon.ico
  5. /og-default.png

Top User-Agents

  1. Go-http-client/1.1
  2. Mozilla/5.0 (Windows NT 10.0
  3. Win64
  4. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  5. Mozilla/5.0 (Windows NT 10.0
  6. Win64
  7. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
  8. vercel-favicon/1.0
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 7 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 7 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 7 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 7 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
password
abc123
1qaz@WSX
qwe123

๐Ÿ’ป Commands They Tried

uname -a
uname -a;w
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 7 de May de 2026. Recorded 1986 SSH connections on the Cowrie honeypot and 4235 multi-protocol events on OpenCanary, from 101 unique IPs. 7 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 2393 login attempts from 88 unique IPs. Attackers executed 365 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 4235 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 13 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 85 HTTP requests from real scanners across 35 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’