Wednesday, 6 May 2026 ๐Ÿ”ด high

Daily Threat Report

1,797 SSH Connections
2,251 Login Attempts
355 Commands Run
73 SSH Unique IPs
132 Protocol Events
11 Protocol IPs
35 Web Honeypot Hits
14 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 45.156.87.204 BGPโ†—
  2. ๐ŸŒ 176.65.132.254 BGPโ†—
  3. ๐ŸŒ 87.251.64.176 BGPโ†—
  4. ๐ŸŒ 87.251.64.145 BGPโ†—
  5. ๐ŸŒ 87.251.64.144 BGPโ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. password
  5. 1234

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 35 scanner requests from 14 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /sitemap.xml
  3. /
  4. /login
  5. /json/

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko
  5. compatible
  6. ClaudeBot/1.0
  7. +claudebot@anthropic.com)
  8. Go-http-client/1.1
  9. Mozilla/5.0 (compatible
  10. CensysInspect/1.1
  11. +https://about.censys.io/)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 12 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 12 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 12 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 12 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
password
abc123
1qaz@WSX
qwe123

๐Ÿ’ป Commands They Tried

uname -a
uname -a;w
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 6 de May de 2026. Recorded 1797 SSH connections on the Cowrie honeypot and 132 multi-protocol events on OpenCanary, from 84 unique IPs. 12 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 2251 login attempts from 73 unique IPs. Attackers executed 355 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 132 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 11 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 35 HTTP requests from real scanners across 14 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’