Thursday, 7 May 2026 ๐Ÿ’€ critical

Daily Threat Report

1,396 SSH Connections
1,350 Login Attempts
256 Commands Run
91 SSH Unique IPs
4,223 Protocol Events
11 Protocol IPs
120 Web Honeypot Hits
47 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 45.156.87.254 BGPโ†—
  2. ๐ŸŒ 87.251.64.176 BGPโ†—
  3. ๐ŸŒ 27.79.44.244 BGPโ†—
  4. ๐ŸŒ 27.79.5.15 BGPโ†—
  5. ๐ŸŒ 27.79.46.114 BGPโ†—

Top Passwords Tried

  1. admin
  2. 123456
  3. 1234
  4. 123
  5. password

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 120 scanner requests from 47 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /login
  3. /SDK/webLanguage
  4. /favicon.ico
  5. /og-default.png

Top User-Agents

  1. Go-http-client/1.1
  2. Mozilla/5.0 (Windows NT 10.0
  3. Win64
  4. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  5. Mozilla/5.0 (Macintosh
  6. Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
  7. Mozilla/5.0 (compatible
  8. CensysInspect/1.1
  9. +https://about.censys.io/)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 10 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 10 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 10 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 10 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
password
abc123
ubuntu
admin123

๐Ÿ’ป Commands They Tried

uname -a
uname -a;w
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 7 de May de 2026. Recorded 1396 SSH connections on the Cowrie honeypot and 4223 multi-protocol events on OpenCanary, from 102 unique IPs. 10 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1350 login attempts from 91 unique IPs. Attackers executed 256 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 4223 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 11 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 120 HTTP requests from real scanners across 47 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’