Saturday, 9 May 2026 ๐Ÿ’€ critical

Daily Threat Report

1,832 SSH Connections
1,988 Login Attempts
437 Commands Run
83 SSH Unique IPs
1,803 Protocol Events
10 Protocol IPs
150 Web Honeypot Hits
51 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 45.156.87.99 BGPโ†—
  2. ๐ŸŒ 45.156.87.204 BGPโ†—
  3. ๐ŸŒ 87.251.64.176 BGPโ†—
  4. ๐ŸŒ 192.95.10.214 BGPโ†—
  5. ๐ŸŒ 192.95.10.220 BGPโ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. password
  5. 1234

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 150 scanner requests from 51 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /login
  3. /SDK/webLanguage
  4. /sitemap.xml
  5. /SQLiteManager/main.php

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Go-http-client/1.1
  5. Mozilla/5.0 (Windows NT 5.1
  6. rv:9.0.1) Gecko/20100101 Firefox/9.0.1
  7. Mozilla/5.0 (compatible
  8. CensysInspect/1.1
  9. +https://about.censys.io/)
  10. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko
  11. compatible
  12. ClaudeBot/1.0
  13. +claudebot@anthropic.com)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 10 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 10 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 10 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 10 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
password
1qaz@WSX
abc123
ubuntu

๐Ÿ’ป Commands They Tried

/bin/./uname -s -v -n -r -m
uname -a
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 9 de May de 2026. Recorded 1832 SSH connections on the Cowrie honeypot and 1803 multi-protocol events on OpenCanary, from 93 unique IPs. 10 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 1988 login attempts from 83 unique IPs. Attackers executed 437 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 1803 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 10 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 150 HTTP requests from real scanners across 51 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’