Wednesday, 13 May 2026 ๐Ÿ’€ critical

Daily Threat Report

814 SSH Connections
632 Login Attempts
104 Commands Run
62 SSH Unique IPs
1,040 Protocol Events
15 Protocol IPs
71 Web Honeypot Hits
29 Web Honeypot IPs

Top Attacker IPs

  1. ๐ŸŒ 176.65.132.17 BGPโ†—
  2. ๐ŸŒ 221.163.62.81 BGPโ†—
  3. ๐ŸŒ 87.251.64.176 BGPโ†—
  4. ๐ŸŒ 80.94.92.182 BGPโ†—
  5. ๐ŸŒ 80.94.92.184 BGPโ†—

Top Passwords Tried

  1. admin
  2. 123456
  3. 123
  4. solana
  5. qwer1234

๐ŸŒ WEB HONEYPOT โ€” Galah LLM

AI-generated fake HTTP responses served to 71 scanner requests from 29 unique IPs. Model: qwen2.5:0.5b (local, offline).

Top Paths Probed

  1. /
  2. /login
  3. /favicon.ico
  4. /SDK/webLanguage
  5. /zc?action=getInfo

Top User-Agents

  1. Mozilla/5.0 (Windows NT 10.0
  2. Win64
  3. x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46
  4. Go-http-client/1.1
  5. Mozilla/5.0
  6. Mozilla/5.0 (compatible
  7. Infrawatch/1.0
  8. +https://infrawat.ch/)
# Automatic multi-platform threat intel reporting
$ honeypot-report.sh --since 24h
โ†’ 15 IPs โ†’ AbuseIPDB  (community confidence scores updated)
โ†’ 15 IPs โ†’ AlienVault OTX  (pulse indicators added)
โ†’ 15 IPs โ†’ Blocklist.de  (auto-ban list updated)
โ†’ 15 IPs โ†’ DShield/SANS  (global threat feed updated)

๐Ÿคฃ ATTACKER COMEDY CORNER

Real attempts. No actors were harmed in the making of this honeypot.

๐Ÿ”‘ Hall of Shame โ€” Passwords

admin
solana
qwer1234
ubuntu
validator

๐Ÿ’ป Commands They Tried

/bin/./uname -s -v -n -r -m
uname -a
uname -s -m
uname -s -v -n -r -m

These are real credentials and commands attempted by automated scanners and script kiddies. Logged, reported, and immortalized.

Automated report for 13 de May de 2026. Recorded 814 SSH connections on the Cowrie honeypot and 1040 multi-protocol events on OpenCanary, from 77 unique IPs. 15 IPs were automatically reported to the AbuseIPDB community database.

SSH Activity (Cowrie)

The SSH honeypot received 632 login attempts from 62 unique IPs. Attackers executed 104 commands after gaining simulated system access.

Multi-Protocol Activity (OpenCanary)

Detected 1040 events across services including FTP, Telnet, MySQL, Redis, VNC and Git from 15 distinct IPs. All events are access attempts against simulated production services.

HTTP Web Honeypot (Galah LLM)

The web honeypot received 71 HTTP requests from real scanners across 29 unique IPs. Each attacker received a fake response generated in real time by the local AI model qwen2.5:0.5b (Ollama, no internet connection required).

Network IDS (Suricata)

The network intrusion detection system generated 22918 alerts from 629 unique source IPs. Suricata monitors all traffic on the primary network interface using Emerging Threats + AlienVault OTX rulesets.

โ† All Reports ๐Ÿ›ก๏ธ Subscribe to blocklists โ†’