Honeypot Threat Report

Generated 2026-07-13 15:57 UTC

Summary

36920Total events
68Failed logins
2905Breaches
8129Commands
389Unique IPs
7Protocols hit
12Top level

Protocol coverage

ProtocolSensorEventsUnique IPsMax level
sshcowrie2978513312
mysqldionaea4877588
httpwebtrap150711310
smbdionaea608388
mssqldionaea70377
ftpdionaea67429
unknowndionaea6010

Alerts raised

RuleDescriptionLevelMITREHits
100106SSH tunneling attempt12T1572179
100150Honeypot breach — weak credential accepted10T10782905
100104Suspicious network command (wget/curl/nc)10T1105602
100305Web exploit / traversal attempt10T1190511
100208Known Windows exploit attempt10T12106
100211FTP file transfer on honeypot9T11051
100103Command executed in session8T10597526
100210Aggressive scanning (>=10 conns / 120s)8T104682
100306Aggressive web scanning (many requests / 60s)8T159510
100107Brute-force attack (>=5 fails / 60s)8T11103
100217FTP brute-force attack (>=5 logins / 60s)8T11101
100209MSSQL database service scan7T10464896
100102Honeypot session established7T10783097
100304Automated scanner / attack tool detected7T159589
100111Login attempt with default account7T107849
100303Credentials submitted to decoy login7T11104
100112SSH client detected (possible scan)6T10463015
100302Sensitive path / admin panel probed6T1595372
100206Inbound FTP connection6T104653
100216FTP credential captured6T11108
100108Password captured on failed login6T11103
100201Inbound SMB connection (probe)5T1046577
100301HTTP request to decoy web server3T1595521

Top source IPs

IPCountryOrgEventsAbuse
45.153.34.165The NetherlandsVMHeaven.io6084
45.156.87.34The NetherlandsVMHeaven.io6078
213.209.159.115GermanyFeo Prest SRL4436
91.92.42.52The Netherlands4004
195.178.110.227AndorraTechoff SRV Limited2075
2.57.122.150The NetherlandsTechoff SRV Limited1765
92.118.39.49United StatesPptechnology Limited1675
80.94.92.55The NetherlandsTechoff SRV Limited1231
195.178.110.217AndorraTechoff SRV Limited1197
45.148.10.18The NetherlandsTechoff SRV Limited1106

Top credentials tried

UsernamePasswordAttempts
adminadmin57
user123442
root1234518
root123417
root12345617
rootadmin17
rootpassword17
root1234567815
root11111114
root12312314

Top commands

CommandCount
uname -s -v -n -r -m2017
uname -s -v -n -m 2 > /dev/null602
head -1 /proc/version | cut -d -f1 )602
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null || /bin/uname -s -v -n -m 2>/dev/null || /usr/bin/uname -s -v -n -m 2>/dev/null || busybox uname -s -v -n -m 2>/dev/null || ( [ -f /proc/version ] && head -1 /proc/version | cut -d' ' -f1 ) || ( [ -f /etc/os-release ] && grep '^ID=' /etc/os-release | cut -d= -f2 | tr -d '"' ) || echo ""); arch=$(uname -m 2>/dev/null || /bin/uname -m 2>/dev/null || /usr/bin/uname -m 2>/dev/null || busybox uname -m 2>/dev/null || ( [ -f /proc/cpuinfo ] && grep -q "lm" /proc/cpuinfo && echo x86_64 ) || ( [ -f /proc/cpuinfo ] && grep -q "CPU architecture: 8" /proc/cpuinfo && echo aarch64 ) || ( [ -f /proc/cpuinfo ] && grep -q "CPU architecture: 7" /proc/cpuinfo && echo armv7l ) || echo ""); uptime=$(cat /proc/uptime 2>/dev/null || busybox cat /proc/uptime 2>/dev/null); cpus=$(nproc 2>/dev/null || /usr/bin/nproc 2>/dev/null || busybox nproc 2>/dev/null || grep -c "^processor" /proc/cpuinfo 2>/dev/null); cpu_model=$( { lscpu 2>/dev/null | awk -F: '/Model name/ {print $2}'; grep -m1 -E "^model name" /proc/cpuinfo 2>/dev/null | cut -d: -f2-; grep -m1 -E "^Hardware" /proc/cpuinfo 2>/dev/null | cut -d: -f2-; cat /proc/device-tree/model 2>/dev/null; } | sed '/^$/d; /unknown/d; s/^[[:space:]]*//; s/[[:space:]]*$//; s/ AArch64 Processor$//; s/ Processor$//; s/ CPU$//' | head -1 ); gpu_info=$( (lspci 2>/dev/null | grep -i vga; lspci 2>/dev/null | grep -i nvidia; busybox lspci 2>/dev/null | grep -i vga; busybox lspci 2>/dev/null | grep -i nvidia) 2>/dev/null ); last_output=$(last 2>/dev/null); filter_output=$( ( export LANG=C LC_ALL=C; echo '===SHELL_BEHAVIOR==='; printf 'path_err='; ( ./xxxxxx 2>&1 || true ) | ( head -c 250 2>/dev/null || busybox head -c 250 2>/dev/null || dd bs=250 count=1 2>/dev/null ) | ( tr -d '\n' 2>/dev/null || busybox tr -d '\n' 2>/dev/null || cat ); printf '\n'; printf 'cmd_err='; ( xxxxxx 2>&1 || true ) | ( head -c 250 2>/dev/null || busybox head -c 250 2>/dev/null || dd bs=250 count=1 2>/dev/null ) | ( tr -d '\n' 2>/dev/null || busybox tr -d '\n' 2>/dev/null || cat ); printf '\n'; printf 'execute_err='; out=$(bash -c 'printf "#!/bin/bash\necho \"xxxxxx\"\n" > filter && chmod +x filter && ./filter && rm -rf filter' 2>&1); case "$out" in *xxxxxx*) ;; *) out=$(/bin/bash -c 'printf "#!/bin/bash\necho \"xxxxxx\"\n" > filter && chmod +x filter && ./filter && rm -rf filter' 2>&1); case "$out" in *xxxxxx*) ;; *) out=$(/usr/bin/bash -c 'printf "#!/bin/bash\necho \"xxxxxx\"\n" > filter && chmod +x filter && ./filter && rm -rf filter' 2>&1); case "$out" in *xxxxxx*) ;; *) out=$(busybox sh -c 'printf "#!/bin/sh\necho \"xxxxxx\"\n" > filter && chmod +x filter && ./filter && rm -rf filter' 2>&1 || sh -c 'printf "#!/bin/sh\necho \"xxxxxx\"\n" > filter && chmod +x filter && ./filter && rm -rf filter' 2>&1); esac; esac; esac; printf '%s' "$out" | ( head -c 250 2>/dev/null || busybox head -c 250 2>/dev/null || dd bs=250 count=1 2>/dev/null ) | ( tr -d '\n' 2>/dev/null || busybox tr -d '\n' 2>/dev/null || cat ); printf '\n'; echo '===DONE===' ) 2>&1 ); echo "UNAME:$uname"; echo "ARCH:$arch"; echo "UPTIME:$uptime"; echo "CPUS:$cpus"; echo "CPU_MODEL:$cpu_model"; echo "GPU:$gpu_info"; echo "LAST:$last_output"; echo "FILTER:$filter_output"602
busybox uname -s -v -n -m 2 > /dev/null602
[ -f /proc/version ]602
[ -f /etc/os-release ]602
/usr/bin/uname -s -v -n -m 2 > /dev/null602
/bin/uname -s -v -n -m 2 > /dev/null602
( [ -f /proc/version ]602
Multi-protocol Honeypot & Real-Time Threat Analytics — automated report.