Honeypot Data
Real attack data captured by our distributed sensor network. Raw observations, payload analysis, and threat intelligence from honeypots running across multiple deployment sites.
CVE-2026-0300 PAN-OS Captive Portal — the rondo-class kit and an OPSEC upgrade to Tor
PA disclosed a buffer-overflow in the User-ID Captive Portal on 2026-05-06. The 53-day hunt has tracked three distinct PoC kits (qassam-315, cl2120-third-variant, rondo-shellcode CL=2271) across multiple operator IPs. Latest event: 2026-05-30 morning, the CL=2271 rondo-class kit returned through four Tor exit IPs with three unique body sha256s — same backend operator multiplexing the same forged payloads across multiple Tor circuits. Filestore prune fix from 2026-05-28 held; all 6 bodies preserved.
CVE-2026-0257 PAN-OS GlobalProtect — Forged Auth-Override Cookies
PAN-OS GlobalProtect’s auth-override feature decrypts re-auth cookies without checking a signature. Anyone with the public key (which is just the TLS certificate) can forge a valid cookie and land as any user. Patched 2026-05-13, exploited in the wild from 2026-05-17, added to CISA KEV 2026-05-29. Our coverage: three Suricata signatures (9026330-9026332) plus a PA-honeypot classifier that extracts the smoking-gun portal-(prelogon)userauthcookie form field.
CVE-2026-23918 Apache mod_http2 — A Double-Free and an Honest Server Header
Apache 2.4.66’s mod_http2 double-frees worker memory when an HTTP/2 stream is opened with HEADERS and immediately reset — one TLS connection per crashed worker. Day-0 coverage: our HTTP honeypot now advertises Server: Apache/2.4.66 (Ubuntu) mod_http2/2.0.32 + Upgrade: h2,h2c so the public dork intext:"Apache/2.4.66" "HTTP/2" finds us. Four Suricata signatures (9026500–9026503) target the recon shape: cleartext h2c upgrade attempts, HEAD/GET / bursts, and the python h2-library UA family.
CVE-2026-42945 NGINX Rift — A Heap Overflow and Three Layers of Detection
A heap overflow in nginx’s rewrite module — long runs of +/%2B in a /api/(.*) URI smash the pool-cleanup buffer; a heap-spray POST body turns the crash into unauth remote root. We shipped preemptive coverage on day 0: a TLS/8443 honeypot with per-sensor unique certs and a fake-crash oracle, four Suricata signatures targeting the structural shape of the overflow trigger and the spray body, and 4 KB eBPF payload capture on the same port. Day 1 has zero exploit-shape firings — plenty of recon noise, no actual depthfirst-style attempts yet.
Kubernetes Under Siege — 13,798 Probes Across 9 K8s Ports in 7 Days
13,798 hits from 1,072 unique source IPs against a single-node K8s 1.26 honeypot. etcd leads with 4,453 / 105 sources; apiserver 6443 a close second (3,885 / 187); kubelet 10250 with command-execution probes (3,455 / 141). The Oracle-cloud 66.132/16 cluster shows up here, in the PAN-OS hunt, and on the NGINX Rift honeypot — same operator, three surfaces.
Attacking AI — 120 Prompts From 16 Unique Sources In 30 Days
Our OpenAI-compatible LLM honeypot (model nexova-assistant-v2) logged 120 prompts across 19 sessions in 30 days. OWASP LLM Top 10 distribution: 67% LLM03 (Training Data Poisoning), 26% BENIGN, 3.3% LLM02 (Sensitive Info Disclosure), 2.5% LLM05 (Output Handling), 0.8% LLM01 (Prompt Injection). 60% of attack traffic from two sources.
ICS/OT Under Siege — What 7 Industrial Protocols Tell You About Who’s Knocking
Seven ICS/OT honeypots ranked by traffic: Siemens S7comm 499, Modbus 227, IEC 60870-5-104 160, EtherNet/IP 128, OPC UA 100, DNP3 11, BACnet 6 (application-layer hits, sensor1, 7 days). Zero write attempts, zero breaker-flip commands — everything we saw was enumeration with intent, not action. Per-protocol PDU shape analysis inside.
Brute Force & Credential Attacks — 3.4 Million Auth-Relevant Events in 7 Days
Fleet-wide protocol leaderboard: SMTP 1.77M, RDP 996K, Telnet 510K, SSH 56K, ADB 11.5K, Redis 6.8K, VNC 6.3K, Memcached 3.2K. Per-sensor character (DEV is SMTP-heavy, PROD is the AD honeypot, slim is the public-IP scanner attractor). What we keep, what we throw away — selectivity that turns 50M monthly events into a 200K archive without losing what matters.
Palo Alto Honeypot — How Fast Do Attackers Find Your Firewall?
79 unique IPs probed our PAN-OS honeypot within 4 days. Management WebUI, GlobalProtect VPN, XML API, SSH CLI, and captive portal — every service got discovered. 780 SSH credential attempts, API key generation probes, and reconnaissance patterns across 5 monitored CVEs.
Known Vulnerabilities Exploited in the Wild — What Actually Hit Our Sensors This Month
The CVE-mapped subset of ~50M monthly events. Top of the leaderboard: CVE-2024-21762 FortiOS (still actively probed 16 months after disclosure), EternalBlue (~1,200 SMB hits), Log4Shell (~150 inbound JNDI payloads), Mirai/IoT (~510K Telnet). Three active hunts on the bottom: CVE-2026-0300, CVE-2026-42945, CVE-2026-23918.
FortiGate Honeypot — What Attackers Do When They Find a FortiOS Admin Surface
36 high-quality application-layer hits in 7 days: 22 banner-grabs, 8 CVE-2024-21762 path-pair probes, 2 CVE-2022-42475 path traversals (with the doubled-slash modern variant), 2 cross-vector /php/login.php from the rondo actor. Plus a Server-header anti-fingerprint fix story (nginx → xxxxxxxx-xxxxx).
What Happens When You Expose a Service to the Internet
This blog has been live for 4 days. 226 unique IPs, 1,941 requests. Only 34% legitimate. The rest? PHPUnit exploits, .env harvesters, webshell spray, Apache path traversal, Exchange ProxyShell, and SSH handshakes on our HTTPS port.