diff --git a/dionaea/log_wardenfiler.py b/dionaea/log_wardenfiler.py
index bd60dd3cc8580866e2a5ec435c845475e6f0078f..a4048698ee3618b5d1e221eb047183533a36e5b3 100644
--- a/dionaea/log_wardenfiler.py
+++ b/dionaea/log_wardenfiler.py
@@ -247,12 +247,14 @@ class LogWardenfilerHandler(ihandler):
 event["Attach"].append(attach)
 else:
 # login without password or similar thing
- event["Category"].append("Intrusion.UserCompromise")
- event["Note"] = "Failed login attempt"
+ event["Category"].append("Recon.Scanning")
+ event["Note"] = "Connection"
 if len(s["cmds"]):
- event["Category"].append("Attempt.Exploit")
- event["Note"] += " with unauthorized command input"
+ # consider this an exploit only if there was a login attempt
+ if len(s["creds"]):
+ event["Category"].append("Attempt.Exploit")
+ event["Note"] += " with command input"
 idata = "\n".join(str(c) for c in s["cmds"])
 plain = all(c in string.printable for c in idata)
 eidata = idata if plain else b64encode(idata.encode()).decode()
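Review bot: A session that sent commands but never attempted a login now keeps `event["Note"] = "Connection"` although its command input is still attached as idata a few lines below, so the note no longer describes what the attachment holds; gate only the category on the credential check and keep the note update at the outer level, i.e. `if len(s["creds"]): event["Category"].append("Attempt.Exploit")` followed by an unconditional `event["Note"] += " with command input"`. The reasoning behind dropping Intrusion.UserCompromise for the passwordless case lives only in the commit, so a comment on the else branch such as `# no usable credentials: report as scanning rather than a compromise attempt` would help the next reader of this handler. Whether `s["creds"]` is always present on the session dict is not visible in this hunk; it mirrors the existing `s["cmds"]` access, so presumably the caller guarantees both keys. The enclosing method starts and ends outside the hunk.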