My honeypots are sending out complaints on every single successful login.
Recently I saw the following logged entry in the complaint:
echo -en “\\x31\\x33\\x33\\x37”
cat /bin/ls
Now neither kippo nor cowrie as sshd-honeypots have the file “/bin/ls” which could be looked at, so a ‘cat /bin/ls’ just result in a :
‘cat: /bin/ls: No such file or directory’
So this seems to be an easy and reliable way to test for a standard sshd-honeypot..
No wonder that \\x31\\x33\\x33\\x37 just translates to “1337”, which I interpret as a smiley left by the hacker ..