Honeypot detection

My honeypots are sending out complaints on every single successful login.

Recently I saw the following logged entry in the complaint:

echo -en "\\x31\\x33\\x33\\x37"
cat /bin/ls

Neither kippo nor cowrie, as sshd honeypots, has a file “/bin/ls” that can actually be read, so a ‘cat /bin/ls’ just results in:

‘cat: /bin/ls: No such file or directory’

So this seems to be an easy and reliable way to test for a standard sshd honeypot.
No surprise that \\x31\\x33\\x33\\x37 simply decodes to “1337”, which I interpret as a smiley left by the hacker.
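To see how often this fingerprinting probe shows up in a honeypot's own logs, the following added example (not part of the original post) scans command events and reports sessions that echo a hex-escaped marker and also cat a system binary. The field names (eventid, session, input) assume Cowrie's JSON log layout, and the sample events are constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample events; field names assume Cowrie's JSON log layout.
SAMPLE_EVENTS = [
    {"eventid": "cowrie.command.input", "session": "a1", "input": r'echo -en "\\x31\\x33\\x33\\x37"'},
    {"eventid": "cowrie.command.input", "session": "a1", "input": "cat /bin/ls"},
    {"eventid": "cowrie.command.input", "session": "b2", "input": "uname -a"},
    {"eventid": "cowrie.command.input", "session": "b2", "input": "cat /etc/passwd"},
    {"eventid": "cowrie.login.success", "session": "c3", "username": "root"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

HEX_ESC = re.compile(r"\\+x([0-9a-fA-F]{2})")
ECHO_HEX = re.compile(r"^\s*echo\s+-\w*e\w*\s+(.*\\+x[0-9a-fA-F]{2}.*)$")
CAT_BINARY = re.compile(r"^\s*cat\s+((?:/usr)?/s?bin/\S+)")


def decode_hex_escapes(text):
    """Turn \\xHH (single or doubled backslash, as logged) into characters."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text).strip("\"'")


def find_probes(log_lines):
    """Return sessions that both echo a hex marker and cat a system binary."""
    markers, binaries = defaultdict(list), defaultdict(list)
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if event.get("eventid") != "cowrie.command.input":
            continue
        sid = event.get("session")
        # Naive split so "echo ...; cat /bin/ls" on one line is also caught.
        for cmd in re.split(r";|&&", event.get("input", "")):
            if (m := ECHO_HEX.match(cmd)):
                markers[sid].append(decode_hex_escapes(m.group(1)))
            elif (m := CAT_BINARY.match(cmd)):
                binaries[sid].append(m.group(1))
    return {sid: {"markers": markers[sid], "binaries": binaries[sid]}
            for sid in markers if sid in binaries}


if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))
```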
