Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots, (Thu, Jul 11th)

Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like “uname -a” to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.

Article Link: Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots - SANS Internet Storm Center