Analyzed session

Session ID: ef742862

Source IP: 129.154.[REDACTED].251

User: root

Timestamp: 2026-06-12T08:16:39Z

SSH client: SSH-2.0-PuTTY_Release_0.83 — the only non-Go in sessions with extensive commands

The full sequence

Session ef742862 arrived with root credentials and, once authenticated, ran exactly seven commands. None of them downloaded software, none established persistence, none exfiltrated data. All seven commands have a single purpose: to remove evidence of access.

root@host:~#journalctl --vacuum-size=1K
root@host:~#cat /dev/null > /var/log/wtmp
root@host:~#cat /dev/null > /var/log/btmp
root@host:~#cat /dev/null > /var/log/lastlog
root@host:~#cat /dev/null > /var/log/secure
root@host:~#history -c
root@host:~#history -w

What each command erases

The sequence is methodical. It covers the main forensic evidence vectors of an SSH intrusion:

CommandWhat it removes
journalctl --vacuum-size=1KTruncates the systemd journal to 1 KB, removing practically all system logs
cat /dev/null > /var/log/wtmpEmpties the user session log (used by last)
cat /dev/null > /var/log/btmpEmpties the failed login attempts log (used by lastb)
cat /dev/null > /var/log/lastlogEmpties each user's last-login log
cat /dev/null > /var/log/secureEmpties the SSH authentication log (on Red Hat/CentOS systems; equivalent to auth.log on Debian)
history -cClears the command history of the current bash session
history -wForces the history to be written to disk — in this case, writes an empty history over .bash_history

What it failed to erase

Here's the part that matters for defenders: the sequence is effective on systems without centralized logging, but fails in every environment with a SIEM or log shipper.

Detection rule

The sequence cat /dev/null > /var/log/wtmp followed by history -c && history -w is a highly specific signature of anti-forensics behavior. Any SIEM that logs command executions can alert on it.

Sigma rule: cmdline contains "cat /dev/null > /var/log" AND cmdline contains "history -c"

The PuTTY client as an anomaly

Another interesting indicator: while 99.5% of connections used SSH-2.0-Go, this session used SSH-2.0-PuTTY_Release_0.83. This suggests it could be a human operator (PuTTY is a GUI tool for Windows) rather than the main campaign's automated scanner. If so, there are two distinct actors: the automated Go scanner and at least one human operator who manually follows up on the accesses the scanner obtains.

Conclusion: silence is a signal too

In forensic analysis, the absence of logs is an indicator of compromise just as valid as their presence. If your authentication logs suddenly appear truncated or empty, it's not that "nothing happened" — it's that someone was there and erased them.

The defense is simple: never rely on local logs alone. If your authentication logs live solely on the disk of the compromised server, an attacker with root access can erase them in seven commands, in under ten seconds.

Data collected for cybersecurity research purposes. All information comes from unsolicited activity logged on our own infrastructure.

Data source
honeypot CipherSentry · session ef742862 · 2026-06-12T08:16:39Z
← All articles