143.337
SSH sessions (8 days)
3.399
Silent probes
2,4%
Of all sessions
800
Unique attacking IPs

The signature is the absence

3,399 sessions did something very specific: authenticate and hang up. Not a single ls, not a wget, not one line. That's 2.4% of the traffic — a minority, but with a clear intent. Unlike an intrusion, which leaves a trail (commands, downloads, files), the probe leaves exactly the opposite: a successful authentication followed by nothing.

That stillness is the signal. In your logs it doesn't look like an attack: it looks like a user who logged in and left. That's why it goes unnoticed, and why it's worth hunting before the validated credential is actually used.

Which credentials they try: the clue is crypto

Here's the interesting part. Looking at ALL of the honeypot traffic (not just the silent probes), the most-tried username/password pairs aren't generic: they point to Solana infrastructure.

Most-tried username / password pairs (entire honeypot)

solana / solana (2.930) · sol / sol (2.879) · solv / 123456 (2.322) · ubuntu / ubuntu (2.210) · sol / 123 (2.045)

Four of the five most-tried pairs are service accounts on the Solana network (sol, solana, solv): validators and nodes. This isn't generic brute force; it's a campaign that hunts crypto machines by name.

The rest of the noise: GPU hunting

The sessions that do run commands tell the other half of the story: the three most-used commands are uname (49.4%), lspci (20.2%) and nvidia-smi (12.4%). It's hardware reconnaissance — the attacker checks whether the machine has a GPU before deciding what to do with it. The silent probe and the GPU hunt could be two faces of the same operation: validating access and cataloguing crypto targets.

Validate today to use tomorrow? An honest hypothesis

What the theory says

The usual explanation for probing is credential validation for deferred use: one node confirms which pairs work and another, later and from a different IP, exploits them. Splitting the two tasks makes correlation harder and keeps the probe "harmless".

In all honesty: we present it as a hypothesis consistent with known botnet tactics. We're adding our own metric to measure how many of the probing IPs later come back to run commands; until it's consolidated, we don't claim the full chain as fact.

How to hunt it

Hunting a probe is easier than hunting an intrusion, precisely because its signature is inactivity:

See it on your own dashboard

This isn't abstract theory: it's what you'd see on the CipherSentry dashboard with your own nodes — every probe, every credential tried and every origin, in real time.

CipherSentry · Inteligencia de amenazas ● en vivo 143.337SESIONES SSH 3.399SONDEOS SILENCIOSOS · 2,4% 800IPS ATACANTES Credenciales más probadas campaña Solana solana / solana2.930 sol / sol 2.879 solv / 123456 2.322 ubuntu / ubuntu2.210 sol / 123 2.045
Illustrative view of the CipherSentry dashboard · real honeypot figures (snapshot 2026-06-19 18:54 UTC).
Want to see this with your own servers?
Deploy an open source sensor in 2 minutes and start capturing your own attacks.
See the product →

What your logs aren't telling you

The most uncomfortable thing about this pattern is that it doesn't look like an attack. You won't see an "intrusion": you'll see a "successful authentication". If that credential is validated today, the day someone uses it they'll come in looking legitimate. Hunt the probe —the session that comes in and leaves without doing anything— instead of waiting for the noisy phase: by then, it won't look like an attack anymore.

Data collected for cybersecurity research purposes. Figures taken from the KPIs of the CipherSentry SSH honeypot in production (window 2026-06-11 to 2026-06-19). All information comes from unsolicited activity recorded on our own infrastructure.

Data source
KPIs of the CipherSentry SSH honeypot · window 2026-06-11 to 2026-06-19
← All articles