Total SSH sessions: 90.596 · Attacker IPs: 431 · passwd attempts: 21

The command that gives away the intent

Some commands change meaning depending on who runs them. passwd in the hands of an administrator is routine. In the hands of a freshly authenticated attacker, it is a statement: I did not come to steal data, I came to stay. The difference between reconnaissance and persistence fits in three commands.

# Typical session sequence with a passwd attempt
$ uname -a
$ id
$ passwd

The uname and the id are last-second reconnaissance — confirming that the server is Linux and that root access is in hand. Then, straight away, passwd. No exploration, no downloads, no exfiltration commands. The script is short because the goal is simple.

Why it is more dangerous than installing malware

The technical detail that makes it hard to detect: passwd writes no file in unusual paths, opens no network ports, creates no new processes. Malware scanners look for artifacts — suspicious binaries, crontab entries, installed services. A password change leaves none of those traces.

What the honeypot saw — and the attacker did not

Result in the honeypot

The honeypot accepts the passwd as normal: it shows the change prompt, the attacker enters the new password, and receives confirmation. Everything appears to work.

The change is logged — but it does not persist on the real system. The honeypot returns confirmation to the attacker; in the next session, the original credentials are still valid. The signature stays in the log, not in the system.

Detection

The signals are clear. The problem is that they require active logging — most servers do not alert on passwd executions by default.

The only defense that covers every variant — passwd, chpasswd, usermod -p — is to monitor the file directly. Two lines of auditd on Debian/Ubuntu:

# Add to /etc/audit/rules.d/passwd.rules
-w /etc/shadow -p wa -k passwd_change
-w /etc/passwd -p wa -k passwd_change
# Apply without rebooting:
$ augenrules --load
# Find the event in the log:
$ ausearch -k passwd_change -i | tail -20

This rule logs any modification of the password files regardless of the method used. It does not matter whether the attacker used interactive passwd, chpasswd from a script, or usermod: if it touched /etc/shadow, auditd saw it. Expect the same key to fire on legitimate changes as well (routine password rotations, package installs that add system users), so treat it as a detection source to correlate with the session, not as an alarm by itself.
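To show what the rule's output looks like once it fires, here is an added Python example (not part of the original article or of CipherSentry's tooling) that parses raw audit.log records carrying the passwd_change key, correlates each event's SYSCALL and PATH records by serial number, and reports which tool touched /etc/shadow. The log lines are constructed samples, not honeypot data.

```python
import re
from collections import defaultdict

# Constructed sample of raw /var/log/audit/audit.log records (not real honeypot data).
# Three password changes made with different tools share the key set by the watch rule;
# the last record carries a different key and must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1719480001.512:301): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=2101 pid=2102 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="passwd" exe="/usr/bin/passwd" key="passwd_change"
type=PATH msg=audit(1719480001.512:301): item=0 name="/etc/" nametype=PARENT
type=PATH msg=audit(1719480001.512:301): item=1 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1719480050.004:318): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2200 pid=2201 auid=1000 uid=0 gid=0 euid=0 tty=(none) ses=4 comm="chpasswd" exe="/usr/sbin/chpasswd" key="passwd_change"
type=PATH msg=audit(1719480050.004:318): item=1 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1719480120.777:340): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2300 pid=2301 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=5 comm="usermod" exe="/usr/sbin/usermod" key="passwd_change"
type=PATH msg=audit(1719480120.777:340): item=1 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1719480200.100:355): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2400 pid=2401 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="other_rule"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp and event serial

def parse_record(line):
    """Split one raw audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    fields["_ts"], fields["_serial"] = m.group(1), m.group(2)
    return fields

def password_file_changes(log_text, key="passwd_change"):
    """Group records by serial and return one summary per event tagged with `key`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    out = []
    for serial, recs in events.items():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sysc or sysc.get("key") != key:
            continue
        out.append({
            "serial": serial, "ts": float(sysc["_ts"]),
            "auid": sysc["auid"], "uid": sysc["uid"],   # login user vs. effective user
            "comm": sysc["comm"], "exe": sysc["exe"], "tty": sysc["tty"], "ses": sysc["ses"],
            "paths": [r["name"] for r in recs
                      if r["type"] == "PATH" and r.get("nametype") != "PARENT"],
        })
    return out

if __name__ == "__main__":
    for ev in password_file_changes(SAMPLE_LOG):
        print(f"{ev['ts']:.3f} ses={ev['ses']} auid={ev['auid']} {ev['comm']} -> {ev['paths']}")
```

The auid field (the user who logged in) and ses (the audit session) are what tie the write to the SSH session that ran uname, id and passwd; comm shows that passwd, chpasswd and usermod all land under the same key.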

The passwd command leaves no binaries. It opens no ports. It installs no services. What it leaves is silence — and silence, in cybersecurity, is the hardest signal to detect. The difference between a compromised system and a clean one fits in a single field of /etc/shadow. That field has no alarm by default. Now it can have one.

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

About the author
Pablo Cortés
Head of Research · CipherSentry. Analyzes real attack patterns captured by the SSH honeypot. Specialized in coordinated campaigns, persistence TTPs, and malware classification.
Data source
CipherSentry SSH honeypot · 2026-06-26 to 2026-06-28