Dashboard summary for this session: 11 commands · 5 ways to install neofetch · 368 KB binary downloaded · threat level: critical. Corpus totals: 268,155 sessions captured · 1,169 unique IPs · 368 KB binary captured in this session.
Illustrative view of the CipherSentry dashboard · figures from the full historical corpus of the honeypot (accumulated as of the article's date; the live counter on the homepage reflects recent traffic).

It wasn't a bot: it was a person

The clue is in the SSH client. Most of the attacks we see come from automated libraries that announce themselves. This session arrived from Bitvise SSH Client (Tunnelier) 9.61 — a graphical Windows client. There was someone behind the keyboard.

They logged in as root with the password admin123. A weak credential, tried by hand, that worked against the decoy. And what they did next looks nothing like a script: it looks like a person poking around.

First, the reconnaissance

The first command was a burst of system reconnaissance on a single line: which kernel and distro, what CPU, how much RAM, how much disk, how long it's been up:

uname -a && cat /etc/os-release && lscpu | grep "Model name" && free -h && df -h && uptime

So far, normal. Reconnaissance is the first step of almost any intrusion. The interesting part is what came next: instead of installing a miner, a bot or a backdoor, our visitor wanted something far more vain.

Five attempts to install neofetch

neofetch is a tool that draws the system logo and its specs in color — the typical "look at my machine" screenshot. And this person was determined to run it. When one method failed in the isolated environment, they tried another:

# 1: the package manager
apt update && apt install neofetch -y
# 2: download and run in one go
curl -Ls hxxps://raw[.]githubusercontent[.]com/dylanaraps/neofetch/master/neofetch | bash
# 3: fetch it, make it executable, run it
wget hxxps://raw[.]githubusercontent[.]com/dylanaraps/neofetch/master/neofetch
chmod +x neofetch && ./neofetch
# 4: via snap
snap install neofetch && neofetch
# 5: finally, give up and try the alternative
apt install screenfetch -y && screenfetch

Five routes to the same trivial goal. A bot doesn't do that — a bot runs its recipe and leaves. This is someone troubleshooting live, getting frustrated with a system that wasn't giving back what they expected.

Why we still flag it as critical

The second attempt is the reason. curl ... | bash fetches a script from a URL and pipes it straight into a shell: it is never written to disk as a file you could inspect, and nobody gets a chance to review it before it executes. The honeypot captured the real content: a 368 KB shell script. It turned out to be the legitimate neofetch. But we didn't know that until we captured it, and that's exactly the point.

The lesson of curl | bash

The pattern is dangerous by design, not because of the specific payload. Whoever controls that URL decides what runs on your machine, today and tomorrow. Today it was neofetch; one change on the remote server and tomorrow it's something else. That's why it's flagged critical regardless of what it returns: the risk is the mechanism, not the file.

The trail: where it came from

The connection came from infrastructure in Istanbul (ArvanCloud, AS57568), at 18:39 local time — 15:39 UTC. An afternoon: a plausible time for a person, not for a cron job. An important nuance, with no embellishment: that's the origin of the infrastructure, not necessarily where the person typing is. ArvanCloud is hosting/CDN and may well be an intermediate hop.

Figure: where traffic to the honeypot comes from · top origins by number of sessions · real honeypot figures. Labels: NL Netherlands (65%), US, BG, Istanbul (the person). Legend: automated traffic (bots) vs. the person in this session.

The most revealing cross-reference: 65% of the traffic comes from hosting in the Netherlands — cheap bot farms replicating the same sweep over and over. The person in this session didn't come from there: they came from Istanbul, outside the focus of the noise. Two worlds in the same decoy.

IOC — captured binary

sha256: 2a272bbaa1275f21835fd3258fb8032ccdc98348e6ccb9cf58acacd366340170

shell script · 368 KB · neofetch (MIT, legitimate). The full hash lets you verify that what was downloaded was the real neofetch and not an impostor with the same name. It's what separates "it looked harmless" from "we checked it".
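The practical counterpart to both points above (the curl | bash mechanism and the IOC hash) is to download to disk, compare the hash, and only then execute. The following is an added example and is not part of the CipherSentry article or its tooling. It assumes GNU coreutils sha256sum, curl and mktemp are available; the URL is supplied by the caller rather than hard-coded, and the expected hash is the article's IOC for the captured neofetch script. It goes one step past the article: the check is a reusable function that applies to any downloaded script, not just this one.

```shell
#!/bin/sh
# Added example (not the article's code): the safe replacement for
# `curl URL | bash` is download, verify, then run.
# Assumes GNU coreutils sha256sum, curl and mktemp.
set -u

# The article's IOC for the captured neofetch script (sha256).
NEOFETCH_SHA256=2a272bbaa1275f21835fd3258fb8032ccdc98348e6ccb9cf58acacd366340170

# verify_sha256 FILE EXPECTED
# Returns 0 if FILE hashes to EXPECTED (lower-case hex), 1 otherwise.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED [ARGS...]
# Downloads URL to a temporary file, refuses to run it unless its sha256
# matches EXPECTED, and removes the file afterwards. Nothing is executed
# on a mismatch, which is the whole difference from `curl | bash`.
fetch_verify_run() {
    url=$1
    expected=$2
    shift 2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "sha256 mismatch for $url, refusing to run" >&2
        echo "  got:      $(sha256sum "$tmp" | cut -d' ' -f1)" >&2
        echo "  expected: $expected" >&2
        rm -f "$tmp"
        return 2
    fi
    chmod +x "$tmp"
    "$tmp" "$@"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (URL deliberately not hard-coded here; supply the one you trust):
#   fetch_verify_run "$URL" "$NEOFETCH_SHA256"
```

The hash pins the content, not the name: if whoever controls the URL swaps the script tomorrow, the download still succeeds but the run is refused, which is exactly the case the article warns about.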

And here's the number that puts this in context: the sessions that arrive with a desktop client (Bitvise, PuTTY) number 1,409 of 268,155 — barely 0.5% of the traffic. The vast majority are headless libraries repeating a recipe. This one had someone deciding live.

And a cross-reference that puts neofetch in its place: across the 268,155 sessions in the corpus, the #1 command is uname (106,796 times), and the podium is dominated by hardware reconnaissance — grep, lspci, nvidia-smi. This person just wanted the pretty version of what almost everyone does right after getting in: figuring out what machine they've landed on. The difference is that they tried it five times, by hand.

Human vs bot: why the difference matters

Separating human sessions from automated ones changes how you prioritize. Three signals that gave this person away:

The client string: Bitvise SSH Client (Tunnelier) 9.61, a graphical Windows client, not a headless library.
The behaviour: five different routes to the same goal, each tried after the previous one failed. That is live troubleshooting, not a recipe.
The timing: 18:39 local time at the origin, an afternoon hour that fits a person rather than a cron job.

A human attacker changes the risk calculation: they improvise, they try what you didn't expect, and sometimes they come back. Treating every intrusion as automated noise makes you miss exactly the ones with a person behind them.

What to do

What's valuable about this session isn't neofetch. It's the reminder that, beneath the figures, there are people making decisions in real time. For years we've treated intrusions as automated noise. A well-placed decoy is where you finally see the adversary — not their log, them.

Who's getting into your machines — and what do they do inside?

CipherSentry deploys an SSH decoy that captures every real command and every real download, isolates them and shows them to you on a dashboard. We watched this person install neofetch five times; you'll see whoever knocks on your door.

See how it works →

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure. IP and URLs obfuscated ([.], hxxp) to prevent accidental clicks.

Data source
CipherSentry honeypot · session 9d00286f · IP 194.5.[REDACTED].238 · 2026-06-17 · context: 268,155 sessions / 1,169 IPs