Execution of the following command:

find /var/log -name '*.json' -newer /tmp 2>/dev/null | grep -iE 'cowrie|kippo|honey' | head -1

The command locates JSON log files under /var/log that were modified more recently than /tmp, filters the resulting paths for case-insensitive references to “cowrie”, “kippo”, or “honey”, and returns only the first match; errors from find are discarded. The use of -newer /tmp suggests interest in active or recently written logs, indicating automated detection of running honeypot activity based on structured log artifacts rather than static installation paths.
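Added example, not part of the SikkerAPI catalog entry or its signature: one way a defender could flag this primitive in recorded session commands by its structure (a find under /var/log with -newer and a .json name, piped into a grep for the honeypot names) instead of the literal string. The function names and the sample commands are constructed for illustration.

```python
import shlex

# Honeypot names the catalogued command greps for (taken from the page).
HONEYPOT_WORDS = ("cowrie", "kippo", "honey")

def split_pipeline(command):
    """Split a shell command line into pipeline stages of argv tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    stages, current = [], []
    for tok in lex:
        if tok == "|":          # unquoted pipe: start a new stage
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return [s for s in stages if s]

def is_honeypot_log_probe(command):
    """True when a find over /var/log is piped into a grep for honeypot names."""
    try:
        stages = split_pipeline(command)
    except ValueError:          # unbalanced quotes: not parseable, do not flag
        return False
    find_seen = False
    for argv in stages:
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "find":
            roots = [a for a in argv[1:] if a == "/var/log" or a.startswith("/var/log/")]
            find_seen = bool(roots) and "-newer" in argv and any(
                a.lower().endswith(".json") for a in argv)
        elif prog in ("grep", "egrep") and find_seen:
            pattern = " ".join(a for a in argv[1:] if not a.startswith("-")).lower()
            if any(w in pattern for w in HONEYPOT_WORDS):
                return True
    return False

# Constructed session commands (not captured data).
SAMPLES = [
    "find /var/log -name '*.json' -newer /tmp 2>/dev/null | grep -iE 'cowrie|kippo|honey' | head -1",
    "/usr/bin/find /var/log/ -newer /tmp -name \"*.JSON\"|egrep -i 'KIPPO'",
    "find /var/log -name '*.json' -mtime -1 | xargs gzip",
    "grep -i honey /etc/motd",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(is_honeypot_log_probe(cmd), cmd)
```

The first two samples are flagged; the routine log-rotation pipeline and the standalone grep are not.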
This attack primitive is part of the SikkerAPI detection catalog and is actively monitored across our global honeypot network. No IPs in the current retention window have triggered this detection signature.