Loading threats
Execution of ls -d /opt/sshesame /opt/hornet /opt/blacknet /opt/heralding 2>/dev/null | wc -l to check for the presence of default SSHesame, Hornet, Blacknet, or Heralding honeypot installation directories and return a numeric count of matches. The inclusion of wc -l indicates the result is being programmatically evaluated, reflecting automated honeypot or deception-environment fingerprinting prior to further attacker activity.
This attack primitive is part of the SikkerAPI detection catalog and is actively monitored across our global honeypot network. No IPs in the current retention window have triggered this detection signature.
When an attacker triggers this primitive, matched IPs will appear here with confidence scores, geolocation, and session details. Browse other SSH detections or look up a specific IP to check its threat profile.