Re: Interesting information about SSH scans

[Daniel Cid <danielcid () yahoo com br>]

Hi Philipp (and everyone else),

I'm responding here to everyone who contacted me.

1- The password that I found strange were
"root012345678" or "root01234567890", not the ones
that are based on the keyboard layout. However, I do
have to agreee that are probably a lot of systems
using these bad passwords.

2- My modified version is very simple that I won't
send out a diff. I basically just downloaded the last
version from openssh.org and added these two lines on
auth-passwd.c (on line 80 of the file -- just after
the beginning of the auth_password function):

if(strlen(password) > 1))
error("user: %s, pass: %s", authctxt->user, password);

3- Regarding the location of the scans, they look very
disperse (my box is in the US). I got two from Brazil,
one from the UK, one from NL, one from Japan, two from
India(from the same ISP), 2 from the USA and 1 from
Canada...

Thanks,


--
Daniel B. Cid, CISSP
daniel.cid (at) gmail.com
http://www.ossec.net/hids/




--- Philipp Frik <Philipp.Frik () physik lmu de>
escreveu:

> Daniel Cid schrieb:
>
> > I set up some honeypots and also made a few
> > modifications to the ssh daemon to print out the
> > passwords these scans were trying to use. I noticed
> a
> > reduction in the number of scans, but I still got a
> > few in the last few days.
> >  
> Is it possible to get your modified Vesion?
>
> > Basically I noticed 2 different scans.
> >
> > ** Scan 1 - Attempt many passwords against the root
> > account and a lot of attempts against
> common/default
> > accounts (with the password being the same as the
> > account name). Interesting is that some of the
> > passwords for root doesn't look very simple and
> some
> > use keyboard combinations (probably common too). 
> > Received scans of this type from 7 different IPS
> (same
> > passwords, users, etc).
> >
> > ** Scan 2 - Attempt a lot of strange passwords
> against
> > the root and admin account. Look bellow to see why
> I
> > think they are strange. Looks like the scanner is
> > broken :)
> > Received scans of this type from 3 different IPS.
> >
> >  
> At the first look they seem to be safe ;), but if
> you look at the
> password an then on your keyboard you see that this
> is only a playing
> with the first keys.  They aren't simple like "asdf"
> but they are simple ;)
>
> How different are the IPs ? Came it from the same
> ISP? Or completly
> different ISPs? Is it possible that the attacks came
> from hacked server
> out there?
>
> > *** User, password combinations:
> >
> > ** Scan 1 (user, password combinations):
> > user root, pass: 1qaz2wsx
> > user root, pass: 1q2w3e4r5t6y
> > user root, pass: 1qaz2wsx3edc4rfv
> > user root, pass: qazwsxedcrfv
> > user root, pass: webmaster
> > user root, pass: michael
> > user root, pass: work
> > user root, pass: maggie
> > user root, pass: print
> > user root, pass: 123456
> > user root, pass: root1234
> > user root, pass: 1qaz2wsx3edc
> > user root, pass: qazwsxedc
> > user root, pass: qazwsx
> > user root, pass: internet
> > user root, pass: mobile
> > user root, pass: windows
> > user root, pass: superman
> > user root, pass: 1q2w3e4r
> > user root, pass: network
> > user root, pass: system
> > user root, pass: administrator
> > user root, pass: 123qwe
> > user root, pass: manager
> > user root, pass: redhat
> > user root, pass: fedora
> > user root, pass: okmnji
> > user root, pass: qwerty
> > user root, pass: httpd
> > user root, pass: linux
> > user root, pass: coder
> > user root, pass: www
> > user root, pass: 123123
> > user root, pass: 1234567890
> >
> > user james, pass: james
> > user cvs, pass: cvs
> > user tony, pass: tony
> > user bill, pass: bill
> > user print, pass: print
> > user maggie, pass: maggie
> > user info, pass: info
> > user http, pass: http
> > user ftp, pass: ftp
> > user dany, pass: dany
> > user suse, pass: suse
> > user oracle, pass: oracle
> > user tomcat, pass: tomcat
> > user backup, pass: backup
> > user id, pass: id
> > user sgi, pass: sgi
> > user postgres, pass: postgres
> > user flowers, pass: flowers
> > user internet, pass: internet
> > user linux, pass: linux
> > user nokia, pass: nokia
> > user bash, pass: bash
> > user mysql, pass: mysql
> > user webmaster, pass: webmaster
> >
> >
> > ** Scan 2 (user, password combinations):
> > These passwors look very strange... Does anyone
> > will ever use a password of root1234567890? :)
> >
> >  
> You wouldn't never use passwords like this, but
> there a many stupid
> people outside they use passwords like this.
>
> > user root, pass: root12
> > user root, pass: root123
> > user root, pass: root1234
> > user root, pass: root12345
> > user root, pass: root123456
> > user root, pass: root1234567
> > user root, pass: root12345678
> > user root, pass: root123456789
> > user root, pass: root1234567890
> >
> > user admin, pass: admin
> > user admin, pass: admin1
> > user admin, pass: admin12
> > user admin, pass: admin123
> > user admin, pass: admin1234
> > user admin, pass: admin12345
> > user admin, pass: admin123456
> > user admin, pass: admin1234567
> > user admin, pass: admin12345678
> > user admin, pass: admin123456789
> > user admin, pass: admin1234567890
> >
> >
> > Thanks,
> >  
>
> Philipp



        



        
                
_______________________________________________________ 
Yahoo! doce lar. Faça do Yahoo! sua homepage. 
http://br.yahoo.com/homepageset.html