Security Incidents mailing list archives
Re: Interesting information about SSH scans
From: Daniel Cid <danielcid () yahoo com br>
Date: Thu, 9 Mar 2006 19:12:44 -0300 (ART)
Hi Philipp (and everyone else),

I'm responding here to everyone who contacted me.

1- The passwords that I found strange were "root012345678" or "root01234567890", not the ones that are based on the keyboard layout. However, I do have to agree that there are probably a lot of systems using these bad passwords.

2- My modified version is so simple that I won't send out a diff. I basically just downloaded the last version from openssh.org and added these two lines to auth-passwd.c (on line 80 of the file -- just after the beginning of the auth_password function):

    if (strlen(password) > 1)
        error("user: %s, pass: %s", authctxt->user, password);

3- Regarding the location of the scans, they look very dispersed (my box is in the US). I got two from Brazil, one from the UK, one from NL, one from Japan, two from India (from the same ISP), 2 from the USA and 1 from Canada...

Thanks,

--
Daniel B. Cid, CISSP
daniel.cid (at) gmail.com
http://www.ossec.net/hids/

--- Philipp Frik <Philipp.Frik () physik lmu de> wrote:
> Daniel Cid wrote:
> > I set up some honeypots and also made a few modifications to the ssh daemon to print out the passwords these scans were trying to use. I noticed a reduction in the number of scans, but I still got a few in the last few days.
>
> Is it possible to get your modified version?
>
> > Basically I noticed 2 different scans.
> >
> > ** Scan 1 - Attempt many passwords against the root account and a lot of attempts against common/default accounts (with the password being the same as the account name). Interesting is that some of the passwords for root don't look very simple and some use keyboard combinations (probably common too). Received scans of this type from 7 different IPs (same passwords, users, etc).
> >
> > ** Scan 2 - Attempt a lot of strange passwords against the root and admin account. Look below to see why I think they are strange. Looks like the scanner is broken :) Received scans of this type from 3 different IPs.
>
> At first look they seem to be safe ;), but if you look at the password and then at your keyboard you see that this is only playing with the first keys. They aren't simple like "asdf" but they are simple ;)
>
> How different are the IPs? Did they come from the same ISP? Or completely different ISPs?
> Is it possible that the attacks came from hacked servers out there?
>
> > *** User, password combinations:
> >
> > ** Scan 1 (user, password combinations):
> >
> > user root, pass: 1qaz2wsx
> > user root, pass: 1q2w3e4r5t6y
> > user root, pass: 1qaz2wsx3edc4rfv
> > user root, pass: qazwsxedcrfv
> > user root, pass: webmaster
> > user root, pass: michael
> > user root, pass: work
> > user root, pass: maggie
> > user root, pass: print
> > user root, pass: 123456
> > user root, pass: root1234
> > user root, pass: 1qaz2wsx3edc
> > user root, pass: qazwsxedc
> > user root, pass: qazwsx
> > user root, pass: internet
> > user root, pass: mobile
> > user root, pass: windows
> > user root, pass: superman
> > user root, pass: 1q2w3e4r
> > user root, pass: network
> > user root, pass: system
> > user root, pass: administrator
> > user root, pass: 123qwe
> > user root, pass: manager
> > user root, pass: redhat
> > user root, pass: fedora
> > user root, pass: okmnji
> > user root, pass: qwerty
> > user root, pass: httpd
> > user root, pass: linux
> > user root, pass: coder
> > user root, pass: www
> > user root, pass: 123123
> > user root, pass: 1234567890
> > user james, pass: james
> > user cvs, pass: cvs
> > user tony, pass: tony
> > user bill, pass: bill
> > user print, pass: print
> > user maggie, pass: maggie
> > user info, pass: info
> > user http, pass: http
> > user ftp, pass: ftp
> > user dany, pass: dany
> > user suse, pass: suse
> > user oracle, pass: oracle
> > user tomcat, pass: tomcat
> > user backup, pass: backup
> > user id, pass: id
> > user sgi, pass: sgi
> > user postgres, pass: postgres
> > user flowers, pass: flowers
> > user internet, pass: internet
> > user linux, pass: linux
> > user nokia, pass: nokia
> > user bash, pass: bash
> > user mysql, pass: mysql
> > user webmaster, pass: webmaster
> >
> > ** Scan 2 (user, password combinations):
> >
> > These passwords look very strange... Will anyone ever use a password of root1234567890? :)
>
> You would never use passwords like this, but there are many stupid people out there who use passwords like this.
>
> > user root, pass: root12
> > user root, pass: root123
> > user root, pass: root1234
> > user root, pass: root12345
> > user root, pass: root123456
> > user root, pass: root1234567
> > user root, pass: root12345678
> > user root, pass: root123456789
> > user root, pass: root1234567890
> > user admin, pass: admin
> > user admin, pass: admin1
> > user admin, pass: admin12
> > user admin, pass: admin123
> > user admin, pass: admin1234
> > user admin, pass: admin12345
> > user admin, pass: admin123456
> > user admin, pass: admin1234567
> > user admin, pass: admin12345678
> > user admin, pass: admin123456789
> > user admin, pass: admin1234567890
> >
> > Thanks,
>
> Philipp
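For analysing what the two-line logging change in the message above writes out, here is an added example (not part of the original post and not OpenSSH code) that sorts each logged guess into the patterns the thread discusses: password equal to the account name, account name plus a digit run, and keyboard walks. The syslog prefix, the category names and the 0.7 adjacency threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: hostname, PIDs and timestamps are made up; the
# user/password pairs are taken from the lists quoted in this thread.
SAMPLE_LOG = """\
Mar  8 10:01:02 honeypot sshd[4121]: error: user: root, pass: 1qaz2wsx
Mar  8 10:01:05 honeypot sshd[4121]: error: user: root, pass: qazwsxedcrfv
Mar  8 10:01:09 honeypot sshd[4123]: error: user: root, pass: webmaster
Mar  8 10:01:12 honeypot sshd[4125]: error: user: oracle, pass: oracle
Mar  8 10:02:40 honeypot sshd[4190]: error: user: root, pass: root1234567890
Mar  8 10:02:44 honeypot sshd[4192]: error: user: admin, pass: admin123
Mar  8 10:02:47 honeypot sshd[4194]: error: user: root, pass: okmnji
"""

# Accepts both "user: root, pass: x" (the error() format) and "user root, pass: x".
LINE_RE = re.compile(r"user:? (?P<user>\S+), pass: (?P<password>.*)$")
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def walk_ratio(password):
    # Share of consecutive character pairs that sit on neighbouring keys
    # (US QWERTY treated as a plain grid; row stagger is ignored).
    pairs = list(zip(password.lower(), password.lower()[1:]))
    hits = 0
    for a, b in pairs:
        if a in KEY_POS and b in KEY_POS and a != b:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            hits += abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1
    return hits / max(len(pairs), 1)

def classify(user, password):
    if password == user:
        return "same_as_user"
    suffix = password[len(user):]
    if password.startswith(user) and suffix and (
            "1234567890".startswith(suffix) or "01234567890".startswith(suffix)):
        return "user_plus_digits"
    if len(password) >= 5 and walk_ratio(password) >= 0.7:
        return "keyboard_walk"
    return "other"

def summarize(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[classify(m["user"], m["password"])] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Both logged fields are attacker-supplied, so a user name containing ", pass: " or control characters can mislead this line-based parse; treat the counts as indicative.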
Current thread:
- Interesting information about SSH scans Daniel Cid (Mar 08)
- RE: Interesting information about SSH scans L. Walker (Mar 08)
- Re: Interesting information about SSH scans Jørn Skifter Andersen (Mar 09)
- Re: Interesting information about SSH scans Philipp Frik (Mar 09)
- Re: Interesting information about SSH scans Daniel Cid (Mar 09)