Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Looking at SSH scans passwords (honeypot analysis)

From: Elliot Fernandes <elliotfernandes () yahoo com>
Date: Thu, 14 Jan 2010 14:55:17 -0800 (PST)
What I can say is that, the person who was trying to access your honeypot was using a wordlist, albeit of bad quality 
because the wordlist contains a large degree of statistical randomness. For the most of us, passwords consist of 
dictionary words, so a good wordlist would contain that and permutations of it, not just gibberish. By the way, I've 
scouraged the internet for wordlists and I've seen entries with !@#$%^&*( , !@#$% , !@#$ , !@# and the others you've 
included.

--- On Thu, 1/14/10, dd () sucuri net <dd () sucuri net> wrote:


From: dd () sucuri net <dd () sucuri net>
Subject: [Full-disclosure] Looking at SSH scans passwords (honeypot analysis)
To: full-disclosure () lists grok org uk
Date: Thursday, January 14, 2010, 10:49 PM
I just wrote a small analysis of the
SSH scans against our honeypots and one
thing that intrigued me are some of the passwords used in
the scans.

You can see the article here:
http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html

But what I am intrigued about are these passwords (bottom
of the
article). Some are very complex
and unique enough that I would guess they are used as
backdoors or
common access across
somewhere... Anyone have ideas or know where they are
used?

# USER, PASS
5 software, cvsroot
5 soft123, sourceforge
5 rosymdelfin, conautoveracruz
1 root, tiganilaflorinteleorman
1 belltrix, spaf@r?_ene59p9e9rewr*katr
1 tiganilaflorinteleorman, root
1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
1 sadmin, &thecentercannothold&
1 saddleman357, safe
1 sachin, f9uthlavIaPhlawroEXi
1 admin, b#5rum$ph!r!Keyufawre?a3r6
1 miquelfi, B|*Nsq|TO$~b
1 root, an0th3rd@y
1 admin, 63375312012a
1 root, zEfrephaq5qAnedufrethekuW
1 root, z1x2c3v4b5n6
1 root, xsw21qaz
1 root, wiu2ludrlamoatiuTriu
1 root, teiubescdartunumaiubestiasacahaidesaterminam
1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
1 root, rough46road15
1 root, fiatmx1q2w3e
1 root, empire12
1 root, efKO1$4?
1 root, eempire99
1 root, d3lt4f0rc3
1 root, celes3cat
1 root, bleCroujouwLUswOEdrlAfo6w
1 root, bUspamaxegEGuyU52PEt6estU
1 root, an0th3rd@y
1 root, admin321321
1 root, admin1
1 root, admin
1 root, abcd1234
1 root, a1s2d3f4g5h6
1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
1 root, QT3CUCCj
1 root, Pr99*35a!ra-EwruvU3E@rAtUk
1 root, N6a4t4u8OEwiaW8i7HLaqLaki
1 root, Liteon81
1 root, B_$Aj3y3#UCraveVE5e23er@P4
1 root, BP5FbGRr
1 root, 63375312012a
1 root, 1z2x3c4v5b6n
1 root, 1qaz2wsx
1 root, 1q2w3e4r5t6y
1 root, 1q2w3e4r5t
1 root, 1q2w3e4r
1 root, 1a2s3d4f5g6hy
1 root, +#SGU9&rbf-#
1 root, !@#$%^&*(
1 root, !@#$%
1 root, !@#$
1 root, !@#
1 root, +#sgu9&rbf-#
1 root, )(*&^%$#@!
1 root, &thecentercannothold&
1 root, %5%7%4%5%1%4%8%7
1 news, $changeme$
1 $ passwd
1 root, !@#$%^&*()
1 q16060502141279, q16060502141279
1 pr99*35a!ra-ewruvu3e@ratuk, admin
1 n6a4t4u8oewiaw8i7hlaqlaki, root
1 admin, miemleh9esplawriuthiewias
1 admin, J34a47nu
1 zefrephaq5qanedufrethekuw, sadmin
1 zander, zechsmerquise88
1 root, zaxscd13524
1 zander, zechsmerquise88
1 yxwvutseqponmlkjihgfedcba, root
1 yuneneli, z11060510412854
1 yourdotw, ip46262
1 xgridagent, xgridcontroller
1 xj050i7bfa, root
1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
1 root, wolfiz0r@
1 admin, wolfiz0r@
1 root, wiu2ludrlamoatiutriu
1 ups650cl, lbjlive
1 root, unlocker
1 u33977059, ubuntu
1 u231006, u33977059
1 u208417, u231006
1 u207114, u208417
1 tyson, u207114

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




      

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: