Security Incidents mailing list archives

RE: Interesting information about SSH scans


From: "L. Walker" <lwalker () magi net au>
Date: Thu, 9 Mar 2006 12:11:09 +1100

Hi Daniel,

In regards to the strange behaviour you have noted below...  I've noticed a
lot of clients utilising common English names, and applying 12 or 21 to the
end of the password, so I wouldn't be surprised that a scanner is trying to
bruteforce these combinations.

Kind Regards,
Luke Walker

-----Original Message-----
From: Daniel Cid [mailto:danielcid () yahoo com br] 
Sent: Thursday, 9 March 2006 7:54 AM
To: incidents () securityfocus com
Subject: Interesting information about SSH scans

I set up some honeypots and also made a few modifications to the ssh daemon
to print out the passwords these scans were trying to use. I noticed a
reduction in the number of scans, but I still got a few in the last few
days.

Basically I noticed 2 different scans.

** Scan 1 - Attempt many passwords against the root account and a lot of
attempts against common/default accounts (with the password being the same
as the account name). Interestingly, some of the passwords for root
don't look very simple and some use keyboard combinations (probably common
too).
Received scans of this type from 7 different IPs (same passwords, users,
etc).

** Scan 2 - Attempt a lot of strange passwords against the root and admin
account. Look below to see why I think they are strange. Looks like the
scanner is broken :) Received scans of this type from 3 different IPs.


*** User, password combinations:

** Scan 1 (user, password combinations):
user root, pass: 1qaz2wsx
user root, pass: 1q2w3e4r5t6y
user root, pass: 1qaz2wsx3edc4rfv
user root, pass: qazwsxedcrfv
user root, pass: webmaster
user root, pass: michael
user root, pass: work
user root, pass: maggie
user root, pass: print
user root, pass: 123456
user root, pass: root1234
user root, pass: 1qaz2wsx3edc
user root, pass: qazwsxedc
user root, pass: qazwsx
user root, pass: internet
user root, pass: mobile
user root, pass: windows
user root, pass: superman
user root, pass: 1q2w3e4r
user root, pass: network
user root, pass: system
user root, pass: administrator
user root, pass: 123qwe
user root, pass: manager
user root, pass: redhat
user root, pass: fedora
user root, pass: okmnji
user root, pass: qwerty
user root, pass: httpd
user root, pass: linux
user root, pass: coder
user root, pass: www
user root, pass: 123123
user root, pass: 1234567890

user james, pass: james
user cvs, pass: cvs
user tony, pass: tony
user bill, pass: bill
user print, pass: print
user maggie, pass: maggie
user info, pass: info
user http, pass: http
user ftp, pass: ftp
user dany, pass: dany
user suse, pass: suse
user oracle, pass: oracle
user tomcat, pass: tomcat
user backup, pass: backup
user id, pass: id
user sgi, pass: sgi
user postgres, pass: postgres
user flowers, pass: flowers
user internet, pass: internet
user linux, pass: linux
user nokia, pass: nokia
user bash, pass: bash
user mysql, pass: mysql
user webmaster, pass: webmaster


** Scan 2 (user, password combinations):
These passwords look very strange... Will anyone ever use a password of
root1234567890? :)

user root, pass: root12
user root, pass: root123
user root, pass: root1234
user root, pass: root12345
user root, pass: root123456
user root, pass: root1234567
user root, pass: root12345678
user root, pass: root123456789
user root, pass: root1234567890

user admin, pass: admin
user admin, pass: admin1
user admin, pass: admin12
user admin, pass: admin123
user admin, pass: admin1234
user admin, pass: admin12345
user admin, pass: admin123456
user admin, pass: admin1234567
user admin, pass: admin12345678
user admin, pass: admin123456789
user admin, pass: admin1234567890


Thanks,

--
Daniel B. Cid, CISSP
daniel.cid (at) gmail.com
http://www.ossec.net/hids/
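
An added example, not part of the original thread: one way to triage honeypot output in the "user X, pass: Y" format shown above into the patterns the messages describe (password equal to the account name, account name plus a digit suffix, keyboard combinations). The function names, the QWERTY adjacency model and the 70% threshold are assumptions made for this sketch.

```python
import re
from collections import Counter
# Lines copied from the two lists in the post, in its "user X, pass: Y" format.
SAMPLE_LOG = """** Scan 1
user root, pass: 1qaz2wsx
user root, pass: qazwsxedcrfv
user root, pass: okmnji
user root, pass: webmaster
user cvs, pass: cvs
** Scan 2
user root, pass: root12
user root, pass: root123
user admin, pass: admin
user admin, pass: admin12
"""
LINE_RE = re.compile(r"^user (\S+), pass: (\S+)\s*$")
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def adjacent(a, b):
    """True if two different keys touch (same row, or below / below-left)."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = sorted([POS[a], POS[b]])
    if r1 == r2:
        return c2 - c1 == 1
    return r2 - r1 == 1 and c2 - c1 in (0, -1)

def classify(user, password):
    u, p = user.lower(), password.lower()
    if p == u:
        return "same_as_user"
    if p.startswith(u) and p[len(u):].isdigit():
        return "user_plus_digits"
    pairs = list(zip(p, p[1:]))
    # Assumed heuristic: 6+ chars with at least 70% of steps between touching keys.
    if len(p) >= 6 and sum(adjacent(a, b) for a, b in pairs) >= 0.7 * len(pairs):
        return "keyboard_walk"
    return "other"

def summarize(log_text):
    """Return (attempts per pattern, digit-suffix attempts per targeted user)."""
    counts, suffix_users = Counter(), Counter()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        label = classify(*m.groups())
        counts[label] += 1
        if label == "user_plus_digits":
            suffix_users[m.group(1)] += 1
    return counts, suffix_users
```

Grouping the per-pattern counts by source IP would show whether two sources are working from the same wordlist, as the post observed for each scan type.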




