Security Incidents mailing list archives
RE: Interesting information about SSH scans
From: "L. Walker" <lwalker () magi net au>
Date: Thu, 9 Mar 2006 12:11:09 +1100
Hi Daniel,

In regards to the strange behaviour you have noted below... I've noticed a lot of clients utilising common English names, and applying 12 or 21 to the end of the password, so I wouldn't be surprised that a scanner is trying to bruteforce these combinations.

Kind Regards,
Luke Walker

-----Original Message-----
From: Daniel Cid [mailto:danielcid () yahoo com br]
Sent: Thursday, 9 March 2006 7:54 AM
To: incidents () securityfocus com
Subject: Interesting information about SSH scans

I set up some honeypots and also made a few modifications to the ssh daemon to print out the passwords these scans were trying to use. I noticed a reduction in the number of scans, but I still got a few in the last few days.

Basically I noticed 2 different scans.

** Scan 1 - Attempt many passwords against the root account and a lot of attempts against common/default accounts (with the password being the same as the account name). Interesting is that some of the passwords for root don't look very simple and some use keyboard combinations (probably common too). Received scans of this type from 7 different IPs (same passwords, users, etc).

** Scan 2 - Attempt a lot of strange passwords against the root and admin account. Look below to see why I think they are strange. Looks like the scanner is broken :) Received scans of this type from 3 different IPs.

*** User, password combinations:

** Scan 1 (user, password combinations):

user root, pass: 1qaz2wsx
user root, pass: 1q2w3e4r5t6y
user root, pass: 1qaz2wsx3edc4rfv
user root, pass: qazwsxedcrfv
user root, pass: webmaster
user root, pass: michael
user root, pass: work
user root, pass: maggie
user root, pass: print
user root, pass: 123456
user root, pass: root1234
user root, pass: 1qaz2wsx3edc
user root, pass: qazwsxedc
user root, pass: qazwsx
user root, pass: internet
user root, pass: mobile
user root, pass: windows
user root, pass: superman
user root, pass: 1q2w3e4r
user root, pass: network
user root, pass: system
user root, pass: administrator
user root, pass: 123qwe
user root, pass: manager
user root, pass: redhat
user root, pass: fedora
user root, pass: okmnji
user root, pass: qwerty
user root, pass: httpd
user root, pass: linux
user root, pass: coder
user root, pass: www
user root, pass: 123123
user root, pass: 1234567890
user james, pass: james
user cvs, pass: cvs
user tony, pass: tony
user bill, pass: bill
user print, pass: print
user maggie, pass: maggie
user info, pass: info
user http, pass: http
user ftp, pass: ftp
user dany, pass: dany
user suse, pass: suse
user oracle, pass: oracle
user tomcat, pass: tomcat
user backup, pass: backup
user id, pass: id
user sgi, pass: sgi
user postgres, pass: postgres
user flowers, pass: flowers
user internet, pass: internet
user linux, pass: linux
user nokia, pass: nokia
user bash, pass: bash
user mysql, pass: mysql
user webmaster, pass: webmaster

** Scan 2 (user, password combinations):

These passwords look very strange... Will anyone ever use a password of root1234567890? :)

user root, pass: root12
user root, pass: root123
user root, pass: root1234
user root, pass: root12345
user root, pass: root123456
user root, pass: root1234567
user root, pass: root12345678
user root, pass: root123456789
user root, pass: root1234567890
user admin, pass: admin
user admin, pass: admin1
user admin, pass: admin12
user admin, pass: admin123
user admin, pass: admin1234
user admin, pass: admin12345
user admin, pass: admin123456
user admin, pass: admin1234567
user admin, pass: admin12345678
user admin, pass: admin123456789
user admin, pass: admin1234567890

Thanks,

--
Daniel B. Cid, CISSP
daniel.cid (at) gmail.com
http://www.ossec.net/hids/
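For anyone triaging similar honeypot output, the following is an added example (not part of the original messages, and not OSSEC code) that buckets `user X, pass: Y` lines into the patterns discussed in this thread. The category names, the one-row/one-column key adjacency model, and the length and ratio thresholds are assumptions.

```python
import re
from collections import Counter

# Physical QWERTY rows; a key's neighbours are within one row and one column.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
LINE_RE = re.compile(r"user (\S+), pass: (\S+)")  # format printed in the post

def walk_ratio(pw):
    """Fraction of consecutive character pairs typed on neighbouring keys."""
    pw = pw.lower()
    pairs = list(zip(pw, pw[1:]))
    hits = 0
    for a, b in pairs:
        if a != b and a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            hits += abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1
    return hits / len(pairs) if pairs else 0.0

def classify(user, pw):
    suffix = pw[len(user):] if pw.startswith(user) else ""
    if pw == user:
        return "same_as_user"            # scan 1's non-root attempts
    if suffix and "1234567890".startswith(suffix):
        return "user_plus_counting"      # scan 2: root12 ... root1234567890
    if pw.isdigit():
        return "digits_only"
    if len(pw) >= 6 and walk_ratio(pw) >= 0.7:   # thresholds are assumptions
        return "keyboard_walk"           # 1qaz2wsx, qazwsxedcrfv, okmnji
    return "word_or_other"

def summarize(log_text):
    """Count attempts per pattern; works on one-per-line or run-together logs."""
    return Counter(classify(u, p) for u, p in LINE_RE.findall(log_text))

# Subset of the attempts quoted in the post, used as sample input.
SAMPLE = """\
user root, pass: 1qaz2wsx
user root, pass: qazwsxedcrfv
user root, pass: webmaster
user root, pass: 123456
user cvs, pass: cvs
user admin, pass: admin1
user root, pass: root1234567890
"""

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {label}")
```

The same `classify` function can be pointed at a list of local account names and candidate passwords to flag accounts whose password falls into one of the scanned patterns.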