[Dshield] Interesting information about SSH scans

Rik Kershaw-Moore Rik.Kershaw-Moore at avonandsomerset.police.uk
Mon Mar 13 09:15:58 GMT 2006


I was doing a further trawl of the internet and came across this website:

http://www.the-art-of-web.com/system/fail2ban/



 

-----Original Message-----
From: lucy at lucindrea.com [mailto:lucy at lucindrea.com] 
Sent: 08 March 2006 20:18
To: General DShield Discussion List
Cc: list at lists.dshield.org; ossec-list at ossec.net;
incidents at securityfocus.com
Subject: Re: [Dshield] Interesting information about SSH scans


unfortunately yes, there are servers out there with these passwords (
root123 ).. 99% of the time it's a "test" system or something someone is
learning *nix on so they make any old password .. problem is they become
robots themselves and start scanning "real" systems.

for these

> user root, pass: 1qaz2wsx
> user root, pass: 1q2w3e4r5t6y
> user root, pass: 1qaz2wsx3edc

just look at your keyboard .. it's amazing how often a password is cracked
just by counting on the laziness of end users. any keyboard "pattern" is
easy to figure out .. and words like $3rv3r are cracked just as fast.
this is why I use password generators .. human nature is to find patterns,
programs don't have this problem.


> I set up some honeypots and also made a few modifications to the ssh 
> daemon to print out the passwords these scans were trying to use. I 
> noticed a reduction in the number of scans, but I still got a few in 
> the last few days.
>
> Basically I noticed 2 different scans.
>
> ** Scan 1 - Attempt many passwords against the root account and a lot 
> of attempts against common/default accounts (with the password being 
> the same as the account name). Interesting is that some of the 
> passwords for root don't look very simple and some use keyboard 
> combinations (probably common too).
> Received scans of this type from 7 different IPs (same passwords, 
> users, etc).
>
> ** Scan 2 - Attempt a lot of strange passwords against the root and 
> admin account. Look below to see why I think they are strange. Looks 
> like the scanner is broken :) Received scans of this type from 3 
> different IPs.
>
>
> *** User, password combinations:
>
> ** Scan 1 (user, password combinations):
> user root, pass: 1qaz2wsx
> user root, pass: 1q2w3e4r5t6y
> user root, pass: 1qaz2wsx3edc4rfv
> user root, pass: qazwsxedcrfv
> user root, pass: webmaster
> user root, pass: michael
> user root, pass: work
> user root, pass: maggie
> user root, pass: print
> user root, pass: 123456
> user root, pass: root1234
> user root, pass: 1qaz2wsx3edc
> user root, pass: qazwsxedc
> user root, pass: qazwsx
> user root, pass: internet
> user root, pass: mobile
> user root, pass: windows
> user root, pass: superman
> user root, pass: 1q2w3e4r
> user root, pass: network
> user root, pass: system
> user root, pass: administrator
> user root, pass: 123qwe
> user root, pass: manager
> user root, pass: redhat
> user root, pass: fedora
> user root, pass: okmnji
> user root, pass: qwerty
> user root, pass: httpd
> user root, pass: linux
> user root, pass: coder
> user root, pass: www
> user root, pass: 123123
> user root, pass: 1234567890
>
> user james, pass: james
> user cvs, pass: cvs
> user tony, pass: tony
> user bill, pass: bill
> user print, pass: print
> user maggie, pass: maggie
> user info, pass: info
> user http, pass: http
> user ftp, pass: ftp
> user dany, pass: dany
> user suse, pass: suse
> user oracle, pass: oracle
> user tomcat, pass: tomcat
> user backup, pass: backup
> user id, pass: id
> user sgi, pass: sgi
> user postgres, pass: postgres
> user flowers, pass: flowers
> user internet, pass: internet
> user linux, pass: linux
> user nokia, pass: nokia
> user bash, pass: bash
> user mysql, pass: mysql
> user webmaster, pass: webmaster
>
>
> ** Scan 2 (user, password combinations):
> These passwords look very strange... Will anyone ever use a 
> password of root1234567890? :)
>
> user root, pass: root12
> user root, pass: root123
> user root, pass: root1234
> user root, pass: root12345
> user root, pass: root123456
> user root, pass: root1234567
> user root, pass: root12345678
> user root, pass: root123456789
> user root, pass: root1234567890
>
> user admin, pass: admin
> user admin, pass: admin1
> user admin, pass: admin12
> user admin, pass: admin123
> user admin, pass: admin1234
> user admin, pass: admin12345
> user admin, pass: admin123456
> user admin, pass: admin1234567
> user admin, pass: admin12345678
> user admin, pass: admin123456789
> user admin, pass: admin1234567890
>
>
> Thanks,
>
> --
> Daniel B. Cid, CISSP
> daniel.cid (at) gmail.com
> http://www.ossec.net/hids/
>
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own
> couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org To change your subscription 
> options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>


--
Time to revamp Kindergarten

1. Sharing is ILLEGAL
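
The three patterns discussed in this thread (password equal to the account name, account name followed by a run of digits, and keyboard walks) can be tagged automatically when triaging honeypot captures or auditing your own password lists. The sketch below is an added example, not code from any of the posters; the adjacency threshold, category names and the sample lines are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Unstaggered QWERTY grid: key -> (row, column). Assumes a US layout.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
LINE_RE = re.compile(r"user (\S+), pass: (\S+)")

def is_keyboard_walk(pw, min_len=4, min_ratio=0.7):
    """True if most consecutive characters are neighbouring keys.

    min_ratio < 1 tolerates the jump back to the top of the next
    column in walks such as 1qaz2wsx (assumed threshold).
    """
    pw = pw.lower()
    if len(pw) < min_len or any(ch not in KEY_POS for ch in pw):
        return False
    steps = list(zip(pw, pw[1:]))
    adjacent = 0
    for a, b in steps:
        (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
        if a != b and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
            adjacent += 1
    return adjacent / len(steps) >= min_ratio

def classify(user, pw):
    """Tag one captured attempt with the pattern it matches."""
    if pw == user:
        return "same-as-username"
    suffix = pw[len(user):]
    if pw.startswith(user) and suffix and "1234567890".startswith(suffix):
        return "username+digits"
    if is_keyboard_walk(pw):
        return "keyboard-walk"
    return "wordlist"

def summarize(log_text):
    """Count pattern tags over lines in the 'user X, pass: Y' format."""
    return Counter(classify(*m.groups()) for m in LINE_RE.finditer(log_text))

# Constructed sample in the format used in the quoted post.
SAMPLE = """\
> user root, pass: 1qaz2wsx
> user root, pass: 1q2w3e4r5t6y
> user root, pass: okmnji
> user root, pass: redhat
> user root, pass: root1234
> user oracle, pass: oracle
> user admin, pass: admin1234567890
"""

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {kind}")
```

The same `classify` function can be run over an account's candidate password at change time to reject anything that does not come back as `wordlist`, before a separate dictionary check.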