full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Looking at SSH scans passw

[Full-disclosure] Looking at SSH scans passwords (honeypot analysis)

From: <dd_at_nospam>
Date: Thu Jan 14 2010 - 18:49:39 GMT
To: full-disclosure@lists.grok.org.uk


I just wrote a small analysis of the SSH scans against our honeypots and one thing that intrigued me are some of the passwords used in the scans.

You can see the article here:
http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html

But what I am intrigued about are these passwords (bottom of the article). Some are very complex
and unique enough that I would guess they are used as backdoors or common access across
somewhere... Anyone have ideas or know where they are used?

# USER, PASS
5 software, cvsroot
5 soft123, sourceforge
5 rosymdelfin, conautoveracruz
1 root, tiganilaflorinteleorman
1 belltrix, spaf@r?_ene59p9e9rewr*katr
1 tiganilaflorinteleorman, root
1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu 1 sadmin, &thecentercannothold&
1 saddleman357, safe
1 sachin, f9uthlavIaPhlawroEXi
1 admin, b#5rum$ph!r!Keyufawre?a3r6
1 miquelfi, B|*Nsq|TO$~b
1 root, an0th3rd@y
1 admin, 63375312012a 1 root, zEfrephaq5qAnedufrethekuW 1 root, z1x2c3v4b5n6 1 root, xsw21qaz 1 root, wiu2ludrlamoatiuTriu 1 root, teiubescdartunumaiubestiasacahaidesaterminam 1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU 1 root, rough46road15 1 root, fiatmx1q2w3e 1 root, empire12 1 root, efKO1$4? 1 root, eempire99 1 root, d3lt4f0rc3 1 root, celes3cat 1 root, bleCroujouwLUswOEdrlAfo6w 1 root, bUspamaxegEGuyU52PEt6estU 1 root, an0th3rd@y 1 root, admin321321 1 root, admin1 1 root, admin 1 root, abcd1234 1 root, a1s2d3f4g5h6 1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u 1 root, QT3CUCCj 1 root, Pr99*35a!ra-EwruvU3E@rAtUk 1 root, N6a4t4u8OEwiaW8i7HLaqLaki 1 root, Liteon81 1 root, B_$Aj3y3#UCraveVE5e23er@P4 1 root, BP5FbGRr 1 root, 63375312012a 1 root, 1z2x3c4v5b6n 1 root, 1qaz2wsx 1 root, 1q2w3e4r5t6y 1 root, 1q2w3e4r5t 1 root, 1q2w3e4r 1 root, 1a2s3d4f5g6hy 1 root, +#SGU9&rbf-# 1 root, !@#$%^&*( 1 root, !@#$% 1 root, !@#$ 1 root, !@# 1 root, +#sgu9&rbf-# 1 root, )(*&^%$#@! 1 root, &thecentercannothold& 1 root, %5%7%4%5%1%4%8%7 1 news, $changeme$
1 $ passwd
1 root, !@#$%^&*()
1 q16060502141279, q16060502141279
1 pr99*35a!ra-ewruvu3e@ratuk, admin
1 n6a4t4u8oewiaw8i7hlaqlaki, root
1 admin, miemleh9esplawriuthiewias
1 admin, J34a47nu
1 zefrephaq5qanedufrethekuw, sadmin
1 zander, zechsmerquise88
1 root, zaxscd13524
1 zander, zechsmerquise88
1 yxwvutseqponmlkjihgfedcba, root
1 yuneneli, z11060510412854
1 yourdotw, ip46262
1 xgridagent, xgridcontroller
1 xj050i7bfa, root
1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter 1 root, wolfiz0r@
1 admin, wolfiz0r@
1 root, wiu2ludrlamoatiutriu
1 ups650cl, lbjlive
1 root, unlocker
1 u33977059, ubuntu 1 u231006, u33977059 1 u208417, u231006 1 u207114, u208417
1 tyson, u207114



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/