full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Looking at SSH scans p

Re: [Full-disclosure] Looking at SSH scans passwords (honeypot analysis)

From: Elliot Fernandes <elliotfernandes_at_nospam>
Date: Thu Jan 14 2010 - 22:55:17 GMT
To: dd@sucuri.net, full-disclosure@lists.grok.org.uk


What I can say is that, the person who was trying to access your honeypot was using a wordlist, albeit of bad quality because the wordlist contains a large degree of statistical randomness. For the most of us, passwords consist of dictionary words, so a good wordlist would contain that and permutations of it, not just gibberish. By the way, I've scouraged the internet for wordlists and I've seen entries with !@#$%^&*( , !@#$% , !@#$ , !@# and the others you've included.

  • On Thu, 1/14/10, dd@sucuri.net <dd@sucuri.net> wrote:

> From: dd@sucuri.net <dd@sucuri.net>
> Subject: [Full-disclosure] Looking at SSH scans passwords (honeypot analysis)
> To: full-disclosure@lists.grok.org.uk
> Date: Thursday, January 14, 2010, 10:49 PM
> I just wrote a small analysis of the
> SSH scans against our honeypots and one
> thing that intrigued me are some of the passwords used in
> the scans.
>
> You can see the article here:
> http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html
>
> But what I am intrigued about are these passwords (bottom
> of the
> article). Some are very complex
> and unique enough that I would guess they are used as
> backdoors or
> common access across
> somewhere... Anyone have ideas or know where they are
> used?
>
> # USER, PASS
> 5 software, cvsroot
> 5 soft123, sourceforge
> 5 rosymdelfin, conautoveracruz
> 1 root, tiganilaflorinteleorman
> 1 belltrix, spaf@r?_ene59p9e9rewr*katr
> 1 tiganilaflorinteleorman, root
> 1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
> 1 sadmin, &thecentercannothold&
> 1 saddleman357, safe
> 1 sachin, f9uthlavIaPhlawroEXi
> 1 admin, b#5rum$ph!r!Keyufawre?a3r6
> 1 miquelfi, B|*Nsq|TO$~b
> 1 root, an0th3rd@y
> 1 admin, 63375312012a
> 1 root, zEfrephaq5qAnedufrethekuW
> 1 root, z1x2c3v4b5n6
> 1 root, xsw21qaz
> 1 root, wiu2ludrlamoatiuTriu
> 1 root, teiubescdartunumaiubestiasacahaidesaterminam
> 1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
> 1 root, rough46road15
> 1 root, fiatmx1q2w3e
> 1 root, empire12
> 1 root, efKO1$4?
> 1 root, eempire99
> 1 root, d3lt4f0rc3
> 1 root, celes3cat
> 1 root, bleCroujouwLUswOEdrlAfo6w
> 1 root, bUspamaxegEGuyU52PEt6estU
> 1 root, an0th3rd@y
> 1 root, admin321321
> 1 root, admin1
> 1 root, admin
> 1 root, abcd1234
> 1 root, a1s2d3f4g5h6
> 1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
> 1 root, QT3CUCCj
> 1 root, Pr99*35a!ra-EwruvU3E@rAtUk
> 1 root, N6a4t4u8OEwiaW8i7HLaqLaki
> 1 root, Liteon81
> 1 root, B_$Aj3y3#UCraveVE5e23er@P4
> 1 root, BP5FbGRr
> 1 root, 63375312012a
> 1 root, 1z2x3c4v5b6n
> 1 root, 1qaz2wsx
> 1 root, 1q2w3e4r5t6y
> 1 root, 1q2w3e4r5t
> 1 root, 1q2w3e4r
> 1 root, 1a2s3d4f5g6hy
> 1 root, +#SGU9&rbf-#
> 1 root, !@#$%^&*(
> 1 root, !@#$%
> 1 root, !@#$
> 1 root, !@#
> 1 root, +#sgu9&rbf-#
> 1 root, )(*&^%$#@!
> 1 root, &thecentercannothold&
> 1 root, %5%7%4%5%1%4%8%7
> 1 news, $changeme$
> 1 $ passwd
> 1 root, !@#$%^&*()
> 1 q16060502141279, q16060502141279
> 1 pr99*35a!ra-ewruvu3e@ratuk, admin
> 1 n6a4t4u8oewiaw8i7hlaqlaki, root
> 1 admin, miemleh9esplawriuthiewias
> 1 admin, J34a47nu
> 1 zefrephaq5qanedufrethekuw, sadmin
> 1 zander, zechsmerquise88
> 1 root, zaxscd13524
> 1 zander, zechsmerquise88
> 1 yxwvutseqponmlkjihgfedcba, root
> 1 yuneneli, z11060510412854
> 1 yourdotw, ip46262
> 1 xgridagent, xgridcontroller
> 1 xj050i7bfa, root
> 1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
> 1 root, wolfiz0r@
> 1 admin, wolfiz0r@
> 1 root, wiu2ludrlamoatiutriu
> 1 ups650cl, lbjlive
> 1 root, unlocker
> 1 u33977059, ubuntu
> 1 u231006, u33977059
> 1 u208417, u231006
> 1 u207114, u208417
> 1 tyson, u207114
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
      



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/