Daniel Cid wrote:
>I set up some honeypots and also made a few
>modifications to the ssh daemon to print out the
>passwords these scans were trying to use. I noticed a
>reduction in the number of scans, but I still got a
>few in the last few days.
>
>

Is it possible to get your modified version?

>Basically I noticed 2 different scans.
>
>** Scan 1 - Attempt many passwords against the root
>account and a lot of attempts against common/default
>accounts (with the password being the same as the
>account name). Interesting is that some of the
>passwords for root don't look very simple and some
>use keyboard combinations (probably common too).
>Received scans of this type from 7 different IPs (same
>passwords, users, etc).
>
>** Scan 2 - Attempt a lot of strange passwords against
>the root and admin account. Look below to see why I
>think they are strange. Looks like the scanner is
>broken :)
>Received scans of this type from 3 different IPs.
>
>
>

At first look they seem to be safe ;), but if you look at the password and then at your keyboard you see that this is only playing with the first keys. They aren't simple like "asdf" but they are simple ;)

How different are the IPs? Did they come from the same ISP? Or completely different ISPs? Is it possible that the attacks came from hacked servers out there?

>*** User, password combinations:
>
>** Scan 1 (user, password combinations):
>user root, pass: 1qaz2wsx
>user root, pass: 1q2w3e4r5t6y
>user root, pass: 1qaz2wsx3edc4rfv
>user root, pass: qazwsxedcrfv
>user root, pass: webmaster
>user root, pass: michael
>user root, pass: work
>user root, pass: maggie
>user root, pass: print
>user root, pass: 123456
>user root, pass: root1234
>user root, pass: 1qaz2wsx3edc
>user root, pass: qazwsxedc
>user root, pass: qazwsx
>user root, pass: internet
>user root, pass: mobile
>user root, pass: windows
>user root, pass: superman
>user root, pass: 1q2w3e4r
>user root, pass: network
>user root, pass: system
>user root, pass: administrator
>user root, pass: 123qwe
>user root, pass: manager
>user root, pass: redhat
>user root, pass: fedora
>user root, pass: okmnji
>user root, pass: qwerty
>user root, pass: httpd
>user root, pass: linux
>user root, pass: coder
>user root, pass: www
>user root, pass: 123123
>user root, pass: 1234567890
>
>user james, pass: james
>user cvs, pass: cvs
>user tony, pass: tony
>user bill, pass: bill
>user print, pass: print
>user maggie, pass: maggie
>user info, pass: info
>user http, pass: http
>user ftp, pass: ftp
>user dany, pass: dany
>user suse, pass: suse
>user oracle, pass: oracle
>user tomcat, pass: tomcat
>user backup, pass: backup
>user id, pass: id
>user sgi, pass: sgi
>user postgres, pass: postgres
>user flowers, pass: flowers
>user internet, pass: internet
>user linux, pass: linux
>user nokia, pass: nokia
>user bash, pass: bash
>user mysql, pass: mysql
>user webmaster, pass: webmaster
>
>
>** Scan 2 (user, password combinations):
>These passwords look very strange... Will anyone
>ever use a password of root1234567890? :)
>
>
>

You would never use passwords like this, but there are many stupid people out there who use passwords like this.

>user root, pass: root12
>user root, pass: root123
>user root, pass: root1234
>user root, pass: root12345
>user root, pass: root123456
>user root, pass: root1234567
>user root, pass: root12345678
>user root, pass: root123456789
>user root, pass: root1234567890
>
>user admin, pass: admin
>user admin, pass: admin1
>user admin, pass: admin12
>user admin, pass: admin123
>user admin, pass: admin1234
>user admin, pass: admin12345
>user admin, pass: admin123456
>user admin, pass: admin1234567
>user admin, pass: admin12345678
>user admin, pass: admin123456789
>user admin, pass: admin1234567890
>
>
>Thanks,
>
>

Philipp
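
Added example, not part of the original messages or of either poster's code: a Python sketch that sorts honeypot attempts into the patterns discussed in this thread (password equal to the account name, account name plus a digit run, keyboard walk), e.g. for a password-policy check. The `user X, pass: Y` format follows the lines quoted above; the function names, the simplified keyboard grid and the thresholds are assumptions.

```python
import re
from collections import Counter

# Simplified QWERTY grid (assumption): column = index within the row, stagger ignored.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLUMN = {key: col for row in ROWS for col, key in enumerate(row)}
LINE = re.compile(r"user (\S+), pass: (\S+)")

def walk_ratio(password):
    """Fraction of consecutive key pairs in the same or a neighbouring column."""
    keys = password.lower()
    if len(keys) < 2 or any(k not in COLUMN for k in keys):
        return 0.0
    near = sum(abs(COLUMN[a] - COLUMN[b]) <= 1 for a, b in zip(keys, keys[1:]))
    return near / (len(keys) - 1)

def classify(user, password):
    """Return the pattern class of one attempt."""
    if password == user:
        return "same_as_user"
    suffix = password[len(user):]
    if password.startswith(user) and "1234567890".startswith(suffix):
        return "user_plus_digits"
    # Thresholds (>= 6 keys, >= 80% near steps) are assumptions, not tuned values.
    if len(password) >= 6 and walk_ratio(password) >= 0.8:
        return "keyboard_walk"
    return "other"

def summarize(log_text):
    """Count pattern classes over 'user X, pass: Y' lines; quote markers are ignored."""
    return Counter(classify(u, p) for u, p in LINE.findall(log_text))

# A few lines copied from the lists quoted above, used as sample input.
SAMPLE = """\
>user root, pass: 1qaz2wsx
>user root, pass: okmnji
>user root, pass: 123qwe
>user root, pass: michael
>user root, pass: redhat
>user cvs, pass: cvs
>user oracle, pass: oracle
>user root, pass: root12345
>user admin, pass: admin1
"""

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).most_common():
        print(f"{label:17} {count}")
```
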
