Hi Philipp (and everyone else),

I'm responding here to everyone who contacted me.

1- The passwords that I found strange were
"root012345678" or "root01234567890", not the ones
that are based on the keyboard layout. However, I do
have to agree that there are probably a lot of systems
using these bad passwords.

2- My modified version is so simple that I won't
send out a diff. I basically just downloaded the last
version from openssh.org and added these two lines to
auth-passwd.c (on line 80 of the file -- just after
the beginning of the auth_password function):

/* honeypot only: log every attempted user/password pair */
if (strlen(password) > 1)
        error("user: %s, pass: %s", authctxt->user, password);

3- Regarding the location of the scans, they look very
dispersed (my box is in the US). I got two from Brazil,
one from the UK, one from NL, one from Japan, two from
India (from the same ISP), 2 from the USA and 1 from
Canada...

Thanks,


--
Daniel B. Cid, CISSP
daniel.cid (at) gmail.com
http://www.ossec.net/hids/




--- Philipp Frik <[EMAIL PROTECTED]> wrote:

> Daniel Cid wrote:
> 
> >I set up some honeypots and also made a few
> >modifications to the ssh daemon to print out the
> >passwords these scans were trying to use. I noticed a
> >reduction in the number of scans, but I still got a
> >few in the last few days.
> >
> Is it possible to get your modified version?
> 
> >Basically I noticed 2 different scans.
> >
> >** Scan 1 - Attempt many passwords against the root
> >account and a lot of attempts against common/default
> >accounts (with the password being the same as the
> >account name). Interestingly, some of the
> >passwords for root don't look very simple and some
> >use keyboard combinations (probably common too).
> >Received scans of this type from 7 different IPs (same
> >passwords, users, etc).
> >
> >** Scan 2 - Attempt a lot of strange passwords against
> >the root and admin account. Look below to see why I
> >think they are strange. Looks like the scanner is
> >broken :)
> >Received scans of this type from 3 different IPs.
> >
> At first look they seem to be safe ;), but if
> you look at the password and then at your keyboard
> you see that this is only playing with the first
> keys.  They aren't simple like "asdf"
> but they are simple ;)
> 
> How different are the IPs? Did they come from the same
> ISP? Or completely different ISPs? Is it possible that
> the attacks came from hacked servers out there?
> 
> >*** User, password combinations:
> >
> >** Scan 1 (user, password combinations):
> >user root, pass: 1qaz2wsx
> >user root, pass: 1q2w3e4r5t6y
> >user root, pass: 1qaz2wsx3edc4rfv
> >user root, pass: qazwsxedcrfv
> >user root, pass: webmaster
> >user root, pass: michael
> >user root, pass: work
> >user root, pass: maggie
> >user root, pass: print
> >user root, pass: 123456
> >user root, pass: root1234
> >user root, pass: 1qaz2wsx3edc
> >user root, pass: qazwsxedc
> >user root, pass: qazwsx
> >user root, pass: internet
> >user root, pass: mobile
> >user root, pass: windows
> >user root, pass: superman
> >user root, pass: 1q2w3e4r
> >user root, pass: network
> >user root, pass: system
> >user root, pass: administrator
> >user root, pass: 123qwe
> >user root, pass: manager
> >user root, pass: redhat
> >user root, pass: fedora
> >user root, pass: okmnji
> >user root, pass: qwerty
> >user root, pass: httpd
> >user root, pass: linux
> >user root, pass: coder
> >user root, pass: www
> >user root, pass: 123123
> >user root, pass: 1234567890
> >
> >user james, pass: james
> >user cvs, pass: cvs
> >user tony, pass: tony
> >user bill, pass: bill
> >user print, pass: print
> >user maggie, pass: maggie
> >user info, pass: info
> >user http, pass: http
> >user ftp, pass: ftp
> >user dany, pass: dany
> >user suse, pass: suse
> >user oracle, pass: oracle
> >user tomcat, pass: tomcat
> >user backup, pass: backup
> >user id, pass: id
> >user sgi, pass: sgi
> >user postgres, pass: postgres
> >user flowers, pass: flowers
> >user internet, pass: internet
> >user linux, pass: linux
> >user nokia, pass: nokia
> >user bash, pass: bash
> >user mysql, pass: mysql
> >user webmaster, pass: webmaster
> >
> >
> >** Scan 2 (user, password combinations):
> >These passwords look very strange... Will anyone
> >ever use a password of root1234567890? :)
> >
> You would never use passwords like this, but
> there are many stupid people out there who use
> passwords like this.
> 
> >user root, pass: root12
> >user root, pass: root123
> >user root, pass: root1234
> >user root, pass: root12345
> >user root, pass: root123456
> >user root, pass: root1234567
> >user root, pass: root12345678
> >user root, pass: root123456789
> >user root, pass: root1234567890
> >
> >user admin, pass: admin
> >user admin, pass: admin1
> >user admin, pass: admin12
> >user admin, pass: admin123
> >user admin, pass: admin1234
> >user admin, pass: admin12345
> >user admin, pass: admin123456
> >user admin, pass: admin1234567
> >user admin, pass: admin12345678
> >user admin, pass: admin123456789
> >user admin, pass: admin1234567890
> >
> >
> >Thanks,
> >  
> >
> 
> Philipp
> 
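
One way to triage the honeypot output described in point 2, added here as an example and not part of the original messages or of OpenSSH: it parses lines in the "user: %s, pass: %s" format and labels each attempt with the pattern families discussed in the thread. The sshd log prefix, the simplified keyboard grid and the 0.7 threshold are assumptions of this example.

```python
import re
from collections import Counter

# Simplified QWERTY grid (row stagger ignored): an assumption of this example.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
# Matches the message produced by the error("user: %s, pass: %s", ...) call.
LINE_RE = re.compile(r"user: (\S+), pass: (.*)$")

def walk_ratio(password):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    chars = password.lower()
    if len(chars) < 2:
        return 0.0
    hits = 0
    for a, b in zip(chars, chars[1:]):
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            hits += max(abs(r1 - r2), abs(c1 - c2)) == 1
    return hits / (len(chars) - 1)

def classify(user, password):
    """Label one attempt with a pattern family seen in the two scans."""
    if password == user:
        return "same-as-username"
    if password.startswith(user) and password[len(user):].isdigit():
        return "username+digits"
    if len(password) >= 4 and walk_ratio(password) >= 0.7:
        return "keyboard-walk"
    return "other"

def summarize(log_lines):
    """Count pattern families across log lines; unrelated lines are skipped."""
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if m:
            counts[classify(m.group(1), m.group(2))] += 1
    return counts

# Constructed sample lines; the credentials are ones quoted in the thread.
SAMPLE = [
    "sshd[2101]: error: user: root, pass: 1qaz2wsx",
    "sshd[2101]: error: user: root, pass: qazwsxedcrfv",
    "sshd[2102]: error: user: root, pass: webmaster",
    "sshd[2103]: error: user: tomcat, pass: tomcat",
    "sshd[2104]: error: user: root, pass: root1234567890",
    "sshd[2104]: Connection closed by 192.0.2.10 port 40022",
]
```

Calling summarize(SAMPLE) gives the per-family counts, which can feed a deny list for a password policy check.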



        



        
                