Honeypot analysis – Looking at SSH scans

An integral part of the Sucuri project is to research and monitor current attacks as a way to improve our defense techniques. To achieve that, we have been running a few honeypots for almost a year, collecting data on the attacks used against them and learning from them.

After a year, I think we are ready to start sharing the information we have learned…

The first step was to create a page with information about the systems involved in web attacks. We also have two blacklists, updated daily: the first is composed of the domains that are hosting the malware/php/perl scripts, while the second is composed of the IP addresses that are actively scanning our honeypots. You can check them out, plus the tools used, at Blacklist and Research based on web attacks.

Now, the second step is to write about the attacks we are seeing to help educate others…

Looking at SSH scans

All our honeypots have a modified SSH server running, where we collect every connection attempt, the user name and password used, and everything typed if the attacker gets access via SSH. Over the course of one year, we recorded more than 1,600 different SSH scans against our systems. The data below covers only the last few months; the first number on each line is the number of different scans in which that entry was logged.

Top 50 user/password combinations

# USER, PASS
16 oracle, oracle
13 root, root
12 root, abc123
12 root, 123456
11 tester, test
10 uploader, uploader
10 test123, spam
10 qwerty, testuser
10 qazwsxedc, tester
10 password, test1
10 password, john
10 password, cstrike
10 123456, testuser
10 123456, test2
10 123456, raqbackup
10 123456, gamer
10 123456, cvsadm
10 123456, calendar
10 123456, bill
9 root, 123qwe
9 mike, mike
9 agata, agata
8 test, test123
8 root, qwerty
8 marketing, marketing
8 johan, johan
8 joan, joan
8 ftp, ftp123
8 ftp, ftp
8 carla, carla
8 bruno, bruno
8 admin, admin
8 123, user
7 test, test
7 tech, tech
7 root, password
7 ronaldo, ronaldo
7 raimundo, raimundo
7 nick, nick
7 max, max
7 library, library
7 jeff, jeff
7 internet, internet
7 hans, hans
7 grace, grace
7 ftp, ftpuser
7 frank, frank
7 francisco, francisco
7 francis, francis

It is interesting to note that the first column is the user name, yet we see many entries with 123456 as the user name and testuser or bill as the password. My guess? Someone messed up the password lists and inverted the order… Anyone have ideas?
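The counting behind these tables (one scan per source, each credential tallied by how many distinct scans tried it) and the check for inverted wordlist columns can be reproduced with a short script. The following is an added example, not the honeypot code used for this post. It assumes a constructed log format of one attempt per line, `<timestamp> <source_ip> <user> <password>`, treats each distinct source IP as one scan, and runs on made-up sample lines embedded in the script.

```python
"""Tally SSH honeypot credential attempts into the post's three tables.

Assumed input (constructed for this example, not the honeypot's real
format): one authentication attempt per line,
    <timestamp> <source_ip> <username> <password>
A "scan" is taken to be one source IP, so every count below is the
number of distinct scans that tried a credential, not raw attempts.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2010-01-05T10:00:01 198.51.100.10 root root
2010-01-05T10:00:02 198.51.100.10 root 123456
2010-01-05T10:00:03 198.51.100.10 root 123456
2010-01-05T10:00:04 198.51.100.10 oracle oracle
2010-01-05T10:01:00 203.0.113.7 root root
2010-01-05T10:01:01 203.0.113.7 123456 testuser
2010-01-05T10:01:02 203.0.113.7 oracle oracle
2010-01-05T10:02:00 192.0.2.44 oracle oracle
2010-01-05T10:02:01 192.0.2.44 testuser 123456
2010-01-05T10:02:02 192.0.2.44 root root
2010-01-05T10:02:03 192.0.2.44 root !@#$%^&*(
malformed line that the parser must skip
"""


def parse_line(line):
    """Return (source_ip, user, password), or None if the line does not fit.

    The password is the last field and may itself contain spaces or
    shell metacharacters, so split on at most three separators and
    validate the IP rather than trusting the field count alone.
    """
    parts = line.rstrip("\r\n").split(None, 3)
    if len(parts) != 4:
        return None
    _timestamp, ip, user, password = parts
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ip, user, password


def parse_log(text):
    """Parse every well-formed line, silently dropping the rest."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def _scan_counts(index):
    """Collapse {key: set_of_ips} into {key: number_of_distinct_scans}."""
    return {key: len(ips) for key, ips in index.items()}


def tally_by_scan(records):
    """Count distinct scans (source IPs) per credential pair, user and password."""
    pair_ips, user_ips, pass_ips = defaultdict(set), defaultdict(set), defaultdict(set)
    for ip, user, password in records:
        pair_ips[(user, password)].add(ip)
        user_ips[user].add(ip)
        pass_ips[password].add(ip)
    return _scan_counts(pair_ips), _scan_counts(user_ips), _scan_counts(pass_ips)


def top(counts, n=50):
    """Highest count first; ties broken alphabetically so output is stable."""
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))[:n]


def swapped_pairs(pair_counts):
    """Credential pairs that also occur with user and password exchanged.

    A cluster of these (user '123456' with password 'testuser' next to
    user 'testuser' with password '123456') is the fingerprint of a
    wordlist whose two columns were read in the wrong order.
    """
    found = set()
    for user, password in pair_counts:
        if user != password and (password, user) in pair_counts:
            found.add(tuple(sorted((user, password))))
    return sorted(found)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    pairs, users, passwords = tally_by_scan(records)
    print("# USER, PASS")
    for (user, password), count in top(pairs):
        print(f"{count} {user}, {password}")
    print("\n# USER")
    for user, count in top(users):
        print(f"{count} {user}")
    print("\n# PASS")
    for password, count in top(passwords):
        print(f"{count} {password}")
    print("\nPairs also seen inverted:", swapped_pairs(pairs))
```

Counting distinct sources rather than raw attempts is what keeps one noisy scanner hammering `root/123456` from dominating the table; the last line of output lists pairs that also appear with the columns exchanged, which is the quickest way to confirm the inverted-wordlist suspicion on a real capture.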

Top 50 user names used

# USER
241 root
221 password
100 admin
87 test
87 qwerty
72 www
68 123
67 000000
66 111111
65 1234567
63 asdfgh
59 testing
59 test123
58 abc123
53 pass123
52 qazwsx
50 tester
48 server
47 abcdef
46 testing123
46 testing1
46 qazwsxedc
45 zxcvbnm
45 zxcvbn
45 testtest
40 oracle
39 ftp
33 test1
32 passwd
31 tester123
31 tester1
31 pass
30 pgsql
29 operator
28 dan
27 administrator
26 master
26 bin
25 oper
24 nobody
22 backup
21 postgres
21 mail
21 daemon
21 87654321
21 654321
20 office
19 test2
18 ts
17 mike
17 guest
16 monica

Top 50 passwords used

# PASS
1427 root
346 test
305 123456
264 testuser
259 tester
242 test123
241 testing
240 test1
236 test2
230 test4
230 test3
113 12345
106 admin
75 user
69 nobody
69 123
65 1234
63 nick
59 webadmin
50 webmaster
49 oracle
48 web
46 password
43 news
42 info
40 sysadm
37 mysql
36 eqidemo
36 cvsadm
34 spam
31 administrator
30 uploader
28 lp
27 system
27 john
27 jack
27 fred
27 bill
26 visitor
26 daily
26 cstrike
25 techsupport
25 sql
25 smtp
23 qwerty
23 michael
22 weblogic
22 webalizer
22 toor
22 sys

Complex passwords logged

Most of the scan attempts used very common passwords, but some of them had really complex passwords that I can only imagine are used as backdoors or as default passwords for some common systems. Anyone have clues? I “googled” and didn’t find anything...

# USER, PASS
5 software, cvsroot
5 soft123, sourceforge
5 rosymdelfin, conautoveracruz
1 root, tiganilaflorinteleorman
1 belltrix, spaf@r?_ene59p9e9rewr*katr
1 tiganilaflorinteleorman, root
1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
1 sadmin, &thecentercannothold;&
1 saddleman357, safe
1 sachin, f9uthlavIaPhlawroEXi
1 admin, b#5rum$ph!r!Keyufawre?a3r6
1 miquelfi, B|*Nsq|TO$~b
1 root, an0th3rd@y
1 admin, 63375312012a
1 root, zEfrephaq5qAnedufrethekuW
1 root, z1x2c3v4b5n6
1 root, xsw21qaz
1 root, wiu2ludrlamoatiuTriu
1 root, teiubescdartunumaiubestiasacahaidesaterminam
1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
1 root, rough46road15
1 root, fiatmx1q2w3e
1 root, empire12
1 root, efKO1$4?
1 root, eempire99
1 root, discovery
1 root, dave
1 root, d3lt4f0rc3
1 root, celes3cat
1 root, bleCroujouwLUswOEdrlAfo6w
1 root, bUspamaxegEGuyU52PEt6estU
1 root, asdfghjkl
1 root, apple
1 root, apache
1 root, an0th3rd@y
1 root, admin321321
1 root, admin1
1 root, admin
1 root, abcd1234
1 root, a1s2d3f4g5h6
1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
1 root, QT3CUCCj
1 root, Pr99*35a!ra-EwruvU3E@rAtUk
1 root, N6a4t4u8OEwiaW8i7HLaqLaki
1 root, Liteon81
1 root, B_$Aj3y3#UCraveVE5e23er@P4
1 root, BP5FbGRr
1 root, 63375312012a
1 root, 1z2x3c4v5b6n
1 root, 1qaz2wsx
1 root, 1q2w3e4r5t6y
1 root, 1q2w3e4r5t
1 root, 1q2w3e4r
1 root, 1a2s3d4f5g6hy
1 root, +#SGU9&rbf-;#
1 root, !@#$%^&*(
1 root, !@#$%
1 root, !@#$
1 root, !@#
1 root, +#sgu9&rbf-;#
1 root, )(*&^%$#@!
1 root, &thecentercannothold;&
1 root, %5%7%4%5%1%4%8%7
1 oracle, $changeme$
1 nobody, $changeme$
1 news, $changeme$
1 $ passwd
1 root, !@#$%^&*()
1 root, !!!
1 qeqawrexudaducu7eyuswacez, root
1 qazwsxeds, root
1 qazwsxedc, root
1 qazwsx, user
1 q16060502141279, q16060502141279
1 pr99*35a!ra-ewruvu3e@ratuk, admin
1 n6a4t4u8oewiaw8i7hlaqlaki, root
1 admin, miemleh9esplawriuthiewias
1 admin, J34a47nu
1 zefrephaq5qanedufrethekuw, sadmin
1 zander, zechsmerquise88
1 root, zaxscd13524
1 zander, zechsmerquise88
1 yxwvutseqponmlkjihgfedcba, root
1 yuneneli, z11060510412854
1 yourdotw, ip46262
1 xgridagent, xgridcontroller
1 xj050i7bfa, root
1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
1 root, wolfiz0r@
1 admin, wolfiz0r@
1 wmassma, wolf
1 wlp, wmassma
1 wlan, wlp
1 wkoweg, wlan
1 root, wiu2ludrlamoatiutriu
1 ups650cl, lbjlive
1 root, unlocker
1 u33977059, ubuntu
1 u231006, u33977059
1 u208417, u231006
1 u207114, u208417
1 tyson, u207114
1 ska, skandinavia
1 sjfconsulting, ska
1 sjaekel, sjfconsulting

That’s it. If you want me to run more queries or generate more stats, let me know and I will update this post.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://jay-zeng.com Jay

    Interesting breakdown, reminded me of how Twitter detects weak passwords by loading a dictionary of weak passwords with assigned strengths.

    Can you also give details about what "malware/php/perl scripts" you run and the platform environment? This will be helpful to sort out some demographic info regarding the attackers.

  • http://www.blogger.com/profile/01575450825485782393 NTulip

    Ha! I especially love this complex password: teiubescdartunumaiubestiasacahaidesaterminam

    Romanian for: "I love you but you do not love me, so let's end it"

  • Anonymous

    Some of the complex ones definitely don't appear to have a pattern, but others do:

    !@#$%^&*() is 1 through 0 on the keyboard while holding the shift key.

    )(*&^%$#@! is the reverse of that above.

    1q2w3e4r5t6y is simply a number and the key below it.

    And so on...
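The keyboard patterns the commenter points out can be checked mechanically, which is useful when auditing a password list for "complex-looking" strings that are really keyboard walks. The script below is an added example, not code from the commenter or from the post. It assumes a US QWERTY layout, maps Shift+digit symbols back to their digit, and generalizes the zigzag case to columns of two to four keys read top-down over adjacent rows (so it also catches `1qaz2wsx` and `qazwsxedc` from the tables above); strings that skip a row, such as `1z2x3c`, are deliberately not matched.

```python
"""Flag passwords that are keyboard walks on a US QWERTY layout.

Handles shifted digit rows ("!@#$%^&*()"), their reverse, plain row
runs ("asdfghjkl", "87654321") and zigzags down adjacent keyboard
columns ("1q2w3e4r5t6y", "1qaz2wsx", "qazwsxedc"). Assumes a US layout.
"""

# Physical rows of a US QWERTY keyboard, top to bottom (digits and letters only).
ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Shift+digit on a US layout produces these symbols, in column order.
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")


def normalize(password):
    """Lower-case letters and map shifted digit-row symbols back to digits."""
    return password.lower().translate(UNSHIFT)


def is_row_walk(keys, min_len=3):
    """True if `keys` runs left-to-right or right-to-left along one row."""
    if len(keys) < min_len:
        return False
    return any(keys in row or keys in row[::-1] for row in ROWS)


def _column(col, top, depth):
    """The `depth` keys in keyboard column `col`, starting at row `top`, or None."""
    keys = []
    for row in ROWS[top:top + depth]:
        if col >= len(row):
            return None
        keys.append(row[col])
    return "".join(keys)


def is_column_walk(keys):
    """True if `keys` is consecutive columns, each read top-down over adjacent rows.

    Splits the string into equal chunks of 2 to 4 keys and checks that
    chunk j equals column (start + j) over the same rows for every j.
    """
    n = len(keys)
    for depth in (2, 3, 4):
        if n < 2 * depth or n % depth:
            continue
        chunks = [keys[i:i + depth] for i in range(0, n, depth)]
        for top in range(len(ROWS) - depth + 1):
            for start in range(len(ROWS[0]) - len(chunks) + 1):
                if all(chunks[j] == _column(start + j, top, depth)
                       for j in range(len(chunks))):
                    return True
    return False


def keyboard_pattern(password):
    """Return a label for the keyboard pattern found, or None if there is none."""
    keys = normalize(password)
    if is_row_walk(keys):
        shifted = keys != password.lower()
        return "row walk (shifted)" if shifted else "row walk"
    if is_column_walk(keys):
        return "column walk"
    return None


if __name__ == "__main__":
    # Candidates taken from the post's tables plus one genuinely unpatterned string.
    for candidate in ("!@#$%^&*()", ")(*&^%$#@!", "1q2w3e4r5t6y",
                      "qazwsxedc", "1qaz2wsx", "asdfghjkl",
                      "teiubescdartunumaiubestiasacahaidesaterminam"):
        print(f"{candidate!r}: {keyboard_pattern(candidate)}")
```

Normalizing the shifted symbols first is what makes `!@#$%^&*()` and `)(*&^%$#@!` fall out as the same row walk; a password-strength check that only counts character classes would have scored both as strong.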

  • http://diablohorn.wordpress.com DiabloHorn

    A permanent stats overview would be nice I think. Seems like the most complex ones have been harvested by just spidering public information. For example googling one of the passwords you listed, the following website is encountered:

    http://antispam.andreotti.nl/spamlog200910.txt

    which also contains difficult (long) passwords like this one for example:

    #mafiavafute197532@%!?*

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Jay: Most of the attacks I am seeing are against Linux boxes, but we have some Windows-based too. Look at the blacklist link to see all the tools.

    NTulip: lol, that's very funny…

  • http://www.blogger.com/profile/11541879660002022816 terraformer

    [quote]Most of the scan attempts were using very common passwords, but some of them had really complex passwords that I can only imagine that are used as backdoors or as default passwords for some common systems. Anyone have clues? I "googled" and didn't find anything..[/quote]

    I would say that a lot of those passwords are l33t'ish and are probably passwords in other malware. Some have obvious patterns.