lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <770620.54531.qm@web30903.mail.mud.yahoo.com>
Date: Thu, 14 Jan 2010 14:55:17 -0800 (PST)
From: Elliot Fernandes <elliotfernandes@...oo.com>
To: dd@...uri.net, full-disclosure@...ts.grok.org.uk
Subject: Re: Looking at SSH scans passwords (honeypot
	analysis)

What I can say is that, the person who was trying to access your honeypot was using a wordlist, albeit of bad quality because the wordlist contains a large degree of statistical randomness. For the most of us, passwords consist of dictionary words, so a good wordlist would contain that and permutations of it, not just gibberish. By the way, I've scouraged the internet for wordlists and I've seen entries with !@...^&*( , !@#$% , !@#$ , !@# and the others you've included.

--- On Thu, 1/14/10, dd@...uri.net <dd@...uri.net> wrote:

> From: dd@...uri.net <dd@...uri.net>
> Subject: [Full-disclosure] Looking at SSH scans passwords (honeypot analysis)
> To: full-disclosure@...ts.grok.org.uk
> Date: Thursday, January 14, 2010, 10:49 PM
> I just wrote a small analysis of the
> SSH scans against our honeypots and one
> thing that intrigued me are some of the passwords used in
> the scans.
> 
> You can see the article here:
> http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html
> 
> But what I am intrigued about are these passwords (bottom
> of the
> article). Some are very complex
> and unique enough that I would guess they are used as
> backdoors or
> common access across
> somewhere... Anyone have ideas or know where they are
> used?
> 
> # USER, PASS
> 5 software, cvsroot
> 5 soft123, sourceforge
> 5 rosymdelfin, conautoveracruz
> 1 root, tiganilaflorinteleorman
> 1 belltrix, spaf@...ene59p9e9rewr*katr
> 1 tiganilaflorinteleorman, root
> 1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
> 1 sadmin, &thecentercannothold&
> 1 saddleman357, safe
> 1 sachin, f9uthlavIaPhlawroEXi
> 1 admin, b#5rum$ph!r!Keyufawre?a3r6
> 1 miquelfi, B|*Nsq|TO$~b
> 1 root, an0th3rd@y
> 1 admin, 63375312012a
> 1 root, zEfrephaq5qAnedufrethekuW
> 1 root, z1x2c3v4b5n6
> 1 root, xsw21qaz
> 1 root, wiu2ludrlamoatiuTriu
> 1 root, teiubescdartunumaiubestiasacahaidesaterminam
> 1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
> 1 root, rough46road15
> 1 root, fiatmx1q2w3e
> 1 root, empire12
> 1 root, efKO1$4?
> 1 root, eempire99
> 1 root, d3lt4f0rc3
> 1 root, celes3cat
> 1 root, bleCroujouwLUswOEdrlAfo6w
> 1 root, bUspamaxegEGuyU52PEt6estU
> 1 root, an0th3rd@y
> 1 root, admin321321
> 1 root, admin1
> 1 root, admin
> 1 root, abcd1234
> 1 root, a1s2d3f4g5h6
> 1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
> 1 root, QT3CUCCj
> 1 root, Pr99*35a!ra-EwruvU3E@...Uk
> 1 root, N6a4t4u8OEwiaW8i7HLaqLaki
> 1 root, Liteon81
> 1 root, B_$Aj3y3#UCraveVE5e23er@P4
> 1 root, BP5FbGRr
> 1 root, 63375312012a
> 1 root, 1z2x3c4v5b6n
> 1 root, 1qaz2wsx
> 1 root, 1q2w3e4r5t6y
> 1 root, 1q2w3e4r5t
> 1 root, 1q2w3e4r
> 1 root, 1a2s3d4f5g6hy
> 1 root, +#SGU9&rbf-#
> 1 root, !@...^&*(
> 1 root, !@#$%
> 1 root, !@#$
> 1 root, !@#
> 1 root, +#sgu9&rbf-#
> 1 root, )(*&^%$#@!
> 1 root, &thecentercannothold&
> 1 root, %5%7%4%5%1%4%8%7
> 1 news, $changeme$
> 1 $ passwd
> 1 root, !@...^&*()
> 1 q16060502141279, q16060502141279
> 1 pr99*35a!ra-ewruvu3e@...uk, admin
> 1 n6a4t4u8oewiaw8i7hlaqlaki, root
> 1 admin, miemleh9esplawriuthiewias
> 1 admin, J34a47nu
> 1 zefrephaq5qanedufrethekuw, sadmin
> 1 zander, zechsmerquise88
> 1 root, zaxscd13524
> 1 zander, zechsmerquise88
> 1 yxwvutseqponmlkjihgfedcba, root
> 1 yuneneli, z11060510412854
> 1 yourdotw, ip46262
> 1 xgridagent, xgridcontroller
> 1 xj050i7bfa, root
> 1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
> 1 root, wolfiz0r@
> 1 admin, wolfiz0r@
> 1 root, wiu2ludrlamoatiutriu
> 1 ups650cl, lbjlive
> 1 root, unlocker
> 1 u33977059, ubuntu
> 1 u231006, u33977059
> 1 u208417, u231006
> 1 u207114, u208417
> 1 tyson, u207114
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


      

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ