[nsp-sec] Strange usernames in SSH scan ?
Rodolfo Baader
rbaader at arcert.gov.ar
Tue Sep 20 11:01:36 EDT 2011
Hi ...
the string "HOla%201%2B2%3D3%20Espa%00a%20%00"
decodes to "Hola 1+2=3 España ñ"
But as Jose Nazario has already said, someone (the attacker) has confused the
password file and the username file when launching the SSH scanning attack.
Take a look at: http://www.abraxas.org/rootpasswords
and you will find the passwords (usernames in this case)
"HOla%201%2B2%3D3%20Espa%00a%20%00"
and "@n!md at mP#$@$&#@!#mTadm!n$@" that is very similar to
"@n!md at mP#$@౅$&#@!#mTadm!n$@"
Hope this helps.
Regards,
R.
On 20/09/11 08:24, Carles Fragoso wrote:
> ----------- nsp-security Confidential --------
>
> BTW, after Hola123 you can see Espaa which probably means "España" (Spain).
>
> -- Carlos
>
> On Sep 19, 2011, at 8:10 PM, Smith, Donald wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> If you google for the 2nd username, it was reported by others; one of those had Hola123, which I think is what that username is "sort of" supposed to be.
>>
>>
>>
>> Ignorance is Bliss. "Bliss (Basic Language for Implementation of System Software) was a
>> systems programming language originally for the PDP-10 and DECsystem-20 written at CMU." Kevin Oberman RTD
>> Donald.Smith at CenturyLink.com
>>
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
>>> bounces at puck.nether.net] On Behalf Of Jose Nazario
>>> Sent: Monday, September 19, 2011 11:58 AM
>>> To: Kurt Jaeger
>>> Cc: nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] Strange usernames in SSH scan ?
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> someone confuse their password file and username file?
>>>
>>> On Mon, 19 Sep 2011, Kurt Jaeger wrote:
>>>
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> Hi!
>>>>
>>>> Recently, we found strange usernames in SSH scans.
>>>>
>>>> sshd[23410]: Invalid user @n!md at mP#$@౅$&#@!#mTadm!n$@ from
>>> 60.191.41.97
>>>> sshd[23420]: Invalid user HOla%201%2B2%3D3%20Espa%00a%20%00 from
>>> 60.191.41.97
>>>>
>>>> Is there a reason for those usernames (syslog exploits ?) ?
>>>>
>>>>
>>>
>>> --
>>> -------------------------------------------------------------
>>> jose nazario, ph.d. <jose at arbor.net>
>>> manager of security research arbor networks
>>> v: (734) 821 1427 http://asert.arbor.net/
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
>>> security
>>> community. Confidentiality is essential for effective Internet security
>>> counter-measures.
>>> _______________________________________________
>>
>> This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly
>> prohibited and may be unlawful. If you have received this communication
>> in error, please immediately notify the sender by reply e-mail and destroy
>> all copies of the communication and any attachments.
>>
>>
>>
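The thread turns on two points: the "usernames" in the sshd log are really entries from a password list, and one of them is percent-encoded (where %00 is a NUL byte, consistent with the reading above that a non-ASCII character such as ñ was dropped). The following is an added example, not code from any of the posters, that parses "Invalid user" lines like the two quoted by Kurt, percent-decodes the username the way Rodolfo did, and flags the traits a defender would want surfaced: percent-encoding, embedded NUL or control bytes, and non-ASCII characters. The sample log text is constructed from the two lines in the thread, re-joined onto single lines because the archive wrapped the source address; the regex and the finding labels are this example's own assumptions, not sshd's.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the two sshd lines quoted in the thread, re-joined onto
# single lines (the archive wrapped the source address onto the next line).
SAMPLE_LOG = """\
sshd[23410]: Invalid user @n!md at mP#$@\u0c45$&#@!#mTadm!n$@ from 60.191.41.97
sshd[23420]: Invalid user HOla%201%2B2%3D3%20Espa%00a%20%00 from 60.191.41.97
"""

# Usernames may contain spaces (the archive rewrote "@" as " at "), so match
# greedily and anchor on the final " from <addr>" of the line.
INVALID_USER_RE = re.compile(r"sshd\[(\d+)\]: Invalid user (.*) from (\S+)\s*$")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def parse_invalid_user(line):
    """Return pid, raw username and source address from one sshd line, or None."""
    m = INVALID_USER_RE.search(line)
    if not m:
        return None
    pid, user, src = m.groups()
    return {"pid": int(pid), "user": user, "src": src}


def decode_username(user):
    """Percent-decode to bytes so that %00 survives as a real NUL byte.

    Returns (raw_bytes, text) where text is a lossless latin-1 view of the bytes.
    """
    raw = unquote_to_bytes(user)
    return raw, raw.decode("latin-1")


def analyze_username(user):
    """Classify a logged username; the labels are this example's own."""
    raw, text = decode_username(user)
    findings = []
    if PCT_RE.search(user):
        findings.append("percent-encoded")
    if b"\x00" in raw:
        findings.append("contains NUL byte")
    if any(b < 0x20 or b == 0x7F for b in raw if b != 0):
        findings.append("contains control characters")
    if not user.isascii():
        findings.append("non-ASCII characters")
    return {"decoded": text, "findings": findings}


def scan_log(text):
    """Parse every 'Invalid user' line and attach the username analysis."""
    results = []
    for line in text.splitlines():
        rec = parse_invalid_user(line)
        if rec is None:
            continue
        rec.update(analyze_username(rec["user"]))
        results.append(rec)
    return results


def sources_with_encoded_usernames(results):
    """Source addresses that sent at least one percent-encoded username."""
    return sorted({r["src"] for r in results if "percent-encoded" in r["findings"]})


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        # Show NUL bytes explicitly so they are visible on a terminal.
        shown = r["decoded"].replace("\x00", "\\x00")
        print(f'{r["src"]} pid={r["pid"]} user={r["user"]!r}')
        print(f'    decoded={shown!r} findings={r["findings"]}')
    print("sources:", sources_with_encoded_usernames(scan_log(SAMPLE_LOG)))
```

Decoding to bytes rather than with `unquote()` keeps the distinction between a NUL byte and ordinary text, which is what makes the second username stand out; a username that only looks odd because of the " at " rewrite or a non-ASCII glyph is reported separately.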