[nsp-sec] Strange usernames in SSH scan ?

Russell Fulton r.fulton at auckland.ac.nz
Wed Sep 21 15:57:38 EDT 2011


Hi

Belated follow-up -- I needed to check how much I could share.

I am a member of the Dragon Research Group, a volunteer spin-off from Team Cymru. Our pods (sensors) have been collecting credentials used by SSH brute-force attacks for over a year now, so I did a search on the IP in the original. You think the usernames are screwy? Well, the passwords we have logged are even better! The script running the attack is clearly having problems reading its data files. Most of the passwords are on the order of 20-30 characters long and comprise real usercode/password pairs (often several) in a single 'password'. And as others have noticed, the wacky usernames are almost certainly passwords.

Those of you who attended FIRST this year may have seen (or got) a DRG T-shirt with a password/usercode tag cloud -- this data came from the same dataset.

This particular IP first showed up on the 15th in our logs and has hit several of our pods.

Russell

from our logs…

 time stamp          | source IP    | username                                            | password

 2011-09-17 14:35:56 | 60.191.41.97 | @n!md at mP#$@&#3141$&#@!#mTadm!n$@                     | root SDDF##21496%2 root
 2011-09-17 14:35:59 | 60.191.41.97 | HOla%201%2B2%3D3%20Espa%00a%20%00                    | root gbl123!@# root nairamcool.000.002
 2011-09-17 14:36:01 | 60.191.41.97 | root                                                 | soxy1 root 1227Dolores root 12qwaszx root qkm@!(%.)=*^&fhE root
 2011-09-17 14:36:03 | 60.191.41.97 | woodfish                                             | root #alpha/123/omega# root c0bra222 root
 2011-09-17 14:36:05 | 60.191.41.97 | ortega.123#TradeLinuxKi!l|iN6#Th3Ph03$%nix at NdR3b!irD | root
 2011-09-17 14:36:07 | 60.191.41.97 | Kr3at0r at I5Th3B3st0F!#$$#!                            | root a1u21r18o215 at byd0s root
 2011-09-17 14:36:10 | 60.191.41.97 | o!^CUZ at G0t_A_5m0k3                                   | root 5t0gtwqs root polq.323 root 6^H5t0gtwqs root
 2011-09-17 14:36:12 | 60.191.41.97 | soxy123                                              | root ~!@~!@~!@~!@~!@ root *BTWpwn? root santorini2006 root
 2011-09-17 14:36:14 | 60.191.41.97 | MK23nCds                                             | root 17IHiT18IHiT root #,^QB/naU2fkN'1qN-HM root !msoft1956



On 20/09/2011, at 5:45 AM, Kurt Jaeger wrote:

> ----------- nsp-security Confidential --------
> 
> Hi!
> 
> Recently, we found strange usernames in SSH scans.
> 
> sshd[23410]: Invalid user @n!md at mP#$@&#3141$&#@!#mTadm!n$@ from 60.191.41.97
> sshd[23420]: Invalid user HOla%201%2B2%3D3%20Espa%00a%20%00 from 60.191.41.97
> 
> Is there a reason for those usernames (syslog exploits ?) ?
> 
> -- 
> MfG/Best regards, Kurt Jaeger                                   9 years to go !
> Dr.-Ing. Nepustil & Co. GmbH  fon +49 7123 93006-0  pi at nepustil.net  
> Rathausstr. 3                 fax +49 7123 93006-99
> 72658 Bempflingen             mob +49 171 3101372
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
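The thread's explanation is that the attacker's script is mis-reading its credential file, so password strings (often several "user password" pairs run together) end up in the username field of "Invalid user" log lines. As an added example, not part of either post or of the DRG pods' own tooling, the following Python parses sshd "Invalid user" lines, flags usernames that look like mis-parsed credential data (over-long, containing whitespace or URL-encoded bytes such as %00, or characters outside the usual account-name set), tallies attempts per source IP, and splits a captured "password" field into the user/password pairs it appears to contain. The sample log lines reuse the usernames quoted in the thread verbatim (as the archive renders them); the second source IP, the extra usernames, the account-name list and the anomaly thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# "Invalid user <name> from <ip>": the name is matched non-greedily so that
# a name containing spaces (as in the quoted lines) still parses.
INVALID_USER = re.compile(
    r"sshd\[(\d+)\]: Invalid user (.*?) from (\d{1,3}(?:\.\d{1,3}){3})"
)
URL_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
# Character set a legitimate account name is normally drawn from (assumption).
PLAIN_NAME = re.compile(r"[A-Za-z0-9._-]+")
# Account names commonly targeted by brute forcers; used to split a
# concatenated "user password user password ..." string (constructed list).
ACCOUNT_NAMES = {"root", "admin", "test", "oracle", "user", "guest"}

# Constructed sample log: the first three names are the ones quoted in the
# thread, attributed to the IP reported there; 198.51.100.7 and 203.0.113.5
# are documentation-range addresses with ordinary usernames for contrast.
SAMPLE_LOG = """\
Sep 17 14:35:56 gw sshd[23410]: Invalid user @n!md at mP#$@&#3141$&#@!#mTadm!n$@ from 60.191.41.97
Sep 17 14:35:59 gw sshd[23420]: Invalid user HOla%201%2B2%3D3%20Espa%00a%20%00 from 60.191.41.97
Sep 17 14:36:03 gw sshd[23431]: Invalid user woodfish from 60.191.41.97
Sep 17 14:40:12 gw sshd[23502]: Invalid user admin from 198.51.100.7
Sep 17 14:40:15 gw sshd[23507]: Invalid user oracle from 198.51.100.7
Sep 17 14:41:00 gw sshd[23510]: Accepted publickey for alice from 203.0.113.5 port 52211 ssh2
"""


def parse_invalid_user(line):
    """Return (pid, username, source_ip) for an 'Invalid user' line, else None."""
    m = INVALID_USER.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def username_anomalies(name):
    """List the reasons a username looks like mis-parsed credential data."""
    reasons = []
    if len(name) > 32:                      # threshold is an assumption
        reasons.append("length>32")
    if any(c.isspace() for c in name):
        reasons.append("whitespace")
    if URL_ENCODED.search(name):
        reasons.append("url-encoded")
        if "%00" in name:                   # encoded NUL, never a real login name
            reasons.append("encoded-NUL")
    if not PLAIN_NAME.fullmatch(name):
        reasons.append("unusual-chars")
    return reasons


def summarize(log_text):
    """Per source IP: attempts, how many had an anomalous name, reason counts."""
    stats = defaultdict(lambda: {"attempts": 0, "anomalous": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        rec = parse_invalid_user(line)
        if rec is None:
            continue                        # not an invalid-user event
        _, user, ip = rec
        entry = stats[ip]
        entry["attempts"] += 1
        reasons = username_anomalies(user)
        if reasons:
            entry["anomalous"] += 1
            entry["reasons"].update(reasons)
    return dict(stats)


def extract_credential_pairs(password_field):
    """Split a captured 'password' such as 'root SDDF##21496%2 root' into the
    (user, password) pairs it appears to contain plus the leftover tokens that
    belong to a neighbouring record the attacker's file reader cut through."""
    tokens = password_field.split()
    pairs, leftover = [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ACCOUNT_NAMES and i + 1 < len(tokens) and tokens[i + 1] not in ACCOUNT_NAMES:
            pairs.append((tok, tokens[i + 1]))
            i += 2
        else:
            leftover.append(tok)
            i += 1
    return pairs, leftover


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["attempts"], entry["anomalous"], dict(entry["reasons"]))
    print(extract_credential_pairs("root SDDF##21496%2 root"))
```

Run over the sample, the first IP shows three attempts of which two carry anomalous names, while the documentation-range IP shows ordinary guesses only; the leftover tokens returned by `extract_credential_pairs` are the visible trace of the misaligned file reads the thread describes (for the "root" row in the pod log, "soxy1" is the password that belongs with that row's username, and the trailing "root" is the start of the next record).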
