Analysis of SSH brute force attacks

I spent last week doing some research on a very active SSH brute force / scan campaign and sent the following e-mail to the incidents mailing list with more details.

I modified the sshd daemon process to log every password being tried. It was a simple modification: these two lines added to auth-passwd.c (around line 80 of the file, just after the beginning of the auth_password function) did the job:

/* honeypot logging: record every password attempt longer than one character */
if (strlen(password) > 1)
	error("user: %s, pass: %s", authctxt->user, password);

In any event, here is the e-mail. I hope it is useful to someone:

I set up some honeypots and also made a few modifications to the ssh daemon to print out the passwords these scans were trying to use. I noticed a reduction in the number of scans, but I still got a few in the last few days.

Basically I noticed 2 different scans.

** Scan 1 - Attempts many passwords against the root account and a lot of attempts against common/default accounts (with the password being the same as the account name). Interestingly, some of the passwords for root don't look very simple and some use keyboard combinations (probably common too). Received scans of this type from 7 different IPs (same passwords, users, etc.).

** Scan 2 - Attempts a lot of strange passwords against the root and admin accounts. Look below to see why I think they are strange. Looks like the scanner is broken :)
Received scans of this type from 3 different IPs.

*** User, password combinations:

** Scan 1 (user, password combinations):
user root, pass: 1qaz2wsx
user root, pass: 1q2w3e4r5t6y
user root, pass: 1qaz2wsx3edc4rfv
user root, pass: qazwsxedcrfv
user root, pass: webmaster
user root, pass: michael
user root, pass: work
user root, pass: maggie
user root, pass: print
user root, pass: 123456
user root, pass: root1234
user root, pass: 1qaz2wsx3edc
user root, pass: qazwsxedc
user root, pass: qazwsx
user root, pass: internet
user root, pass: mobile
user root, pass: windows
user root, pass: superman
user root, pass: 1q2w3e4r
user root, pass: network
user root, pass: system
user root, pass: administrator
user root, pass: 123qwe
user root, pass: manager
user root, pass: redhat
user root, pass: fedora
user root, pass: okmnji
user root, pass: qwerty
user root, pass: httpd
user root, pass: linux
user root, pass: coder
user root, pass: www
user root, pass: 123123
user root, pass: 1234567890

user james, pass: james
user cvs, pass: cvs
user tony, pass: tony
user bill, pass: bill
user print, pass: print
user maggie, pass: maggie
user info, pass: info
user http, pass: http
user ftp, pass: ftp
user dany, pass: dany
user suse, pass: suse
user oracle, pass: oracle
user tomcat, pass: tomcat
user backup, pass: backup
user id, pass: id
user sgi, pass: sgi
user postgres, pass: postgres
user flowers, pass: flowers
user internet, pass: internet
user linux, pass: linux
user nokia, pass: nokia
user bash, pass: bash
user mysql, pass: mysql
user webmaster, pass: webmaster

** Scan 2 (user, password combinations):
These passwords look very strange... Will anyone ever use a password of root1234567890? :)

user root, pass: root12
user root, pass: root123
user root, pass: root1234
user root, pass: root12345
user root, pass: root123456
user root, pass: root1234567
user root, pass: root12345678
user root, pass: root123456789
user root, pass: root1234567890

user admin, pass: admin
user admin, pass: admin1
user admin, pass: admin12
user admin, pass: admin123
user admin, pass: admin1234
user admin, pass: admin12345
user admin, pass: admin123456
user admin, pass: admin1234567
user admin, pass: admin12345678
user admin, pass: admin123456789
user admin, pass: admin1234567890
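The patterns described in the e-mail can be picked out automatically from the log lines the patched sshd writes, which is what you want when a honeypot collects thousands of attempts. The following Python script is an added example, not code from the original post or from OSSEC. The sample log lines are constructed (the syslog prefix, hostname and pids are invented; only the "user: X, pass: Y" part matches the format of the two-line patch), and the QWERTY-adjacency threshold used to recognise keyboard walks is my own heuristic, not something the post defines. It labels each attempt as username-as-password, username followed by a leading run of 1234567890 (the "broken scanner" signature of scan 2), a keyboard walk (1qaz2wsx, qazwsxedc, okmnji), or other, and summarizes the counts per target account.

```python
"""Classify passwords logged by a patched sshd into the scan patterns
described in the post.  Added example, not part of the original post."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines: the "user: X, pass: Y" part is the format the
# two-line sshd patch emits; the syslog prefix, hostname and pids are invented.
SAMPLE_LOG = """\
Jan 10 02:13:44 honeypot sshd[2211]: user: root, pass: 1qaz2wsx
Jan 10 02:13:45 honeypot sshd[2212]: user: root, pass: qazwsxedc
Jan 10 02:13:46 honeypot sshd[2213]: user: root, pass: redhat
Jan 10 02:13:47 honeypot sshd[2214]: user: oracle, pass: oracle
Jan 10 02:13:48 honeypot sshd[2215]: user: postgres, pass: postgres
Jan 10 02:20:01 honeypot sshd[2300]: user: root, pass: root123
Jan 10 02:20:02 honeypot sshd[2301]: user: root, pass: root1234567890
Jan 10 02:20:03 honeypot sshd[2302]: user: admin, pass: admin
Jan 10 02:20:04 honeypot sshd[2303]: user: admin, pass: admin12345
"""

LINE_RE = re.compile(r"sshd\[\d+\]: user: (?P<user>[^,]*), pass: (?P<pw>.*)$")

# Unshifted QWERTY rows; (row, column) coordinates drive the keyboard-walk check.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}
DIGIT_RUN = "1234567890"


def parse_attempts(log_text):
    """Return a list of (user, password) tuples from patched-sshd log lines."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("pw")))
    return attempts


def keys_adjacent(a, b):
    """True if a and b are neighbouring keys: next to each other on the same
    row, or in the same/adjacent column on an adjacent row ('q'->'a', '1'->'q')."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    if ra == rb:
        return abs(ca - cb) == 1
    return abs(ra - rb) == 1 and abs(ca - cb) <= 1


def keyboard_walk_ratio(pw):
    """Fraction of consecutive character pairs that are adjacent on the keyboard."""
    pw = pw.lower()
    if len(pw) < 2:
        return 0.0
    pairs = list(zip(pw, pw[1:]))
    return sum(keys_adjacent(a, b) for a, b in pairs) / len(pairs)


def classify(user, pw):
    """Map one attempt onto the patterns seen in the post's two scans."""
    if pw == user:
        return "username_as_password"          # oracle/oracle, admin/admin
    suffix = pw[len(user):]
    if pw.startswith(user) and suffix and DIGIT_RUN.startswith(suffix):
        return "username_plus_digit_run"       # root12 ... root1234567890 (scan 2)
    if len(pw) >= 6 and keyboard_walk_ratio(pw) >= 0.75:   # heuristic threshold
        return "keyboard_walk"                 # 1qaz2wsx, qazwsxedc, 1q2w3e4r
    return "other"                             # redhat, michael, superman, ...


def summarize(log_text):
    """Count patterns overall and per target account."""
    overall = Counter()
    per_user = defaultdict(Counter)
    for user, pw in parse_attempts(log_text):
        label = classify(user, pw)
        overall[label] += 1
        per_user[user][label] += 1
    return overall, dict(per_user)


if __name__ == "__main__":
    overall, per_user = summarize(SAMPLE_LOG)
    for label, n in overall.most_common():
        print(f"{n:3d}  {label}")
    for user, counts in sorted(per_user.items()):
        print(user, dict(counts))
```

The adjacency rule deliberately ignores keyboard stagger, so a column walk like 1qaz2wsx scores 6 of 7 transitions as adjacent (only the jump from z back up to 2 fails), while ordinary dictionary words such as redhat or superman score well under the 0.75 threshold. Feeding the whole run of a scan through summarize() makes the two campaigns in the e-mail separate cleanly: scan 1 shows up as username_as_password plus keyboard_walk, scan 2 almost entirely as username_plus_digit_run.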

Posted in ossec, releases by Daniel Cid (dcid)