{"id":379,"date":"2006-03-20T04:47:00","date_gmt":"2006-03-20T04:47:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=379"},"modified":"2020-07-03T04:48:00","modified_gmt":"2020-07-03T04:48:00","slug":"interesting-information-about-ssh-scans","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2006\/03\/interesting-information-about-ssh-scans\/","title":{"rendered":"Interesting information about SSH scans"},"content":{"rendered":"\n<p>I spent last week doing some research on the recently very active SSH scans and sent out the following e-mail to the incidents mailing list. Just some clarification before the e-mail itself:<\/p>\n\n\n\n<p>1- My modified version of SSHD is very simple and I won\u2019t publish a diff. I basically just downloaded the latest version from openssh.org and added these two lines to auth-passwd.c (on line 80 of the file \u2014 just after the beginning of the auth_password function):<\/p>\n\n\n\n<p><em>if(strlen(password) &gt; 1)<br>error(\"user: %s, pass: %s\", authctxt-&gt;user, password);<\/em><\/p>\n\n\n\n<p>2- Regarding the location of the scans, they look very<br>dispersed (my boxes are in the US). I got two from Brazil,<br>one from the UK, one from NL, one from Japan, two from<br>India (from the same ISP), 2 from the USA and 1 from<br>Canada\u2026<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">I set up some honeypots and also made a few\nmodifications to the ssh daemon to print out the\npasswords these scans were trying to use. I noticed a\nreduction in the number of scans, but I still got a\nfew in the last few days.\n\nBasically I noticed 2 different scans.\n\n** Scan 1 - Attempt many passwords against the root\naccount and a lot of attempts against common\/default\naccounts (with the password being the same as the\naccount name). 
Interestingly, some of the\npasswords for root don't look very simple and some\nuse keyboard combinations (probably common too).\nReceived scans of this type from 7 different IPs (same\npasswords, users, etc).\n\n** Scan 2 - Attempt a lot of strange passwords against\nthe root and admin account. Look below to see why I\nthink they are strange. Looks like the scanner is\nbroken :)\nReceived scans of this type from 3 different IPs.\n\n*** User, password combinations:\n\n** Scan 1 (user, password combinations):\nuser root, pass: 1qaz2wsx\nuser root, pass: 1q2w3e4r5t6y\nuser root, pass: 1qaz2wsx3edc4rfv\nuser root, pass: qazwsxedcrfv\nuser root, pass: webmaster\nuser root, pass: michael\nuser root, pass: work\nuser root, pass: maggie\nuser root, pass: print\nuser root, pass: 123456\nuser root, pass: root1234\nuser root, pass: 1qaz2wsx3edc\nuser root, pass: qazwsxedc\nuser root, pass: qazwsx\nuser root, pass: internet\nuser root, pass: mobile\nuser root, pass: windows\nuser root, pass: superman\nuser root, pass: 1q2w3e4r\nuser root, pass: network\nuser root, pass: system\nuser root, pass: administrator\nuser root, pass: 123qwe\nuser root, pass: manager\nuser root, pass: redhat\nuser root, pass: fedora\nuser root, pass: okmnji\nuser root, pass: qwerty\nuser root, pass: httpd\nuser root, pass: linux\nuser root, pass: coder\nuser root, pass: www\nuser root, pass: 123123\nuser root, pass: 1234567890\n\nuser james, pass: james\nuser cvs, pass: cvs\nuser tony, pass: tony\nuser bill, pass: bill\nuser print, pass: print\nuser maggie, pass: maggie\nuser info, pass: info\nuser http, pass: http\nuser ftp, pass: ftp\nuser dany, pass: dany\nuser suse, pass: suse\nuser oracle, pass: oracle\nuser tomcat, pass: tomcat\nuser backup, pass: backup\nuser id, pass: id\nuser sgi, pass: sgi\nuser postgres, pass: postgres\nuser flowers, pass: flowers\nuser internet, pass: internet\nuser linux, pass: linux\nuser nokia, pass: nokia\nuser bash, pass: bash\nuser mysql, pass: mysql\nuser 
webmaster, pass: webmaster\n\n** Scan 2 (user, password combinations):\nThese passwords look very strange... Will anyone\never use a password of root1234567890? :)\n\nuser root, pass: root12\nuser root, pass: root123\nuser root, pass: root1234\nuser root, pass: root12345\nuser root, pass: root123456\nuser root, pass: root1234567\nuser root, pass: root12345678\nuser root, pass: root123456789\nuser root, pass: root1234567890\n\nuser admin, pass: admin\nuser admin, pass: admin1\nuser admin, pass: admin12\nuser admin, pass: admin123\nuser admin, pass: admin1234\nuser admin, pass: admin12345\nuser admin, pass: admin123456\nuser admin, pass: admin1234567\nuser admin, pass: admin12345678\nuser admin, pass: admin123456789\nuser admin, pass: admin1234567890<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I spent last week doing some research on the recently very active SSH scans and sent out the following e-mail to the incidents mailing list. Just some clarification before the e-mail itself: 1- My modified version of SSHD is very simple and I won\u2019t publish a diff. 
I basically just downloaded the last version from [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/379"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=379"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/379\/revisions"}],"predecessor-version":[{"id":380,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/379\/revisions\/380"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
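The two lines the post adds to auth_password() log every attempted user/password pair through OpenSSH's error(), which writes the message to syslog with an "error: " prefix; the source address is not in that line, but the daemon's ordinary "Failed password for ... from <ip> port <n> ssh2" line from the same sshd process carries it. As an added example (not part of the original post, of OpenSSH, or of OSSEC), the Python below joins the two lines on the sshd pid and then profiles each source against the two scan shapes described in the e-mail: a root dictionary plus user==password accounts (Scan 1) versus the root123.../admin123... sequences (Scan 2). The log lines are constructed, the hostname, pids and addresses are made up, and pid correlation is an assumption about how the patched daemon logs.

```python
"""Correlate password-logging sshd lines with 'Failed password' lines and
profile each scanning source.  Added example; all log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample.  A sshd patched as in the post logs
# "error: user: <u>, pass: <p>" from auth_password(); the next
# "Failed password for ..." line from the same sshd pid carries the source IP.
# (Assumption: both lines are emitted by the same sshd process, so pid links them.)
SAMPLE_LOG = """\
Mar 20 04:40:01 hp sshd[2101]: error: user: root, pass: 1qaz2wsx
Mar 20 04:40:01 hp sshd[2101]: Failed password for root from 10.0.0.5 port 40101 ssh2
Mar 20 04:40:03 hp sshd[2103]: error: user: root, pass: 123456
Mar 20 04:40:03 hp sshd[2103]: Failed password for root from 10.0.0.5 port 40102 ssh2
Mar 20 04:40:05 hp sshd[2105]: error: user: tomcat, pass: tomcat
Mar 20 04:40:05 hp sshd[2105]: Failed password for invalid user tomcat from 10.0.0.5 port 40103 ssh2
Mar 20 04:40:07 hp sshd[2107]: error: user: oracle, pass: oracle
Mar 20 04:40:07 hp sshd[2107]: Failed password for invalid user oracle from 10.0.0.5 port 40104 ssh2
Mar 20 04:41:00 hp sshd[2201]: error: user: root, pass: root12
Mar 20 04:41:00 hp sshd[2201]: Failed password for root from 192.0.2.9 port 50001 ssh2
Mar 20 04:41:01 hp sshd[2203]: error: user: root, pass: root123
Mar 20 04:41:01 hp sshd[2203]: Failed password for root from 192.0.2.9 port 50002 ssh2
Mar 20 04:41:02 hp sshd[2205]: error: user: admin, pass: admin1234
Mar 20 04:41:02 hp sshd[2205]: Failed password for invalid user admin from 192.0.2.9 port 50003 ssh2
Mar 20 04:42:00 hp sshd[2301]: Accepted publickey for dcid from 10.0.0.2 port 4000 ssh2
"""

# Line from the post's error() call: pid, user, password (password may contain spaces).
PASS_RE = re.compile(r"sshd\[(\d+)\]: error: user: (\S+), pass: (.*)$")
# Standard sshd failure line; "invalid user" appears when the account does not exist.
FAIL_RE = re.compile(
    r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2$")
# The "broken scanner" shape of Scan 2: account name followed only by digits.
SEQUENTIAL_RE = re.compile(r"^(root|admin)\d+$")


def correlate(log_text):
    """Return a list of (src_ip, user, password) attempts, joined on the sshd pid."""
    pending = {}   # pid -> (user, password) logged but not yet tied to a source IP
    attempts = []
    for line in log_text.splitlines():
        m = PASS_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = FAIL_RE.search(line)
        if m and m.group(1) in pending:
            user, password = pending.pop(m.group(1))
            attempts.append((m.group(3), user, password))
    return attempts


def profile(attempts):
    """Per source IP: attempt count, users tried, and which scan pattern it resembles."""
    by_ip = defaultdict(list)
    for ip, user, password in attempts:
        by_ip[ip].append((user, password))
    report = {}
    for ip, pairs in by_ip.items():
        n = len(pairs)
        same = sum(1 for u, p in pairs if u == p)            # user == password guesses
        seq = sum(1 for u, p in pairs if SEQUENTIAL_RE.match(p))
        users = {u for u, _ in pairs}
        if seq * 2 > n:
            kind = "scan2-like"    # mostly root123... / admin123... sequences
        elif same and "root" in users:
            kind = "scan1-like"    # root dictionary plus default-account guesses
        else:
            kind = "other"
        report[ip] = {"attempts": n, "users": sorted(users),
                      "user_eq_pass": same, "sequential": seq, "kind": kind}
    return report


if __name__ == "__main__":
    for ip, info in sorted(profile(correlate(SAMPLE_LOG)).items()):
        print(ip, info)
```

Since the post's patch writes cleartext passwords into the system log, it belongs only on a throwaway honeypot host, never on a production sshd; the correlation above runs fine on standard "Failed password" lines alone (count and users per IP) if the password field is not available.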