Latest ATT honeypot data reveals the top password as:


    Latest ATT honeypot data reveals the top password as:

    password
    which replaced the previous top password: 123456

    The other top passwords are:
    [Image: top_passwords.png, the chart of the other top passwords]
    What does having a firewall or running an AV product mean if it is all thrown out the window with such weak passwords?

    Oops! I forgot the link to the video, which has other interesting information, like password complexity, and the latest info about Cutwail, the major source of malware.
    Last edited by GreyGeek; Feb 22, 2014, 10:16 AM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.

    #2
    Damn, better change all my PWs

    I know so many people who use the same password for everything. looking through the logs on my server was a real eye opener:

    Code:
    admin@samhobbs /var/log $ cat auth.log.1 | grep sshd > ssh_logins.txt
    ssh_logins.txt

    !!

    I should probably use fail2ban to save resources, but I find it interesting and I only use publickey authentication.
    samhobbs.co.uk



      #3
      Wow! For nearly a week someone in Russia, from a single IP address, was pounding on your server every few seconds! And, on the last couple of days, was joined by another person from a single IP address in China. More than likely it was government agents in those countries.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.



        #4
        That's not uncommon, either!

        Seriously though, if you were going to write a script to try to guess SSH logins, wouldn't you try a few and if they all gave you "Permission Denied: Publickey" responses just move on? I know you only get that response if you try to log on as a valid user, but still... It must cost money to beat your fists bloody on the gates. My hypothetical script would give up sooner.
        samhobbs.co.uk



          #5
          The thing is, that's not even the whole log! Pretty sure the log file was rotated during the attack, I'll check later.
          samhobbs.co.uk



            #6
            Originally posted by Teunis
            ...About that top password in the ATT honey pot, what's the attraction of 14060?

            14,060 is the number of users with the password "password".

            I agree with Teunis, the attack seemed to be based on a list of users and passwords, tried one after another, hence the reason why those two attackers spent 5 days attacking. 30 per minute, 1,800 per hour, 43,200 per day, over 200,000 for the 5 day period. 200K is about the lot size stolen passwords are sold in.
            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
            – John F. Kennedy, February 26, 1962.



              #7
              Code:
              admin@samhobbs /var/log $ zcat auth.log.4.gz | grep sshd >> ~/ssh_logins_new.txt
              admin@samhobbs /var/log $ zcat auth.log.3.gz | grep sshd >> ~/ssh_logins_new.txt
              admin@samhobbs /var/log $ zcat auth.log.2.gz | grep sshd >> ~/ssh_logins_new.txt
              admin@samhobbs /var/log $ cat auth.log.1 | grep sshd >> ~/ssh_logins_new.txt
              admin@samhobbs /var/log $ cat auth.log | grep sshd >> ~/ssh_logins_new.txt
              Some more info (older), in case you're interested:

              Code:
              feathers-mcgraw@Hobbs-T440s:~$ truncate -s 999KB ssh_logins_new.txt
              ^ a neat little trick I just learned, the forum has a 1000KB filesize limit for text files

              Feathers
              samhobbs.co.uk



                #8
                Reminds me of Spaceballs! Remember the Air Dome password which coincidentally was President Skroob's password on his luggage!?


                http://www.youtube.com/watch?v=WzEz-SHJbB0



                  #9
                  That's the first time I've seen that, made me LOL!
                  samhobbs.co.uk



                    #10
                    Oh, you have to watch the whole thing! Classic in my opinion!




                      #11
                      Originally posted by Feathers McGraw
                      Code:
                      admin@samhobbs /var/log $ zcat auth.log.4.gz | grep sshd >> ~/ssh_logins_new.txt
                      admin@samhobbs /var/log $ zcat auth.log.3.gz | grep sshd >> ~/ssh_logins_new.txt
                      admin@samhobbs /var/log $ zcat auth.log.2.gz | grep sshd >> ~/ssh_logins_new.txt
                      admin@samhobbs /var/log $ cat auth.log.1 | grep sshd >> ~/ssh_logins_new.txt
                      admin@samhobbs /var/log $ cat auth.log | grep sshd >> ~/ssh_logins_new.txt
                      Some more info (older), in case you're interested:

                      Code:
                      feathers-mcgraw@Hobbs-T440s:~$ truncate -s 999KB ssh_logins_new.txt
                      ^ a neat little trick I just learned, the forum has a 1000KB filesize limit for text files

                      Feathers
                      Thanks for the info about the text file size limit!

                      I noticed a pattern in the text file:
                      Code:
                      Feb  4 14:01:20 samhobbs sshd[25192]: input_userauth_request: invalid user billy [preauth]
                      Feb  4 14:01:21 samhobbs sshd[25192]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                      Feb  4 14:05:30 samhobbs sshd[25207]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                      Feb  4 14:09:35 samhobbs sshd[25218]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                      Feb  4 14:13:43 samhobbs sshd[25238]: Invalid user bind from 213.80.171.86
                      Feb  4 14:13:43 samhobbs sshd[25238]: input_userauth_request: invalid user bind [preauth]
                      Feb  4 14:13:43 samhobbs sshd[25238]: Received disconnect from 213.80.171.86: 11: Bye Bye [preauth]
                      Feb  4 14:17:51 samhobbs sshd[25249]: Invalid user bird from 213.80.171.86
                      Notice that if the name wasn't in your list of users the connection was marked invalid. Some connections are sequential "Received disconnect from ...". Did they hit upon a valid name but failed to use a valid password?
                      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                      – John F. Kennedy, February 26, 1962.
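The grep commands in posts #2 and #7 only pull the sshd lines out; the questions in #6 (how fast were they trying?) and #11 (which names were invalid, which connections were dropped at preauth?) can be answered mechanically from the same lines. The following is an added example, not code from the thread or from any of its posters. It assumes the Debian/Ubuntu auth.log syslog format quoted in post #11, a year of 2014 (syslog timestamps carry none), and a constructed sample log whose host name, PIDs and times are made up and whose addresses come from the RFC 5737 documentation ranges. The ban rule at the end is a simplified, fail2ban-style threshold with assumed values, not fail2ban's own logic.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

LOG_YEAR = 2014  # assumed: syslog timestamps carry no year; taken from the thread's date

# Constructed sample in the auth.log format quoted in post #11. Host name, PIDs
# and times are made up; addresses come from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Feb  4 14:01:20 samhobbs sshd[25192]: Invalid user billy from 203.0.113.5
Feb  4 14:01:20 samhobbs sshd[25192]: input_userauth_request: invalid user billy [preauth]
Feb  4 14:01:21 samhobbs sshd[25192]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]
Feb  4 14:01:23 samhobbs sshd[25207]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]
Feb  4 14:01:25 samhobbs sshd[25218]: Invalid user bind from 203.0.113.5
Feb  4 14:01:25 samhobbs sshd[25218]: input_userauth_request: invalid user bind [preauth]
Feb  4 14:01:25 samhobbs sshd[25218]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]
Feb  4 14:01:27 samhobbs sshd[25249]: Invalid user bird from 203.0.113.5
Feb  4 14:01:27 samhobbs sshd[25249]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]
Feb  4 14:30:00 samhobbs sshd[25300]: Accepted publickey for admin from 198.51.100.7 port 50211 ssh2
Feb  4 14:31:02 samhobbs sshd[25310]: Received disconnect from 198.51.100.7: 11: disconnected by user
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for \S+ from (?P<ip>\S+)")
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<ip>\S+):")


@dataclass
class SourceStats:
    first_seen: datetime
    last_seen: datetime
    connections: set = field(default_factory=set)  # sshd PIDs seen from this address
    failed: set = field(default_factory=set)       # PIDs that ended in preauth (never authenticated)
    accepted: set = field(default_factory=set)     # PIDs with a successful login
    invalid_users: list = field(default_factory=list)

    def failed_attempts(self):
        return len(self.failed - self.accepted)

    def span_seconds(self):
        return (self.last_seen - self.first_seen).total_seconds()

    def attempts_per_minute(self):
        # A single-line span would divide by zero, so treat it as one second.
        return self.failed_attempts() * 60.0 / max(self.span_seconds(), 1.0)


def parse_auth_log(text, year=LOG_YEAR):
    """Group sshd lines by source address; returns {ip: SourceStats}."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        pid, msg = int(m["pid"]), m["msg"]
        inv, acc, dis = INVALID_RE.match(msg), ACCEPTED_RE.match(msg), DISCONNECT_RE.match(msg)
        if inv:
            ip, failed, accepted = inv["ip"], True, False
        elif acc:
            ip, failed, accepted = acc["ip"], False, True
        elif dis:
            ip, failed, accepted = dis["ip"], "[preauth]" in msg, False
        else:
            continue  # e.g. input_userauth_request lines carry no address
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first_seen=when, last_seen=when)
        s.first_seen, s.last_seen = min(s.first_seen, when), max(s.last_seen, when)
        s.connections.add(pid)
        if failed:
            s.failed.add(pid)
        if accepted:
            s.accepted.add(pid)
        if inv:
            s.invalid_users.append(inv["user"])
    return stats


def should_ban(s, maxretry=3, findtime=600.0):
    """Simplified fail2ban-style rule (assumed thresholds): maxretry failures
    inside findtime seconds. Real fail2ban uses a sliding window; this looks
    at the whole span seen in the file."""
    return s.failed_attempts() >= maxretry and s.span_seconds() <= findtime


if __name__ == "__main__":
    for ip, s in sorted(parse_auth_log(SAMPLE_AUTH_LOG).items()):
        print(f"{ip:<15} connections={len(s.connections)} failed={s.failed_attempts()} "
              f"rate={s.attempts_per_minute():.1f}/min invalid_users={s.invalid_users} "
              f"ban={should_ban(s)}")
```

Counting distinct sshd PIDs rather than lines is what makes the per-minute rate honest: each connection logs two or three lines, so counting lines would roughly triple the figure. Feeding it the ssh_logins_new.txt built in post #7 instead of the sample (read the file and pass its text to parse_auth_log) gives the same breakdown for the real attack.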



                        #12
                        My server accepts publickey only for all users, so even if they guessed the right name they would be disconnected. Some of the disconnects are grouped together in a block in the logs, they're not always in a "connect, disconnect, connect, disconnect" order. The "admin" username login attempt would be interesting but it's too far back in the logs and has been discarded, I suspect they got a "Permission denied: publickey" response and moved on.

                        Feathers
                        samhobbs.co.uk
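The "publickey only for all users" policy in post #12 is what turns a guessed username into a dead end, and it lives in sshd_config. Below is an added example, not from the thread or from OpenSSH, that reads an sshd_config and reports the global settings which would let a password prompt back in. The config excerpts are constructed; the parser follows OpenSSH's documented rule that the first value read for a keyword wins and that keywords are case-insensitive, and it stops at the first Match block because settings after it are conditional. The defaults table assumes current OpenSSH behaviour (PermitRootLogin defaulting to prohibit-password since 7.0).

```python
import re

# Constructed sshd_config excerpts (not taken from any real host or from the thread).
WEAK_SSHD_CONFIG = """\
# permissive: lets a guesser reach the password prompt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

HARDENED_SSHD_CONFIG = """\
# public keys only, as post #12 describes for the server in this thread
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
"""

# What a publickey-only policy expects, keyed by lower-cased keyword
# (sshd_config keywords are case-insensitive).
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Value sshd applies when the keyword is absent (assumed: OpenSSH 7.0+ defaults;
# releases current when this thread was written defaulted PermitRootLogin to yes,
# which is one more reason to set it explicitly).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

SPLIT_RE = re.compile(r"\s*=\s*|\s+")  # "Key value", "Key=value" and "Key = value"


def parse_sshd_config(text):
    """Effective global settings: sshd keeps the FIRST value it reads for a
    keyword, so a hardened line lower down does not override a weak one above
    it. Lines after the first Match block are conditional and not audited."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = SPLIT_RE.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return (keyword, effective_value, expected_value) for each global setting
    that departs from the publickey-only policy, absent keywords included."""
    cfg = parse_sshd_config(text)
    return [
        (key, cfg.get(key, DEFAULTS[key]), want)
        for key, want in EXPECTED.items()
        if cfg.get(key, DEFAULTS[key]).lower() != want
    ]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"{name}: {'no findings' if not findings else ''}")
        for key, have, want in findings:
            print(f"  {key}: is '{have}', expected '{want}'")
```

Auditing an empty file is deliberately not a clean result: the defaults still allow password and keyboard-interactive logins, so "I never set PasswordAuthentication" means it is on. The script reads the file you hand it; run the real check with `sshd -T`, which prints the effective configuration after defaults and Match blocks are resolved.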



                          #13
                          Interesting thread!

                          At the college we have to change our passwords every six months or so, and there are those who say that such a policy makes little or no difference, don't know, it has to be done so I do it.

                          I really DID try to come up with really oddball number/letter combos etc. but after a while the MS system.......said that the passwords were no good! :0

                          I got really irritated, because I've fiddled with passwords and the theory of them for quite a while. Annnnn, I do gotta say that there is a theory that what happened next is a good method.

                          Here is one talking head that says use "words" and also there is discussion of alternate strategies, from 2011 but probably still of some use.

                          http://readwrite.com/2011/01/21/why-...owQoCgIekQtkl2

                          Here is a talking head that says use numbers.....or a really loooonnnggg word! lol

                          http://netsecurity.about.com/od/news.../realwords.htm

                          As a joke after about, don't remember, ten attempts...........I typed in the name of an enzyme and the number 01, such as Amylase01.

                          And microsludge declared that on a scale of one to ten that the password was a fifty! .........there were trumpets blaring, the windblows flag was flying across the page.

                          Since then I just pick a random street name and put 01 on it.

                          and since this is an academic setting...........hhhhaaarrruuumph....academics do it right! I will just follow my muse!

                          woodMr.Mxyzptlksmoke



                            #14
                            I've often wondered about the differences in passwords -- all lower case, mixed case, lower case and numerics, mix case and numerics, all the previous and with special characters, just special characters, etc....

                            The thing is, they are all coming from a pool of 256 bytes. The alpha numerics between 0 and 127, and the higher set from 128 to 256. Does it really matter which combination of ANY of those characters (0-256) are used? In my mind, only one thing makes any difference -- length of the password. Some apps and sites limit the length of the password, or truncate it to some fixed upper number, so even the length of the password is defeated.

                            My passwords are phrases of three or four words, sometimes with numbers or punctuation, averaging 16 characters. Always longer, but easy to remember. I read that even 4096 bit RSA keys have been cracked using a "side channel attack". Besides the acoustic attack on the 4096 bit key, the 1024 bit RSA key was cracked in 2010. My PGP keys are either 2048 or 4096.

                            However, considering the resources behind the NSA, including $80M targeted to build a quantum computer that could crack most if not all keys, one wonders if they have that already.

                            Google has purchased a D-Wave Systems quantum computer, so I am not sure why NSA is trying to build one, and suspect that their announcement is merely a smoke screen.
                            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                            – John F. Kennedy, February 26, 1962.



                              #15
                              How Big is Your Haystack?
                              ... and how well hidden is YOUR needle?
                              Windows no longer obstructs my view.
                              Using Kubuntu Linux since March 23, 2007.
                              "It is a capital mistake to theorize before one has data." - Sherlock Holmes
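The "haystack" question in post #15 and the length-versus-character-set discussion in post #14 come down to one calculation: the size of the space a guesser has to cover is (alphabet size) to the power (length), so both factors enter, one as the base and one as the exponent. The following is an added example, not code from the thread or from GRC's Haystack page, that compares a few of the policies mentioned in the thread (an Amylase01-style mixed 9-character password, a 16-character lowercase phrase) and converts each search space into worst-case years at the 30-guesses-per-minute rate GreyGeek estimated in post #6. The character-class sizes are the printable ASCII counts; the policies themselves are constructed.

```python
import math

# Printable ASCII character classes (33 = punctuation characters plus space).
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}

OBSERVED_RATE_PER_MINUTE = 30  # rate GreyGeek estimated for the attack in post #6


def alphabet_size(*classes):
    return sum(CHARSETS[c] for c in classes)


def search_space(length, *classes):
    """Number of candidates an exhaustive guesser must cover: the haystack."""
    return alphabet_size(*classes) ** length


def entropy_bits(length, *classes):
    """Bits of entropy for a password drawn uniformly at random from the space.
    A dictionary word or a street name plus 01 is not uniform, so the real
    figure for those is lower; this is the upper bound the policy allows."""
    return length * math.log2(alphabet_size(*classes))


def years_to_exhaust(space, guesses_per_minute=OBSERVED_RATE_PER_MINUTE):
    """Worst-case time to try every candidate at a fixed online guessing rate."""
    return space / guesses_per_minute / (60 * 24 * 365.25)


def compare(policies):
    """policies: iterable of (label, length, classes). Rows sorted by entropy."""
    rows = []
    for label, length, classes in policies:
        space = search_space(length, *classes)
        rows.append((label, round(entropy_bits(length, *classes), 1), years_to_exhaust(space)))
    return sorted(rows, key=lambda r: r[1])


POLICIES = [
    ("8 chars, lower only", 8, ("lower",)),
    ("9 chars, mixed case + digits (Amylase01-style)", 9, ("lower", "upper", "digits")),
    ("16-char lowercase phrase", 16, ("lower",)),
    ("16 chars, all four classes", 16, ("lower", "upper", "digits", "symbols")),
]

if __name__ == "__main__":
    for label, bits, years in compare(POLICIES):
        print(f"{label:<48} {bits:>6.1f} bits  {years:.3g} years at {OBSERVED_RATE_PER_MINUTE}/min")
```

Two things fall out of the numbers. A 16-character lowercase phrase (75 bits) does beat a 9-character mixed password (54 bits), which is the point post #14 makes about length, but adding classes to the same 16 characters adds another 30 bits, so the base matters too. And at the observed online rate none of these spaces can be exhausted in any useful time, which is why the attacks in this thread run through short lists of common names and passwords instead: the defence against that is not the size of the haystack but keeping the needle out of the list.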

