Harvested SSH bots passwords

Introduction

If you have an SSH server listening on a public interface, you probably know that failed login attempts happen all the time. There are bots scanning whole internet subnets looking for an open TCP port 22 and trying all sorts of popular logins and weak passwords. I wanted to know which passwords and logins they are actually using. Logins are no problem – audit.log shows them. It is a different story with passwords: they are not logged even if you configure the maximum possible debugging level in the OpenSSH server. There is a good reason for that – logging them might violate privacy and pose a security threat.

How did I do that?

The cleanest way to do this is to modify OpenSSH source code. I used OpenSSH 6.4p1 version.

You only need to insert one line calling the logit() function in the auth-passwd.c file:

[root@krupa src]# diff -r openssh-6.4p1 openssh-6.4p1_mod
diff -r openssh-6.4p1/auth-passwd.c openssh-6.4p1_mod/auth-passwd.c
82a83
> logit("Password, username is: %s-----%s",authctxt->user,password);
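Review bot: the logit() call inserted at line 83 of auth-passwd.c records the cleartext password of every attempt, including successful logins by real users, in syslog at the default level, so the log files, any remote log forwarding and their backups now hold working credentials; to capture only what the bots send, move the call after sys_auth_passwd() and log only when result is 0 (or skip it when authctxt->valid is set), or run the patched sshd on a dedicated host that has no real accounts. Minor: as placed, the call is a statement ahead of the `struct passwd * pw` and `int result, ok` declarations, a declaration-after-statement mix that older C compilers reject; putting it after those declarations keeps the function C89-clean.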


/*
 * Tries to authenticate the user using password. Returns true if
 * authentication succeeds.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
	/* Added line: log the attempted login name and cleartext password. */
	logit("Password, username is: %s-----%s", authctxt->user, password);
	struct passwd * pw = authctxt->pw;
	int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	static int expire_checked = 0;
#endif

#ifndef HAVE_CYGWIN
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		if (ret == 1 || ret == 0)
			return ret && ok;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef HAVE_CYGWIN
	{
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
#endif
#ifdef USE_PAM
	if (options.use_pam)
		return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	if (!expire_checked) {
		expire_checked = 1;
		if (auth_shadow_pwexpired(authctxt))
			authctxt->force_pwchange = 1;
	}
#endif
	result = sys_auth_passwd(authctxt, password);
	if (authctxt->force_pwchange)
		disable_forwarding();
	return (result && ok);
}

The results

Over the course of approximately 10 months I was able to gather 1315543 attempts, which is about 3 per minute!
There were only 172304 unique combinations.
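Once the lines from the patched sshd have been collected, the tables below are a counting exercise. The following is an added example (not code from the original post) that parses syslog lines carrying the patch's "Password, username is: %s-----%s" message and produces the three top-N tables plus the attempts-per-minute figure. The sample log lines, the hostname and the syslog prefix in front of the message are constructed; only the message format comes from the patch.

```python
"""Tally the login/password pairs harvested by the logit() line in auth-passwd.c.

Added example, not from the original post: parses syslog lines produced by the
patched sshd and reproduces the post's three tables plus the per-minute rate.
"""
import re
from collections import Counter

# Constructed sample lines. The "Password, username is: <user>-----<password>"
# part is the format string from the patch; the timestamp/host/sshd[pid] prefix
# is what a typical syslog daemon prepends (an assumption about the collector,
# not something the post shows). The last line is an unrelated sshd message and
# must be ignored. OpenSSH's logger renders non-printable bytes as octal
# escapes, so a password consisting of byte 0x01 arrives as the four characters
# \001, exactly as it appears in the post's table.
SAMPLE_LOG = """\
Mar  1 00:00:01 krupa sshd[1001]: Password, username is: root-----admin
Mar  1 00:00:20 krupa sshd[1002]: Password, username is: root-----123456
Mar  1 00:00:41 krupa sshd[1003]: Password, username is: admin-----admin
Mar  1 00:01:02 krupa sshd[1004]: Password, username is: root-----admin
Mar  1 00:01:30 krupa sshd[1005]: Password, username is: root-----\\001
Mar  1 00:01:55 krupa sshd[1006]: Password, username is: test-----a-----b
Mar  1 00:02:10 krupa sshd[1007]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

ATTEMPT_RE = re.compile(r"Password, username is: (?P<rest>.*)$")


def parse_attempt(line):
    """Return (user, password) for a harvested line, or None for anything else.

    The separator is split at its first occurrence: a login name containing
    "-----" would be misread, but a password containing it is kept intact,
    which is the more likely case with bot wordlists.
    """
    match = ATTEMPT_RE.search(line.rstrip("\n"))
    if not match:
        return None
    user, sep, password = match.group("rest").partition("-----")
    if not sep:
        return None
    return user, password


def tally(lines):
    """Count combinations, users and passwords over an iterable of log lines."""
    combos, users, passwords = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_attempt(line)
        if parsed is None:
            continue
        user, password = parsed
        combos[parsed] += 1
        users[user] += 1
        passwords[password] += 1
    return combos, users, passwords


def attempts_per_minute(total_attempts, months):
    """Average rate using the post's rough figure of 30 days per month."""
    return total_attempts / (months * 30 * 24 * 60)


def print_top(title, counter, n=100):
    """Print a count-sorted table in the same layout as the post."""
    print(title)
    for key, count in counter.most_common(n):
        label = " ".join(key) if isinstance(key, tuple) else key
        print(f"{count:8d} {label}")
    print()


if __name__ == "__main__":
    combos, users, passwords = tally(SAMPLE_LOG.splitlines())
    print_top("Top login+password combinations", combos)
    print_top("Top users", users)
    print_top("Top passwords", passwords)
    print(f"unique combinations: {len(combos)}")
    # the post's own numbers: 1315543 attempts over roughly 10 months
    print(f"attempts per minute: {attempts_per_minute(1315543, 10):.1f}")
```

To run it over a real collection, replace SAMPLE_LOG.splitlines() with the opened log file; tally() only looks at lines carrying the patch's message, so feeding it the whole secure log or journal export is fine.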

Top 100 login+password combinations

count login password
 5493 root admin
 2883 root 123456
 2505 root password
 2439 root root
 2423 root root123
 2376 root \001
 2336 root 1234
 2330 root 1qaz2wsx
 2274 root redhat
 2252 root passw0rd
 2217 root 12345678
 2178 root 123123
 2177 root admin123
 2130 root 1q2w3e4r
 2113 root P@ssw0rd
 2097 root qwe123
 2086 root 12345
 1995 root abc123
 1985 root 1234567890
 1958 root 123
 1925 root 1q2w3e
 1877 root 123456789
 1834 root root@123
 1815 root 111111
 1794 root Passw0rd
 1751 root toor
 1748 root 123qwe!@#
 1745 root qweasd
 1743 root 2wsx3edc
 1731 root root1234
 1720 root rootroot
 1711 root master
 1710 root rootme
 1709 root zaq12wsx
 1696 root 123qwe
 1694 root 142536
 1693 root 112233
 1687 root abcd1234
 1660 root 123.com
 1657 root manager
 1656 root 654321
 1641 root data
 1636 root 123abc
 1633 root cisco
 1629 root welcome
 1622 root q1w2e3r4t5
 1612 root 123qweasd
 1601 root qazxsw
 1600 root q1w2e3r4
 1598 root test
 1562 root 1234567
 1560 root 1qaz@WSX
 1557 root qwer1234
 1554 root test123
 1552 root 1q2w3e4r5t
 1539 root oracle
 1539 root 1qazxsw2
 1526 root admin@123
 1505 root qwerty
 1502 root 8812345
 1501 root letmein
 1474 root master123
 1471 root 225588
 1454 root administrator
 1453 root temporal
 1450 root 666666
 1448 root p@ssw0rd
 1447 root 123qwe123
 1441 root 123!@#
 1441 root 11111111
 1426 root 123465
 1424 root changeme
 1422 root 123321
 1418 root r00t
 1411 root 123.321
 1404 root qazwsx
 1404 root monitor
 1392 root default
 1387 root firewall
 1373 root 888888
 1372 root huawei
 1364 root samsung
 1360 root pass123
 1357 root qwe123!@#
 1356 root asdf
 1355 root !QAZ2wsx
 1355 root power
 1355 root 1212
 1354 root pass
 1352 root P@$$w0rd
 1347 root password1
 1345 root Password
 1343 root 65432!
 1341 root P@ssword
 1341 root 88888888
 1340 root Admin@123
 1328 root a123456
 1321 root system
 1313 root Abc123
 1311 root 789789

Top 100 users

count user
1106979 root
 94632 admin
 3140 test
 2917 oracle
 2063 postgres
 2029 nagios
 1793 krupa
 1785 pw
 1685 bin
 1642 user
 1539 guest
 1527 ftpuser
 1296 mysql
 1024 testuser
 950 info
 927 ftp
 820 backup
 815 support
 774 webmaster
 705 git
 605 teamspeak
 560 web
 555 usuario
 548 www
 511 tomcat
 509 postmaster
 502 suporte
 461 teste
 423 deploy
 400 www-data
 380 zabbix
 356 webadmin
 353 ubuntu
 348 test2
 331 svn
 331 alex
 316 apache
 309 test1
 304 ftptest
 291 student
 289 minecraft
 275 ts
 274 jboss
 245 jenkins
 242 master
 228 redmine
 218 test3
 217 ts3
 216 cyrus
 213 jira
 205 testftp
 205 cacti
 203 teamspeak3
 201 nobody
 199 user1
 188 hadoop
 181 webuser
 175 news
 174 adm
 170 a
 168 sales
 162 db2inst1
 159 prueba
 159 john
 157 testing
 156 office
 156 mythtv
 150 temp
 148 demo
 145 weblogic
 141 tom
 141 david
 139 cron
 138 tester
 137 mail
 132 vyatta
 131 postfix
 129 gitosis
 124 service
 121 bash
 118 server
 115 michael
 114 gitolite
 113 linux
 113 daemon
 113 ben
 110 ivan
 109 operator
 108 public
 108 mike
 108 jack
 106 http
 105 upload
 105 rsync
 105 daniel
 105 anna
 104 informix
 104 ghost
 102 pi
 102 deployer

A fair number of attempts use my domain name as the login, which means those bots adapt their wordlists to the target to some degree.


Top 100 passwords

count password
 9747 123456
 6759 admin
 5863 password
 4362 1234
 3826 12345
 3530 123
 3490 root
 3475 1qaz2wsx
 3414 test
 3339 123123
 3259 abc123
 3258 root123
 3121 12345678
 3085 qwe123
 3073 admin123
 3069 passw0rd
 3053 P@ssw0rd
 3037 redhat
 3007 1q2w3e4r
 2745 1234567890
 2617 test123
 2610 Passw0rd
 2609 111111
 2604 zaq12wsx
 2587 123qwe
 2580 root@123
 2520 qweasd
 2494 112233
 2484 oracle
 2464 2wsx3edc
 2428 master
 2424 142536
 2422 toor
 2420 123qwe!@#
 2410 rootme
 2376 123456789
 2376 \001
 2366 data
 2338 manager
 2332 qwerty
 2323 root1234
 2316 welcome
 2293 rootroot
 2288 cisco
 2281 qazxsw
 2275 q1w2e3r4t5
 2258 123.com
 2216 1q2w3e
 2216 123abc
 2195 123qweasd
 2163 abcd1234
 2152 1234567
 2133 letmein
 2115 8812345
 2103 1qazxsw2
 2089 123!@#
 2085 225588
 2082 123465
 2078 master123
 2073 q1w2e3r4
 2073 admin@123
 2065 qwer1234
 2053 temporal
 2050 123.321
 2044 123qwe123
 2029 1qaz@WSX
 2025 654321
 2008 changeme
 1988 pass
 1979 monitor
 1966 666666
 1934 1212
 1929 1
 1919 firewall
 1887 qwe123!@#
 1874 r00t
 1871 qazwsx
 1869 1q2w3e4r5t
 1851 65432!
 1840 p@ssw0rd
 1834 administrator
 1831 default
 1827 Admin@123
 1825 pass123
 1810 P@$$w0rd
 1803 789789
 1793 Abc123
 1776 123321
 1772 root123!@#
 1765 aa123456
 1765 147147
 1763 11111111
 1754 password1
 1752 q123456
 1723 tang
 1717 admin123#
 1717 888888
 1715 huawei
 1709 system
 1701 adminadmin


Conclusion

Is it a problem? It should not be unless you use one of those passwords. It only creates unnecessary noise in the log files.

If you are concerned about someone guessing your password, you can change the port SSH listens on, but there are good reasons not to. I would recommend reading that article even though the author goes to the extreme of saying it is absolutely a bad idea. Moving the SSH port to some unpredictable value will not protect you from a targeted attack, but it will buy you more time to patch your system in case there is a 0day attack on the OpenSSH server and the bots rush to compromise as many systems as possible as fast as possible – they will scan port 22 only, to speed up the process.
