0x0Lab Blog Just another damn blog

22 Dec 2010

SSH honeypot

I've been running an SSH honeypot for around a month now.
So let's have a look at the stats.
So far I've collected 17 rootkits/ircbot/logcleaners.
The top 20 passwords/usernames the SSH scanners will try are:

Passwords

Count  password
1963   123456
978    password
738    1234
619    test
539    a
468    test123
426    passwd
361    admin
323    qwerty
312    root
285    123
258    12345
240    abc123
200    tester
200    passwd123
193    admin123
174    1q2w3e
148    abcd1234
147    1
147    user

Usernames

Count  username
15385  root
871    test
757    admin
620    a
589    guest
398    oracle
353    user
352    tester
281    testing
256    nagios
241    mysql
224    student
219    apache
215    info
202    postgres
192    ftp
187    temp
178    toor
177    webmaster
168    postfix
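
One defensive use of the username table above, as an added example that is not part of the original post: list the accounts on a host that both carry a scanner-targeted name and have a login shell. The passwd sample, the function name and the set of no-login shells are assumptions made for the illustration.

```python
# Added example: flag local accounts that scanners target by name.
# Counts are the username column of the table above.
SCANNED_USERS = {
    "root": 15385, "test": 871, "admin": 757, "a": 620, "guest": 589,
    "oracle": 398, "user": 353, "tester": 352, "testing": 281,
    "nagios": 256, "mysql": 241, "student": 224, "apache": 219,
    "info": 215, "postgres": 202, "ftp": 192, "temp": 187, "toor": 178,
    "webmaster": 177, "postfix": 168,
}

# Shells that refuse interactive logins (assumed common paths; extend as needed).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}

# Constructed sample in passwd(5) format, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
oracle:x:1001:1001::/home/oracle:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nagios:x:1002:1002::/home/nagios:/bin/sh
broken line without enough fields
"""

def exposed_accounts(passwd_text):
    """Return (name, shell, attempts) for accounts that have a login shell
    and appear in SCANNED_USERS, most-attempted name first."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed entry
        name = fields[0]
        # passwd(5): an empty shell field means /bin/sh, which allows login.
        shell = fields[6] or "/bin/sh"
        if name in SCANNED_USERS and shell not in NOLOGIN_SHELLS:
            hits.append((name, shell, SCANNED_USERS[name]))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)

if __name__ == "__main__":
    for name, shell, attempts in exposed_accounts(SAMPLE_PASSWD):
        print(f"{name:10} {shell:12} tried {attempts} times by scanners")
```

A hit only means the name is one the scanners guess and the account can get a shell; whether it is reachable over SSH still depends on the sshd configuration.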

Unfortunately I haven't had enough time to analyze the rootkits/ircbots downloaded to the box, but feel free to do so. The files can be downloaded here (password: honeypot).

Below you can see a few videos of the "hackers" in action:

Posted by cirrus

Filed under: Security