The password combination root/123456 is bad, but how bad?

Hello folks.

My dear friend Leon tweeted that it took a few minutes for his kippo install to get its first catch.

I knew that if you go online with the SSH password 123456 you will eventually get hacked, but I was curious about how soon that would be.

So I ran a little experiment for the sole purpose of documenting that, and I repeated it on 6 fresh VPS installs in 6 different areas.
Without further ado, here are the results:

#1 (198.199.122.128)
New York 1
Started: Wed Mar 5 11:56:05
Owned in: 38 hours
2014-03-07 02:11:12-0500 [SSHService ssh-userauth on HoneyPotTransport,1935,61.174.51.199] login attempt [root/123456] succeeded

#2 (37.139.4.112)
Amsterdam 1
Started: Fri Mar 7 07:51:47
Owned in: 11 hours
2014-03-07 18:43:07-0500 [SSHService ssh-userauth on HoneyPotTransport,8,61.174.51.222] login attempt [root/123456] succeeded

#3 (107.170.239.236)
San Francisco 1
Started: Fri Mar 7 22:39:59
Owned in: 26 hours
2014-03-09 8:41:19-0500 [SSHService ssh-userauth on HoneyPotTransport,41,222.186.34.199] login attempt [root/123456] succeeded

#4 (188.226.158.32)
Amsterdam 2
Started: Sun Mar 9 09:20:05
Owned in: 25 hours
2014-03-10 12:09:29-0500 [SSHService ssh-userauth on HoneyPotTransport,32,116.10.191.184] login attempt [root/123456] succeeded

#5 (107.170.53.153)
New York 2
Started: Thu Mar 13 03:45:23
Owned in: 16 hours
2014-03-13 19:37:12-0500 [SSHService ssh-userauth on HoneyPotTransport,35,119.61.7.25] login attempt [root/123456] succeeded

#6 (128.199.208.30)
Singapore 1
Started: Fri Mar 14 14:00:32
Owned in: 2 hours 47 minutes
2014-03-14 16:47:21-0400 [SSHService ssh-userauth on HoneyPotTransport,0,116.10.191.186] login attempt [root/123456] succeeded

Being only a small sample, it's not safe to jump to conclusions about which place is safer to operate online or which place will supply your honeypot with more juicy data.
But it's safe to say that if you run SSH facing the internet and the password is 123456, it will eventually be owned.

And I am attaching some logs and network capture files (I apologize for forgetting to collect them every time).

(Note: I updated some timestamps to make the timezones the same.)
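
The "Owned in" figures above can be recomputed directly from a kippo log. The following is an added example, not code from the original post: it parses `login attempt` lines in the format quoted above and reports the time from deployment to the first successful login. The start time's year and UTC offset are assumed to match the log line, and the failed attempt from 192.0.2.10 is a constructed sample.

```python
import re
from datetime import datetime

# Layout of kippo auth lines as they appear in the excerpts in this post.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d{1,2}:\d\d:\d\d[+-]\d{4}) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,(?P<session>\d+),(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S%z"


def parse_logins(lines):
    """Yield one dict per login-attempt line; any other line is skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], TS_FMT)
            yield event


def time_to_first_success(started, lines):
    """Return (elapsed, event) for the earliest successful login, or None."""
    start = datetime.strptime(started, TS_FMT)
    hits = [e for e in parse_logins(lines) if e["result"] == "succeeded"]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return first["ts"] - start, first


# Honeypot #6. STARTED assumes the year and offset of the log line.
# The second log line is constructed; the first is the one quoted in the post.
STARTED = "2014-03-14 14:00:32-0400"
SAMPLE_LOG = [
    "2014-03-14 16:47:21-0400 [SSHService ssh-userauth on HoneyPotTransport,0,116.10.191.186] login attempt [root/123456] succeeded",
    "2014-03-14 16:50:03-0400 [SSHService ssh-userauth on HoneyPotTransport,1,192.0.2.10] login attempt [root/admin] failed",
]

if __name__ == "__main__":
    elapsed, hit = time_to_first_success(STARTED, SAMPLE_LOG)
    print(f"owned in {elapsed} by {hit['src']} using {hit['user']}/{hit['password']}")
```

Run against a full `kippo.log`, the same function also gives a per-honeypot baseline for alerting on the first accepted credential rather than on every failed guess.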


If you have similar data, please post it as well.
honeydata-mar-16.zip
