New SSH Username Report, (Sun, Apr 6th)
The author has been looking at SSH and Telnet credentials collected with the Cowrie honeypot and has created a username summary report. The analysis turned up some interesting usernames, such as probable typos and names tied to particular job roles. The author is also preparing a password list and notes that attackers make mistakes too. 2025-4-6 19:52:7 Author: isc.sans.edu

As you may have noticed from some of my recent diaries, I have spent a bit more time on SSH and Telnet credentials. These credentials are collected by Cowrie, the amazing full-featured SSH and Telnet honeypot maintained by Michel Oosterhof. Cowrie is installed as a component if you install our DShield honeypot.

One very simple way to find "interesting" things is to look at what is new. To allow you to explore yourself, I added an "SSH/Telnet Username Summary". The report lists all usernames we observed at least five times in the last 30 days. These numbers may, of course, change. There is also a simple JSON formatted report you may download to play with: https://isc.sans.edu/sshallusernames.json

So let's take a quick look at "what's new":

  • ysoperator: Looks familiar, but can't remember where I saw it. Google is of little help here.
  • uery: Maybe a typo, and should be "query"?
  • tamatiek: Appears to be a Japanese name?
  • shughes: I guess this is for "S Hughes". Many systems use the first initial and last name as the username. There are a few more like that, which I will skip here.
  • dbmasteruser: Something a bit more interesting. Likely supposed to refer to a database administrator account.

And there is one I thought was funny: /usr/share/wordlists/logins.txt . Yes, the filename and path. I suspect the user didn't know yet how to run the brute force script and passed the filename instead of the username. There are a few I consider typos: "atascientist" (I suspect "datascientist"), "ackupadmin" (backupadmin?). It could also be a tool that swallows the first letter of the username if the username is not provided correctly.
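One way to pull "what's new" out of the JSON report and flag the dropped-first-letter and path-like oddities discussed above, as an added example that is not part of the original diary or of ISC's tooling. The report's field names (`username`, `count`), the sample records and the previous-run baseline are assumptions constructed for the example, so the script runs offline:

```python
import json
import string

# Constructed sample in the shape this example ASSUMES for the ISC report
# (a list of {"username": ..., "count": ...} objects); the real
# https://isc.sans.edu/sshallusernames.json may use different field names.
CURRENT_REPORT = json.dumps([
    {"username": "root", "count": 120000},
    {"username": "admin", "count": 54000},
    {"username": "backupadmin", "count": 40},
    {"username": "ackupadmin", "count": 7},
    {"username": "datascientist", "count": 30},
    {"username": "atascientist", "count": 6},
    {"username": "uery", "count": 5},
    {"username": "/usr/share/wordlists/logins.txt", "count": 5},
    {"username": "dbmasteruser", "count": 9},
])
# Baseline from an earlier run (constructed); anything not in it is "new".
PREVIOUS_USERNAMES = {"root", "admin", "backupadmin", "datascientist", "query"}


def load_usernames(report_json, min_count=5):
    """Return the set of usernames seen at least min_count times."""
    return {e["username"] for e in json.loads(report_json) if e["count"] >= min_count}


def new_usernames(current, previous):
    """Usernames present now that were absent from the baseline."""
    return sorted(current - previous)


def classify(name, known):
    """Heuristic tags for the odd-looking names the diary describes."""
    tags = []
    if "/" in name or name.endswith(".txt"):
        tags.append("path-like")  # a wordlist path passed as the username
    # A tool that swallows the first character yields a name that becomes a
    # known username once one leading letter is restored.
    for c in string.ascii_lowercase:
        if c + name in known:
            tags.append(f"possible-typo-of:{c + name}")
            break
    return tags


def triage(report_json, previous, known=None):
    """Map each new username to its heuristic tags (empty list = nothing odd)."""
    current = load_usernames(report_json)
    known = known if known is not None else current | previous
    return {n: classify(n, known) for n in new_usernames(current, previous)}


if __name__ == "__main__":
    for name, tags in triage(CURRENT_REPORT, PREVIOUS_USERNAMES).items():
        print(f"{name:35} {', '.join(tags) or '-'}")
```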

I am working on a similar list of passwords. But there are a lot more distinct passwords than usernames, which makes that a bit more challenging. Let me know if there are any additional details I should add.

Lesson: Attackers make mistakes too, and there are no real "safe" usernames. 

List of recently seen "new" usernames

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/31830