Airtel Router Scans, and Mislabeled Usernames (Wed, Aug 20th)
The article describes new username data collected by Cowrie honeypots, notes that attackers frequently scan these ports for web servers, and records many HTTP request header entries as a result. Among them, "Airtel@123" was used as a password, while the default username is probably "admin". The author points out that this password is actually the Wi-Fi default password, and lists other interesting username and password combinations. 2025-8-20 15:27:19 Author: isc.sans.edu

Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result is that HTTP request headers end up in our username and password database. 

This morning, I noticed another interesting-looking username: Airtel@123 [1]. We do see it used with "passwords" like root, otx, and itmuser.

A quick Google search confirmed that "Airtel@123" is the password, and the username is likely "admin", which is not even in the list above. There is another odd thing the attacker may have overlooked here: Based on the documentation I could find, "Airtel@123" is not the Telnet/SSH password for the Airtel Zerotouch router. Instead, it appears to be the Wi-Fi default password. The login defaults to the less creative "admin"/"admin".

And while we are at it, here are a few more "interesting but useful" usernames and passwords I have seen:

'"username"' - Maybe someone parsing a random password list that was HTML encoded? Or someone trying to XSS our site?

echo 'Connection established' - no, it wasn't. Likely a check to see if the login succeeded.

'"root"' - even double quotes got escaped correctly. I still think this is more bad parsing of a username list, and not an XSS attack.

username "$oot" and password "$dmin". Interesting... No idea if that will work, but anybody got any ideas why someone may try this?
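As an added example (not part of the diary, and not Cowrie's own code), here is a small Python triage script that labels Cowrie login events with the kinds of mislabeling discussed above: HTTP probes that hit the Telnet/SSH listener, quoted wordlist artifacts, commands sent as logins, and a vendor-style password landing in the username field. The JSON lines, the regexes and the short list of common usernames are constructed for illustration.

```python
import json
import re

# Cowrie writes one JSON event per line. These six events are constructed
# samples in that shape; they are not real honeypot output.
SAMPLE_LOG = r"""
{"eventid":"cowrie.login.failed","username":"GET / HTTP/1.1","password":"","src_ip":"192.0.2.10"}
{"eventid":"cowrie.login.failed","username":"User-Agent: Mozilla/5.0","password":"","src_ip":"192.0.2.10"}
{"eventid":"cowrie.login.failed","username":"Airtel@123","password":"root","src_ip":"192.0.2.11"}
{"eventid":"cowrie.login.failed","username":"'\"root\"'","password":"toor","src_ip":"192.0.2.12"}
{"eventid":"cowrie.login.failed","username":"echo 'Connection established'","password":"x","src_ip":"192.0.2.13"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"192.0.2.14"}
"""

HTTP_REQUEST = re.compile(r"^(GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/\d")
HTTP_HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: \S")
QUOTED = re.compile(r"""^['"]+.*['"]+$""")
# Vendor-style default such as Airtel@123: letters, '@', digits.
PASSWORD_LIKE = re.compile(r"^[A-Za-z]+@\d+$")
# Small, hand-picked set for the example; a real tool would use a fuller list.
COMMON_USERNAMES = {"root", "admin", "user", "itmuser", "otx", "support"}


def classify(username, password):
    """Label one credential pair; 'plain' means nothing odd was spotted."""
    if HTTP_REQUEST.match(username) or HTTP_HEADER.match(username):
        return "http-leak"          # web scan that reached the Telnet/SSH port
    if username.startswith("echo "):
        return "shell-command"      # a command was sent where a login belongs
    if QUOTED.match(username):
        return "quoted-artifact"    # quotes kept from a badly parsed wordlist
    if PASSWORD_LIKE.match(username) and password.lower() in COMMON_USERNAMES:
        return "possibly-swapped"   # password and username fields reversed
    return "plain"


def triage(log_text):
    """Count labels over the cowrie.login.* events in a JSON-lines log."""
    counts = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if not event.get("eventid", "").startswith("cowrie.login."):
            continue
        label = classify(event.get("username", ""), event.get("password", ""))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```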

For a full list of recent usernames, see https://isc.sans.edu/data/allsshusernames.html. Let me know if you spot anything interesting.

[1] https://isc.sans.edu/ssh_usernames.html?username=QWlydGVsQDEyMw%3D%3D

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/32216