Last Updated: 2023-10-15 20:12:13 UTC
by Guy Bruneau (Version: 1)
While reviewing my DShield honeypot logs, I noticed for the first time something strange in my list of Top Username & Password where several domain name were use as password. Initially, I was under the impression this might be a parsing error by Logstash and decided to review the raw logs to make sure it was parsed correctly to confirm data integrity. Since username and passwords isn't something submitted to DShield, I reviewed my own raw logs to confirm the data was accurate and reviewed the capture rate of username/password combination for the past few weeks:
2023-10-15T00:06:32.836953Z [HoneyPotSSHTransport,491,22.214.171.124] login return, expect: [b'root'/b'123@.com']
2023-10-15T00:11:39.103160Z [HoneyPotSSHTransport,594,126.96.36.199] login return, expect: [b'root'/b'123@.com']
2023-10-15T00:13:08.464557Z [HoneyPotSSHTransport,664,188.8.131.52] login return, expect: [b'root'/b'123@.com']
The logs also showed that only two usernames were used for this activity: root & admin.
I tried resolving some of the domain, some resolve and some don't. Here are a few examples of domain name (password) that resolve:
- cxthhhhh.com → Addresses: 2606:4700:3033::ac43:9280, 2606:4700:3031::6815:2f65, 184.108.40.206, 220.127.116.11
- minijer.com → Address: 18.104.22.168
- 123456.com → Addresses: 22.214.171.124, 126.96.36.199
Top 10 IPs Indicator
Have you seen similar activity in your logs? Let us know via our contact page.