Month: November 2008

Compromised Passwords

Avi Alkalay 14 Comments

Hacker emblemI love to see crackers attacking my computers. I even wrote a Linux Magazine article about a successful invasion (portuguese).

Since recently, I leave a virtual machine with an easy password ready to be attacked, just to see these crackers’ leftovers, their rootkits and what they’ll do once they brake into my system.

Guess what. Once inside, they use my system to attack more or to create DDoS-capable networks ready to put some website down. They are not looking for my files, nor my other passwords. They are actually looking for my compute power and want to preserve their anonymity through the use of my Internet address. Pretty useless lifestyle.

Those crackers will rarely explore some Apache or Samba vulnerability to get inside. Few of them have brains for this difficult task. They manage to get inside a system simply because some user password is very simple. They use port scanners to find your SSH TCP port open and then try thousands of combinations of user+password until they login. Once inside, they install this same scanning tools and user+password databases to attack other computers on the Internet.

I started to collect this user+password databases in an alphabetically sorted file and realease it here so people may check if some password they are choosing is well known by crackers or not.

The compromised passwords file has currently 142002 different combinations of user+password that you should not use, and can be downloaded here.

Some classical combinations you’ll find in the file are:

root changeme
root default
root l1nuxb0x
root passw0rd
root password
oracle oracle123
sapdb sapdb

Remember, you will greatelly avoid having your Linux/Unix/BSD/Mac computer being attacked simply following this rules:

  1. Disable SSH “root” login having the following in your /etc/ssh/sshd_config file: 
    PermitRootLogin no
  2. Don’t use a user+password combination that can be found in the file I linked above. Use passwords that are difficult to guess.
  3. Change your SSH daemon listening port to something different than the default 22 in /etc/ssh/sshd_config. This is a bit inconvenient — but very effective — because you’ll have to remember to provide the non-standard port everytime you want to access your system.

Pretty obvious, but I keep finding Internt-connected systems with very weak and well known passwords.