Linux & Open Source

Compromised Passwords

Hacker emblemI love to see crackers attacking my computers. I even wrote a Linux Magazine article about a successful invasion (portuguese).

Since recently, I leave a virtual machine with an easy password ready to be attacked, just to see these crackers’ leftovers, their rootkits and what they’ll do once they brake into my system.

Guess what. Once inside, they use my system to attack more or to create DDoS-capable networks ready to put some website down. They are not looking for my files, nor my other passwords. They are actually looking for my compute power and want to preserve their anonymity through the use of my Internet address. Pretty useless lifestyle.

Those crackers will rarely explore some Apache or Samba vulnerability to get inside. Few of them have brains for this difficult task. They manage to get inside a system simply because some user password is very simple. They use port scanners to find your SSH TCP port open and then try thousands of combinations of user+password until they login. Once inside, they install this same scanning tools and user+password databases to attack other computers on the Internet.

I started to collect this user+password databases in an alphabetically sorted file and realease it here so people may check if some password they are choosing is well known by crackers or not.

The compromised passwords file has currently 142002 different combinations of user+password that you should not use, and can be downloaded here.

Some classical combinations you’ll find in the file are:

root changeme
root default
root l1nuxb0x
root passw0rd
root password
oracle oracle123
sapdb sapdb

Remember, you will greatelly avoid having your Linux/Unix/BSD/Mac computer being attacked simply following this rules:

  1. Disable SSH “root” login having the following in your /etc/ssh/sshd_config file:
    PermitRootLogin no
  2. Don’t use a user+password combination that can be found in the file I linked above. Use passwords that are difficult to guess.
  3. Change your SSH daemon listening port to something different than the default 22 in /etc/ssh/sshd_config. This is a bit inconvenient — but very effective — because you’ll have to remember to provide the non-standard port everytime you want to access your system.

Pretty obvious, but I keep finding Internt-connected systems with very weak and well known passwords.

14 comments to Compromised Passwords

  • Tabgal

    Ufa minhas senhas estão salvas 😛 😛 😛

    Imagino que (a maquina) que tente essas senhas seja um mesmo sistema que foi invadido, é isso mesmo?

    Também seria interessante ver qual o canal de controle usado (irc certo?)

  • Avi

    Tabgal, yes, the cracker used a user+password combination from this file, invaded and then installed the same rootkit with this file to invade other computers.

  • […] Avi Alkalay @ Compromised Passwords […]

  • […] por Avi Alkalay (avibrazilΘgmail·com) – referência […]

  • Nice article. Makes me wanna build my own honeypot. :)

  • é, também estou salvo….
    As pessoas ao menos deviam ter um pouco mais de dissernimento ao escolherem suas senhas né…

    E não sabia que os crakers hoje em dia estão fazendo isso…..

  • Avi

    Marcelo Criscuolo contributed today 456 additional user+password combinations. Already merged in the compromised-passwords.txt file.

  • paul

    thanks for assembling the list. on linux i use denyhosts – this cuts them off after a few tries.
    see http://denyhosts.sourceforge.net/

  • I dont understand how ppl ssh into systems which are connected over internet? I have a wifi modem which when connected to internet gets a public IP and the modem assigns a private ip to my system which means that the modem does acts as a NAT box or does routing. My system is never assigned a public IP in any case? Also my understanding is that the ip which my modem gets is down the heirarchy of multiple level of NATS. How does a cracker can even manage to log into my system considering he knows my root passwd somehow?

  • monsted

    142000 passwords sounds impressive, but you should run a “uniq” on that list to cut out all of the duplicates. “ace ace” is just one of many that repeat.

  • Jani Mikkonen

    Besides the suggestions above, you will cut the bruteforce attacks against your ssh by changing the port ssh listens for incoming connections to something other than port 22.

    Anyway, thanks for the list!

  • Avi

    @monsted, these 142002 are all unique. There is no repeated combination of user and password.

    What you commented as “ace ace” means user “ace” with password “ace”. Each line has the user for the first word and its password for the second word.

  • Hi Avi, Happy New Year!

    The reason I am contacting you is to learn how I can integrate a google map that I
    have created into my wordpress blog.

    I want to create a map for my blog with the same exact functionality as the one in the website below.

    http://earth2tech.com/2008/02/25/earth2tech-maps-101-cleantech-startups/

    Just click on the view larger map hyperlink, this will take you to the map and show
    its configuration and functionality.

    I am a technical coding newbie, so I really appreciate any help you may be able
    to provide.

    Thank you in advance.

    All the best,

    David
    Energybloggers.com

  • eric

    I’am always loose my username and password.