Top 10 usernames hackers try

The basics: we use usernames to identify a person to a computer system. A password is commonly required in order to ensure that only the proper person is using the username. Hackers know that at least some passwords on most systems are weak or easily guessed, and they will often attempt to access computers using password-guessing programs. These attacks are often attempted against my systems on the Internet, which are accessible via ssh. Ssh allows for command line access to a remote system over the network, and is a very useful tool for administering systems remotely. Ssh also allows an administrator to copy files up to a remote server and down from it.

Access to ssh is usually authenticated through a username and password, as is the case with most system access. (While authentication based upon a username and password is not great, it is the most scalable option available today.) Ssh, a widely available tool, is recommended because it encrypts traffic, which reduces the ability of hackers to sniff account passwords. (Password sniffing is a problem with http, ftp and telnet communications.)

As ssh has grown in popularity, hackers have needed to devise new methods for breaking into ssh-protected systems. One class of ssh hacking tool is SSHater, a tool that will try to guess valid usernames and passwords via ssh. Back to my systems on the Internet. I have configured my ssh server to log all invalid username/password attempts to the audit log, along with the IP address where the attempt originated. Here is a sample record from my audit log (a failed login attempt as "root" from 94.102.1.248).

type=USER_LOGIN msg=audit(1291694386.586:32619): user pid=17683 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=94.102.1.248 terminal=sshd res=failed'

I have gone through my last year's worth of audit logs to summarize the most often guessed usernames and the sources of hacking attempts. The most commonly guessed usernames are:

  1. root
  2. test
  3. oracle
  4. admin
  5. user
  6. postgres
  7. guest
  8. nagios
  9. mysql
  10. tomcat

Runners-up were: student, cyrus, mythtv, administrator, temp and apache.

And, here are the top IP addresses that have been trying to get in:

  1. 114.141.196.155 (dedserver.net, a dns name with no website!)
  2. 221.143.48.15 (korea)
  3. 61.55.135.182 (china)
  4. 175.125.21.228 (korea)
  5. 94.102.1.248 (turkey)
  6. 121.88.249.143 (korea)
  7. 111.68.108.6 (pakistan)
  8. 173.244.187.10 (ohio, USA)
  9. 118.217.12.34 (korea)
  10. 212.156.122.94 (turkey)
  11. 218.64.215.239 (china)
  12. 91.209.238.2 (mexico?)
  13. 118.219.234.163 (korea)

What can we learn from this? First, notice that the username "root" is the most popular username guessed. That is because many UNIX systems are configured with a "root" account, and that account usually has full privileges. It is the account a hacker would most like to obtain on a system. To protect against this, make sure that root logins over ssh from the Internet are disabled. It is preferable to have a system administrator log in with their own userid, then "su" to a root level account.

Three of the top 10 accounts (oracle, postgres and mysql) are database accounts. So, if you run these databases and they need to be administered from the Internet, be sure that you have secured their database usernames with strong passwords.

Accounts such as admin and guest are typically generic accounts shared by many people. These accounts usually have weak passwords and should be avoided.

In summary, remember to:

  • disable root level logins via ssh.
  • change default passwords for any and all default accounts.
  • review the audit log for login successes from unknown IP addresses.
  • review the audit log for login failures to keep an eye on the latest accounts that are being guessed against your system.
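Both audit-log checks above can be automated. The following script is an added example (not the author's own tooling) that parses auditd USER_LOGIN records in the format shown earlier, counts failed attempts by guessed account and by source address, and flags successful logins from addresses outside an assumed allowlist. The sample records and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records in the auditd USER_LOGIN format shown in the post
# (hypothetical accounts and addresses, not taken from the author's logs).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1291694386.586:32619): user pid=17683 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1291694390.101:32620): user pid=17690 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1291694395.222:32621): user pid=17695 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.9 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1291694400.333:32622): user pid=17701 uid=1000 auid=1000 ses=12 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.20 terminal=sshd res=success'
type=USER_LOGIN msg=audit(1291694405.444:32623): user pid=17708 uid=1000 auid=1000 ses=13 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.9 terminal=sshd res=success'
"""

# acct is normally quoted; auditd hex-encodes it (unquoted) when the name
# contains quotes or control characters, so both forms are accepted.
USER_LOGIN_RE = re.compile(
    r"^type=USER_LOGIN .*?msg='op=login "
    r'acct=(?:"(?P<acct>[^"]*)"|(?P<acct_hex>[0-9A-Fa-f]+)) '
    r".*?addr=(?P<addr>\S+) .*?res=(?P<res>\w+)'"
)

def parse_user_login(line):
    """Return (acct, addr, res) for a USER_LOGIN record, or None otherwise."""
    m = USER_LOGIN_RE.match(line)
    if not m:
        return None
    acct = m.group("acct")
    if acct is None:
        acct = bytes.fromhex(m.group("acct_hex")).decode("utf-8", "replace")
    return acct, m.group("addr"), m.group("res")

def summarize(lines, known_addrs=frozenset(), top=10):
    """Top guessed accounts, top failing sources, and successes from
    addresses not in known_addrs (the allowlist the admin maintains)."""
    accts, addrs, suspicious = Counter(), Counter(), []
    for line in lines:
        rec = parse_user_login(line)
        if rec is None:
            continue
        acct, addr, res = rec
        if res == "failed":
            accts[acct] += 1
            addrs[addr] += 1
        elif res == "success" and addr not in known_addrs:
            suspicious.append((acct, addr))
    return accts.most_common(top), addrs.most_common(top), suspicious

if __name__ == "__main__":
    top_accts, top_addrs, flagged = summarize(SAMPLE_AUDIT_LOG.splitlines(), {"192.0.2.20"})
    print("guessed accounts:", top_accts)
    print("failing sources:", top_addrs)
    print("successes from unknown addresses:", flagged)
```

On a real host, feed it the output of `ausearch -m USER_LOGIN` (or the raw audit.log) instead of the constructed sample.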

2 thoughts on "Top 10 usernames hackers try"

  1. This sounds like fun! Now I’m thinking about putting a dummy log-on form on the bottom of my homepage and seeing what kinds of attempts I get from where.

    Before I re-wrote my spam filter and they stopped being able to post to my comment page (and soon thereafter stopped trying) I was getting lots of visits from Russian, Ukrainian and Chinese IPs. Chicago seemed to come up a lot too.
