ssh hackers

SSH hacking. I am amazed at the number of SSH hackers. It's common for people to try to hack your root account. The internet is an amazing thing, allowing us to learn a vast amount of information and content. It is also the biggest distraction ever made, with YouTube, chat rooms and general black holes. And the internet allows us to hack the hell out of each other. An internet-connected device will constantly get hacked, almost no matter what IP address you have!

You will constantly see it in the logs. You see ‘Failed password for root from 103.152.242.19 port 40834 ssh2’ entries. This happens on every host. It happens on hosts that have little valuable information. I found this information on a person's cloud host that they use to host a personal site... nothing of value at ALL, yet it gets hacked all the time.

What else?
The hackers use other names that are common in software found on systems, like admin, test, and other common names. And they do this 24 hours a day, every day of the week, never ending. You can block them with IP address blocking, IP geo-blocking, or simply by not letting anyone connect except valid users.
How? You can allow only certain IP addresses to connect to your host. Only allow the vendor or your own IP into the server. A great method.
How else? You can limit when people connect and WHO can connect, as well.
To prevent anyone on the internet from connecting, you can limit the time that connections are allowed. This is similar to a ‘time lock’ on a bank safe.
A time lock prevents anyone from trying to get into the safe, except during business hours.
Using the same concept as a time lock, you can restrict when you allow connections to your machine at all.
Use a ‘just in time’ authentication method so that your host can only be connected to when you need it.
On Microsoft Azure, look up ‘just in time’ authentication for this service.

Here is some data I found in the auth.log file. This file shows valid and invalid connection attempts. I sorted this file using several Unix commands run against the auth.log file. The command was as follows:

grep 'invalid user' auth.log.1 | awk '{print $13}' | sort -n -r | uniq -c > out19_cc.txt
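
A fixed awk column such as $13 depends on the exact message layout, so the following added example (not the author's script) parses each failed-password line from its end and produces the same kinds of totals and per-username counts reported in this post. The log lines are constructed samples, the function names are made up for this example, and it assumes the traditional syslog timestamp with OpenSSH's "Failed password for ..." messages.

```shell
#!/bin/sh
# Constructed sample lines in the traditional syslog format (not real log data).
sample_log() {
cat <<'EOF'
Mar  3 06:25:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 40834 ssh2
Mar  3 06:25:20 web1 sshd[1203]: Invalid user admin from 203.0.113.7 port 40990
Mar  3 06:25:21 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40990 ssh2
Mar  3 06:25:40 web1 sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar  3 06:26:02 web1 sshd[1209]: Failed password for invalid user test from 198.51.100.23 port 51140 ssh2
Mar  3 06:26:19 web1 sshd[1212]: Failed password for invalid user for from 192.0.2.55 port 33010 ssh2
Mar  3 06:26:41 web1 sshd[1215]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Mar  3 06:27:03 web1 sshd[1218]: Failed password for invalid user admin from 192.0.2.55 port 33020 ssh2
EOF
}

# stdin: auth.log text. stdout: one "ip<TAB>kind<TAB>username" row per failed
# password. Fields are located from the end of the line, so odd usernames
# (such as "for", or one containing spaces) cannot shift the columns.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        ip = $(NF-3); user = $0
        sub(/^.*\]: Failed password for /, "", user)
        sub(/ from [^ ]+ port [0-9]+ ssh2$/, "", user)
        kind = sub(/^invalid user /, "", user) ? "invalid" : "valid"
        print ip "\t" kind "\t" user
    }'
}

# stdin: auth.log text. stdout: totals comparable to the figures in the post.
summary() {
    failed_logins | awk -F '\t' '
        { n++; ips[$1] = 1 }
        $2 == "invalid" { users[$3] = 1 }
        END {
            for (i in ips) ni++
            for (u in users) nu++
            printf "attempts=%d ips=%d invalid_users=%d\n", n, ni, nu
        }'
}

# $1: threshold. stdout: "count username" for invalid usernames tried at
# least that many times, lowest count first (the layout of the post's list).
users_tried_at_least() {
    failed_logins | awk -F '\t' -v min="$1" '
        $2 == "invalid" { c[$3]++ }
        END { for (u in c) if (c[u] >= min) print c[u], u }' | sort -k1,1n -k2
}

sample_log | summary
sample_log | users_tried_at_least 2
```

On a real host, replace `sample_log |` with `cat auth.log.1 |`; the "Invalid user" pre-authentication line is deliberately not counted, since the same attempt also produces a "Failed password" line.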

Here is the attack data. In a little less than a week (six days), some statistics on this host:

20 seconds. The host was hacked about every 20 seconds.

25,375 connections. A total of 25,375 connection requests in this period.

2023 different, unique IP addresses tried to connect.

38 tries. Each IP address tried an average of 38 times to connect (usually using different passwords).

5014 different usernames. The system was given 5014 different, invalid usernames.

2663 usernames were used more than once.

738 usernames were used more than ten (10) times. The list of those usernames (not including root) that tried to SSH to this machine is below:

Two columns. The first column is the number of times that username was used. The next column is the username attempted.

10 zb
10 yw
10 yo
10 wx
10 wc
10 wb
10 vg
10 vf
10 ue
10 ts3server
10 testftp
10 te
10 students
10 storm
10 service
10 sd
10 rw
10 ru
10 ro
10 rl
10 rj
10 qt
10 qr
10 qa
10 ov
10 nginx
10 ng
10 nf
10 nexus
10 na
10 mh
10 lm
10 le
10 kv
10 ku
10 kf
10 kevin
10 kafka
10 jz
10 jt
10 jk
10 jd
10 jboss
10 iq
10 ih
10 hp
10 hl
10 fn
10 ez
10 et
10 ek
10 ei
10 dw
10 da
10 cy
10 cr
10 cl
10 chris
10 cg
10 ce
10 br
10 aw
11 zu
11 zg
11 zc
11 ys
11 ye
11 yc
11 xx
11 xm
11 xi
11 xc
11 wpyan
11 wj
11 vt
11 vk
11 vh
11 tu
11 tc
11 sk
11 sf
11 rt
11 rq
11 qm
11 qi
11 qg
11 qd
11 px
11 pu
11 po
11 pl
11 pe
11 pb
11 ox
11 oq
11 on
11 ob
11 node
11 ly
11 lq
11 ll
11 kt
11 kh
11 jv
11 jg
11 ir
11 ia
11 hk
11 he
11 hd
11 gz
11 gmodserver
11 gk
11 gi
11 gd
11 fu
11 eu
11 er
11 ep
11 dy
11 df
11 deployer
11 cz
11 cx
11 cp
11 confluence
11 cj
11 au
11 asterisk
11 aq
11 ad
12 yy
12 yg
12 xz
12 xp
12 xh
12 xe
12 xbmc
12 xb
12 wv
12 wt
12 wd
12 vyatta
12 vy
12 vv
12 vmail
12 vm
12 vb
12 ut
12 ui
12 tz
12 tx
12 tk
12 td
12 sz
12 st
12 ss
12 sr
12 speech-dispatcher
12 rp
12 robert
12 qw
12 qv
12 qs
12 qo
12 qn
12 py
12 ps
12 ph
12 pf
12 pd
12 oj
12 oi
12 nh
12 nc
12 ls
12 lc
12 kp
12 kl
12 kj
12 ki
12 jo
12 jj
12 is
12 il
12 hv
12 hu
12 hj
12 gx
12 go
12 ey
12 ex
12 eq
12 ec2-user
12 ea
12 dx
12 dh
12 dg
12 ct
12 csgoserver
12 by
12 bn
12 aj
12 ah
12 adm
12 ab
13 zw
13 zr
13 yq
13 ym
13 xy
13 xo
13 xl
13 wr
13 ve
13 vd
13 ux
13 uv
13 tr
13 th
13 temp
13 sx
13 sv
13 sq
13 so
13 rs
13 qu
13 pz
13 pv
13 pt
13 pp
13 oo
13 og
13 oe
13 od
13 ny
13 nb
13 mv
13 mk
13 mb
13 m
13 lw
13 lu
13 kz
13 kr
13 kq
13 jx
13 jh
13 ja
13 im
13 ik
13 ie
13 hh
13 hb
13 fv
13 ft
13 fq
13 fd
13 fb
13 eb
13 dt
13 ds
13 dn
13 dl
13 dk
13 dj
13 de
13 dc
13 cpanelphpmyadmin
13 cc
13 bu
13 bo
13 bl
13 bg
13 al
13 ag
14 zy
14 zs
14 zl
14 zj
14 yh
14 xk
14 xd
14 wi
14 vi
14 uy
14 um
14 uj
14 uc
14 ty
14 tv
14 tt
14 toor
14 tn
14 stackato
14 sinusbot
14 si
14 sconsole
14 sb
14 sansforensics
14 sans
14 samurai
14 rh
14 ra
14 qj
14 qh
14 qe
14 qc
14 pyimagesearch
14 pq
14 pn
14 plexuser
14 pk
14 oy
14 ow
14 osboxes
14 osbash
14 openhabian
14 om
14 nv
14 nq
14 nexthink
14 netscreen
14 NetLinx
14 nao
14 myshake
14 my
14 mt
14 misp
14 maint
14 mailman
14 m202
14 lt
14 localadmin
14 lg
14 ld
14 la
14 kx
14 kw
14 ju
14 js
14 jr
14 if
14 id
14 hz
14 hy
14 hxeadm
14 hq
14 ho
14 hg
14 hduser
14 hacker
14 gu
14 gh
14 fw
14 fl
14 fe
14 daniel
14 cw
14 cu
14 cq
14 cirros
14 bi
14 bb
14 ax
14 as
15 zi
15 yl
15 xv
15 wy
15 wk
15 wf
15 vs
15 vo
15 ts3bot
15 sl
15 se
15 rz
15 redmine
15 ql
15 qk
15 pc
15 ou
15 of
15 oc
15 nt
15 mr
15 michael
15 mg
15 ma
15 lx
15 lb
15 ks
15 kc
15 ka
15 jw
15 iy
15 iw
15 informix
15 info
15 hunter
15 ht
15 hn
15 hf
15 gn
15 ethos
15 eh
15 ed
15 dz
15 dr
15 do
15 device
15 dd
15 david
15 cloudera
15 ch
15 bw
15 bs
15 bj
15 ay
15 ao
15 ac
15 aa
16 zp
16 ze
16 za
16 yt
16 yd
16 xa
16 ww
16 wg
16 vx
16 vq
16 vps
16 vl
16 va
16 uu
16 uploader
16 uk
16 uf
16 tm
16 tg
16 ta
16 sh
16 sg
16 s
16 ry
16 rk
16 rg
16 re
16 q
16 pm
16 or
16 nn
16 nj
16 ms
16 mo
16 mn
16 mm
16 kn
16 k
16 jf
16 hs
16 gm
16 fa
16 ec
16 docker
16 ci
16 bv
16 bf
16 be
16 ba
16 am
16 ai
17 zd
17 yx
17 yv
17 yf
17 xu
17 wl
17 wh
17 vr
17 uz
17 up
17 uh
17 ub
17 tl
17 system
17 sw
17 su
17 steam
17 solr
17 sc
17 rf
17 qx
17 ok
17 oh
17 no
17 nl
17 nk
17 mi
17 me
17 jb
17 j
17 gl
17 gb
17 el
17 ef
17 dp
17 cs
17 cm
17 cd
17 cb
17 ca
17 c
17 bt
17 bm
17 ak
18 zx
18 yj
18 wu
18 we
18 vw
18 vu
18 vc
18 v
18 uw
18 un
18 ti
18 tf
18 telecomadmin
18 rx
18 rv
18 qy
18 qf
18 qb
18 pa
18 oz
18 os
18 nx
18 nw
18 mx
18 mu
18 lo
18 lj
18 ko
18 km
18 ii
18 hr
18 gitlab-runner
18 fy
18 ftp
18 es
18 eo
18 contador
18 bd
19 zk
19 zf
19 yb
19 y
19 xf
19 ws
19 uq
19 to
19 teste
19 redhat
19 r
19 prueba
19 leo
19 jq
19 jm
19 ix
19 iv
19 ic
19 gw
19 fk
19 fh
19 ff
19 ew
20 zv
20 zq
20 xt
20 xg
20 wq
20 wp
20 us
20 ri
20 redis
20 profile1
20 pj
20 p
20 MikroTik
20 jp
20 jn
20 fr
20 fj
20 en
20 em
20 d
20 cisco
20 bx
21 ya
21 x
21 testing
21 qp
21 o
21 n
21 mp
21 minecraft
21 lk
21 li
21 kb
21 f
21 e
21 dq
21 developer
21 bq
21 bp
21 an
21 a
22 yn
22 yi
22 vnc
22 vn
22 vj
22 user3
22 stack
22 rd
22 rb
22 md
22 ip
22 gv
22 g
22 eg
22 bk
22 at
22 alex
23 yp
23 upload
23 ul
23 t
23 sm
23 rm
23 operator
23 oa
23 mw
23 mq
23 ml
23 iz
23 gq
23 gp
23 fc
23 ck
23 centos
23 bh
23 b
24 web1
24 wa
24 w
24 user01
24 tom
24 tech
24 rabbitmq
24 mc
24 h
24 ej
24 cv
24 ar
24 ap
24 admin1
25 z
25 uftp
25 tester
25 pr
25 john
26 user2
26 u
26 apache
27 svn
27 rr
27 public
27 ga
27 du
27 cssserver
28 user0
29 ts
29 teamspeak3
29 l
29 elastic
29 db2inst1
29 Administrator
30 xn
30 ftptest
31 webadmin
31 ftpadmin
31 elasticsearch
33 testuser
34 zabbix
34 vagrant
35 odoo
35 i
35 db
37 webmaster
39 dev
40 spark
41 weblogic
41 jira
44 web
48 tomcat
48 teamspeak
49 student
50 default
52 ts3
52 server
56 www
57 mysql
60 demo
67 jenkins
69 administrator
72 nagios
85 user1
85 support
85 debian
93 ubnt
100 pi
106 hadoop
110 guest
114 deploy
143 test2
144 for
156 usuario
164 git
172 test1
231 ftpuser
424 oracle
700 postgres
725 ubuntu
852 user
938 test
1276 admin
