SANS Internet Storm Center - SANS.edu - Go Sentinels!
Common usernames submitted to honeypots https://i5c.us/d30188
Sep 5, 2023 at 12:31amWeb
Show threadrobert daniel pickardSep 5, 2023

@sans_isc could 345gs5662d34 be something like a 'radioactive dye’ to see how how a botmaster's network is being see from open security honeypots?

like the string is random enough that it's easy to identify in published data sets and feeds so someone running a bot network could get a sense of how their activity is being tracked?

i can't tell the difference in a dataset between my “root:root" attempt and someone else’s, but it's likely I’m the only one trying “345gs5662d34: 345gs5662d34”

Show threadLars FischerSep 5, 2023
@rdp @sans_isc I guess it is a form of honeypot-detection. And everyone is using the same malware-service
Show threadNemoSep 8, 2023
@rdp @sans_isc taken from the comments on the article, it's the keycode combination for "my password" on a Taiwanese keyboard.
Show threadrobert daniel pickardSep 8, 2023

@tagtraeumernemo @sans_isc interesting! I plugged it into a stingy decoder but nothing jumped out. Not that I know anything about Taiwanese keyboards.

Thanks for the clue!

https://dencode.com/en/string

String Encoder / Decoder, Converter Online - DenCode

String encoding and decoding converter. e.g. HTML Escape / URL Encoding / Quoted-printable / and many other formats!

DenCode
Show threadThorongilSep 8, 2023
@tagtraeumernemo @rdp @sans_isc unlikely, as I see a „p“ in it, ruling out the possibility of being hex code. And come on, no one would note down keycodes in number systems that include a „p“ 😂
Show threadThiloSep 8, 2023
@tagtraeumernemo @rdp @sans_isc Nope, the Taiwanese "my password" is "ji32k7au4a83" according to this article from 2019: https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned
ji32k7au4a83 is a surprisingly bad password

When you’re creating a new password for an account, it might prompt you to use numbers and letters, and avoid real words. So a password like 420DankMemes might be kind of weak while the password “ji32k7au4a83” might seem stronger. But surprisingly, that particular string of numbers and letters has appeared 141 times on the site Have I Been Pwned, where you can check if your info has been leaked in a data breach, as spotted by Gizmodo.

The Verge
Show threadNemoSep 8, 2023
@Pingu @rdp @sans_isc welp, took that comment on the article to be true. My bad.
Show threadFred_S_at (main)Sep 9, 2023
@rdp @sans_isc
Read from @heisec
https://www.heise.de/news/l-f-Das-raetselhafte-root-Passwort-9299197.html
l+f: Das rätselhafte root-Passwort

Das ISC hat auf Honeypots ausprobierte Benutzernamen und Passwörter veröffentlicht. Das am häufigsten genutzte root-Passwort gibt Rätsel auf.

heise online
Show threadLorKiefSep 8, 2023
@sans_isc Perhaps a hardcoded password somewhere?