"Hacking" attempts on this site

Tags: Random Shit

This server receives many brute-force ssh login attempts per day. Many use common Linux system user names like root, postgres, www and pi. A lot are also common surnames like Peter, Alex, Jack and Kim. This post is an attempt to make a mildly interesting statistic from the data gathered. It shows that bots exist on the internet and that they try to find insufficiently secured servers. The accessing IPs are logged and their location was queried via geolocation-db.com (seems to be down now). This is of course not representative, because the location can easily be spoofed using a VPN, and it is very likely that malicious actors would use one to increase their anonymity on the internet. This has been done out of curiosity more than anything else and to test out the following tools:

Usernames
Above: A word cloud of the one hundred most tried ssh user names on my server by hackers. For raw data, see table below.
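| Username | Count |
| --- | --- |
| root | 1800 |
| user | 326 |
| test | 302 |
| ubuntu | 295 |
| postgres | 264 |
| steam | 260 |
| oracle | 253 |
| guest | 201 |
| ftpuser | 191 |
| centos | 184 |
| pi | 145 |
| testuser | 112 |
| es | 105 |
| devops | 95 |
| ansadmin | 95 |
| ansible | 86 |
| vagrant | 85 |
| ftp | 81 |
| hadoop | 79 |
| www | 79 |
| zjw | 79 |
| halo | 79 |
| tester | 77 |
| esuser | 75 |
| dmdba | 73 |
| emqx | 66 |
| dockeradmin | 64 |
| posiflex | 62 |
| jenkins | 50 |
| dev | 50 |
| elastic | 46 |
| web | 40 |
|  | 33 |
| student | 32 |
| ubnt | 32 |
| teamspeak | 31 |
| minecraft | 28 |
| deploy | 27 |
| mc | 23 |
| support | 23 |
| deployer | 22 |
| casadiagnosis | 22 |
| ts3 | 22 |
| a | 21 |
| bot | 21 |
| discord | 20 |
| debian | 20 |
| blank | 17 |
| 1 | 16 |
| linux | 16 |
| dspace | 16 |
| linaro | 15 |
| ts3server | 15 |
| systems | 15 |
| notes | 15 |
| carlos | 15 |
| q | 14 |
| mcserver | 14 |
| fa | 14 |
| bitrix | 13 |
| mailadmin | 12 |
| discordbot | 12 |
| Test | 11 |
| openhabian | 10 |
| server | 10 |
| Root | 10 |
| alex | 10 |
| moxa | 10 |
| hello | 9 |
| config | 9 |
| unknown | 9 |
| odoo15 | 9 |
| tomcat | 8 |
| test1 | 8 |
| teamspeak3 | 8 |
| User | 8 |
| testuser2 | 7 |
| subbu | 7 |
| nvidia | 6 |
| ops | 6 |
| nagios | 6 |
| sonar | 6 |
| prueba | 6 |
| teste | 5 |
| admin1 | 5 |
| hduser | 5 |
| ankush | 5 |
| default | 5 |
| ftptest | 5 |
| account3 | 5 |
| sammy | 5 |
| weblogic | 5 |
| daenon | 5 |
| administrator | 5 |
| ftpuser2 | 5 |
| user1 | 5 |
| python | 4 |
| gitlab | 4 |
| vm | 4 |
| craft | 4 |
| odoo | 4 |
| account | 4 |
| hari | 4 |
| sysadmin | 4 |
| hd16x05 | 4 |
| mike | 4 |
| cloud | 4 |
| vion | 4 |
| hans | 4 |
| vnc | 4 |
| info | 4 |
| naveen | 4 |
| work | 4 |
| data | 3 |
| lisi | 3 |
| beta | 3 |
| kim | 3 |
| ben | 3 |
| acserver | 3 |
| elk | 3 |
| dashboard | 3 |
| Admin | 3 |
| ftpadmin | 3 |
| azureuser | 3 |
| Alex | 3 |
| igor | 3 |
| usuario | 3 |
| db | 3 |
| jeus | 3 |
| andrek | 3 |
| daniel | 3 |
| sinusbot | 3 |
| zabbix | 3 |
| tim | 3 |
| administrador | 3 |
| account2 | 3 |
| username | 3 |
| pub | 3 |
| jack | 3 |
| hd16pt07 | 3 |
| jessica | 3 |
| newuser | 3 |
| manager | 3 |
| testing | 3 |
| devuser | 2 |
| marcelo | 2 |
| cs | 2 |
| sofia | 2 |
| yy | 2 |
| mqm | 2 |
| station3 | 2 |
| usr | 2 |
| moises | 2 |
| bharat | 2 |
| tir | 2 |
| ww | 2 |
| polaris | 2 |
| james | 2 |
| ventas | 2 |
| nginx | 2 |
| karen | 2 |
| admin123 | 2 |
| edge | 2 |
| kk | 2 |
| ftp_test | 2 |
| soa | 2 |
| ana | 2 |
| make | 2 |
| builder | 2 |
| online | 2 |
| splunk | 2 |
| service | 2 |
| process | 2 |
| kiosk | 2 |
| export | 2 |
| jason | 2 |
| tina | 2 |
| rustserver | 2 |
| hpcadmin | 2 |
| webadmin | 2 |
| dummy | 2 |
| help | 2 |
| rahul | 2 |
| boss | 2 |
| henry | 2 |
| musikbot | 2 |
| vbox | 2 |
| pramod | 2 |
| english | 2 |
| insightvm | 2 |
| ts | 2 |
| sinus | 2 |
| gokul | 2 |
| jimmy | 2 |
| portal | 2 |
| start | 2 |
| toor | 2 |
| peuser | 2 |
| ly | 2 |
| Administrator | 2 |
| king | 2 |
| gtekautomation | 2 |
| g | 2 |
| hostinger | 2 |
| jupyter | 2 |
| samir | 2 |
| sam | 2 |
| joseph | 2 |
| li | 2 |
| dpu | 2 |
| wyl | 2 |
| ghost | 2 |
| frappe | 2 |
| maestro | 2 |
| eng | 2 |
| sherry | 2 |
| user2 | 2 |
| sybase | 2 |
| dvd | 2 |
| developer | 2 |
| spotlight | 2 |
| delta | 2 |
| chimsen | 2 |
| chris | 2 |
| m1 | 2 |
| conta | 2 |
| build | 2 |
| julio | 2 |
| workflow | 2 |
| dalia | 2 |
| sample | 2 |
| master | 2 |
| john | 2 |
| casa | 2 |
| rob | 2 |
| ansuser | 2 |
| x | 2 |
| neo4j | 2 |
| wke | 2 |
| grid | 2 |
| bill | 2 |
| orangepi | 2 |
| network | 2 |
| Guest | 2 |
| webmaster | 2 |
| account1 | 2 |
| tom | 2 |
| peter | 2 |
| thomas | 2 |
| user7 | 2 |
| vpn | 2 |
| eagle | 2 |
| uftp | 2 |
| usuario1 | 2 |
| deamon | 2 |
| abc | 2 |
| iii | 2 |
| jboss | 2 |
| kevin | 2 |
| calendar | 2 |
| anthony | 2 |
| eirik | 2 |
| marek | 2 |
| station6 | 2 |
| afp | 2 |
| mapr | 2 |
| temp | 2 |
| gordon | 2 |
| facebook | 2 |
| teacher1 | 2 |
| ahmed | 2 |
| James | 2 |
| martine | 2 |
| jump | 2 |
| hermann | 2 |
| user02 | 2 |
| incoming | 2 |
| felins | 2 |
| userftp | 2 |
| moodle | 2 |
| erika | 2 |
| test123 | 2 |
| edward | 2 |
| michael | 2 |
| marin | 2 |
| eddie | 2 |
| amit | 2 |
| t | 2 |
| osm | 2 |
| mohammad | 2 |
| arkserver | 2 |
| wordpress | 2 |
| demo | 2 |
| docker | 2 |
| csgoserver | 2 |
| lls | 2 |
| lisa | 2 |
| yg | 1 |
| hywang | 1 |
| utils | 1 |
| csserver | 1 |
| sme | 1 |
| webster | 1 |
| imobilis | 1 |
| hd15pt05 | 1 |
| knp | 1 |
| lorenzo | 1 |
| wc | 1 |
| valli | 1 |
| agata | 1 |
| mysql_admin | 1 |
| sampath | 1 |
| hy | 1 |
| ebf | 1 |
| sadegh | 1 |
| nominatim | 1 |
| gts | 1 |
| hsi | 1 |
| student04 | 1 |
| me | 1 |
| netgear | 1 |
| java | 1 |
| mongodb | 1 |
| drone | 1 |
| grq | 1 |
| ds | 1 |
| sso | 1 |
| ark | 1 |
| salman | 1 |
| aan | 1 |
| spr | 1 |
| sansforensics | 1 |
| winer | 1 |
| cheryl | 1 |
| royal | 1 |
| root01 | 1 |
| tmhttpd | 1 |
| uwsgi | 1 |
| aa | 1 |
| u | 1 |
| loguser | 1 |
| uploader | 1 |
| dasusr1 | 1 |
| wp | 1 |
| manal | 1 |
| melissa | 1 |
| zengzheni | 1 |
| dave | 1 |
| zhu | 1 |
| med | 1 |
| impala | 1 |
| exx | 1 |
| camera | 1 |
| chia | 1 |
| wjz | 1 |
| argo | 1 |
| tally | 1 |
| wetserver | 1 |
| wsx | 1 |
| wesley | 1 |
| adi | 1 |
| kenny | 1 |
| patrick | 1 |
| mxintadm | 1 |
| aziz | 1 |
| cc | 1 |
| citrixuser | 1 |
| njk | 1 |
| vitor | 1 |
| user13 | 1 |
| zimbra | 1 |
| stu | 1 |
| asd | 1 |
| odoo8 | 1 |
| jean | 1 |
| testtest | 1 |
| itu | 1 |
| nz | 1 |
| fuzihao | 1 |
| vps | 1 |
| botuser | 1 |
| jay | 1 |
| leo | 1 |
| tomcat2 | 1 |
| comercial | 1 |
| juan | 1 |
| sandra | 1 |
| javed | 1 |
| hq | 1 |
| pab | 1 |
| xsw | 1 |
| ot2022g | 1 |
| Pamela | 1 |
| sjj | 1 |
| ts2 | 1 |
| tiago | 1 |
| lanou | 1 |
| flora | 1 |
| apple | 1 |
| zyx | 1 |
| zr | 1 |
| tmf | 1 |
| liying | 1 |
| xunjian | 1 |
| burninuser | 1 |
| tdc | 1 |
| yangjun | 1 |
| ucp | 1 |
| maxime | 1 |
| linuxtest | 1 |
| thj | 1 |
| kubernetes | 1 |
| pavan | 1 |
| vfi | 1 |
| raj | 1 |
| dbadmin | 1 |
| aud | 1 |
| song | 1 |
| austin | 1 |
| lft | 1 |
| olv | 1 |
| north | 1 |
| sarah | 1 |
| hxeadm | 1 |
| jember | 1 |
| transfer | 1 |
| neeraj | 1 |
| socket | 1 |
| zxin10 | 1 |
| public | 1 |
| angelica | 1 |
| spread | 1 |
| dpt | 1 |
| robo | 1 |
| mwb | 1 |
| qy | 1 |
| forge | 1 |
| vk | 1 |
| fleet | 1 |
| yiling | 1 |
| apollo | 1 |
| pradeep | 1 |
| tr | 1 |
| hd15pw01 | 1 |
| ovhuser | 1 |
| yarn | 1 |
| lbs | 1 |
| 1111 | 1 |
| rancher | 1 |
| balaji | 1 |
| jan | 1 |
| dhn | 1 |
| pop | 1 |
| nils | 1 |
| le | 1 |
| bea | 1 |
| users | 1 |
| init | 1 |
| bmf | 1 |
| tileserver | 1 |
| user22 | 1 |
| plano | 1 |
| big | 1 |
| svn | 1 |
| ira | 1 |
| indra | 1 |
| celia | 1 |
| canal | 1 |
| jira | 1 |
| ctrls | 1 |
| marcio | 1 |
| laurent | 1 |
| oleg | 1 |
| albert | 1 |
| linz1114 | 1 |
| yosa | 1 |
| gabriel | 1 |
| uzivatel | 1 |
| alberto | 1 |
| 123 | 1 |
| fmaster | 1 |
| pty | 1 |
| chester | 1 |
| yan | 1 |
| alfonso | 1 |
| dbseller | 1 |
| fujita | 1 |
| valeria | 1 |
| juliana | 1 |
| lfs | 1 |
| media | 1 |
| cpanel | 1 |
| orlando | 1 |
| sudo | 1 |
| fastuser | 1 |
| bh | 1 |
| milton | 1 |
| nifi | 1 |
| alfa | 1 |
| cesar | 1 |
| cat | 1 |
| lry | 1 |
| henk | 1 |
| light | 1 |
| zhouh | 1 |
| hugo | 1 |
| xufang | 1 |
| px | 1 |
| intel | 1 |
| tiger | 1 |
| tomcat8 | 1 |
| niv | 1 |
| elasticsearch | 1 |
| mcserv | 1 |
| student8 | 1 |
| registry | 1 |
| browser | 1 |
| app | 1 |
| wizard | 1 |
| sunday | 1 |
| syslog | 1 |
| ts3sv | 1 |
| VM | 1 |
| lin | 1 |
| kelvin | 1 |
| ob | 1 |
| fff | 1 |
| markus | 1 |
| anirudh | 1 |
| elasticuser | 1 |
| ps | 1 |
| bm3871 | 1 |
| pip | 1 |
| zlg | 1 |
| sdtdserver | 1 |
| sispac | 1 |
| baum | 1 |
| pbe | 1 |
| contact | 1 |
| sophia | 1 |
| ts3server1 | 1 |
| tommy | 1 |
| pwrchute | 1 |
| svnroot | 1 |
| gamemaster | 1 |
| wasadmin | 1 |
| kg | 1 |
| pruebasfe | 1 |
| user01 | 1 |
| ada | 1 |
| lucia | 1 |
| xavier | 1 |
| mathew | 1 |
| Redistoor | 1 |
| ctf | 1 |
| max | 1 |
| hf | 1 |
| silver | 1 |
| ac | 1 |
| bso | 1 |
| webhost | 1 |
| wfp | 1 |
| pio | 1 |
| mailroom | 1 |
| johnson | 1 |
| rohan | 1 |
| fiscal | 1 |
| owncloud | 1 |
| fgt | 1 |
| zhangjinyang | 1 |
| Alex1 | 1 |
| noa | 1 |
| webadm | 1 |
| andy | 1 |
| pig | 1 |
| red | 1 |
| sunny | 1 |
| jj | 1 |
| nrg | 1 |
| rock | 1 |
| stefan | 1 |
| servis | 1 |
| adminstrator | 1 |
| rebecca | 1 |
| pyy | 1 |
| jlopez | 1 |
| kub | 1 |
| bootcamp | 1 |
| hd19x05 | 1 |
| kelly | 1 |
| sapaccount | 1 |
| profe | 1 |
| composer | 1 |
| suraj | 1 |
| platform | 1 |
| erp | 1 |
| user100 | 1 |
| debora | 1 |
| space | 1 |
| george | 1 |
| zhongfu | 1 |
| mihai | 1 |
| stack | 1 |
| lib | 1 |
| sip | 1 |
| lw | 1 |
| adam | 1 |
| aiden | 1 |
| user8 | 1 |
| macintosh | 1 |
| tqm | 1 |
| osboxes | 1 |
| alvin | 1 |
| operador | 1 |
| terrariaserver | 1 |
| otto | 1 |
| mine | 1 |
| ld | 1 |
| hdfs | 1 |
| sara | 1 |
| dsadm | 1 |
| oc | 1 |
| jinzhenj | 1 |
| rf | 1 |
| ncc | 1 |
| tryton | 1 |
| guest2 | 1 |
| tuser | 1 |
| cynthia | 1 |
| frp | 1 |
| philip | 1 |
| gbase | 1 |
| mangesh | 1 |
| lucas | 1 |
| reza | 1 |
| dst | 1 |
| ljw | 1 |
| barbara | 1 |
| dp | 1 |
| cv | 1 |
| da1adm | 1 |
| amssys | 1 |
| supervisor | 1 |
| qdx | 1 |
| dreamer | 1 |
| redis | 1 |
| isha | 1 |
| ego | 1 |
| ako | 1 |
| sklad | 1 |
| mycat | 1 |
| orion | 1 |
| 22 | 1 |
| 1234 | 1 |
| vilma | 1 |
| claudio | 1 |
| kana | 1 |
| zz | 1 |
| idc | 1 |
| xd | 1 |
| ode | 1 |
| carbon | 1 |
| hexing | 1 |
| vladimir | 1 |
| sawada | 1 |
| marcela | 1 |
| tigergraph | 1 |
| sky | 1 |
| cptuser | 1 |
| jenny | 1 |
| test2 | 1 |
| user15 | 1 |
| md | 1 |
| hanna | 1 |
| html | 1 |
| radioserver | 1 |
| gaurav | 1 |
| ilog | 1 |
| steve | 1 |
| auser | 1 |
| alt | 1 |
| cyril | 1 |
| mcguitaruser | 1 |
| benjamin | 1 |
| gb | 1 |
| sftp | 1 |
| zw | 1 |
| apache | 1 |
| gerencia | 1 |
| isaac | 1 |
| lukas | 1 |
| ddd | 1 |
| zav | 1 |
| william | 1 |
| Christopher | 1 |
| bitnami | 1 |
| spider | 1 |
| training | 1 |
| mysql_public | 1 |
| lsh | 1 |
| lois | 1 |
| hooman | 1 |
| hospital | 1 |
| demos | 1 |
| ll | 1 |
| rolf | 1 |
| dino | 1 |
| joao | 1 |
| jp | 1 |
| zqy | 1 |
| techuser | 1 |
| ktw | 1 |
| logout | 1 |
| anna | 1 |
| asterisk | 1 |
| vikram | 1 |
| rn | 1 |
| rundeck | 1 |
| sml | 1 |
| pwn | 1 |
| leonard | 1 |
| jqu | 1 |
| miller | 1 |
| hh | 1 |
| sdr | 1 |
| gpadmin | 1 |
| xia | 1 |
| webapps | 1 |
| marge | 1 |
| haldaemon | 1 |
| giovanni | 1 |
| student9 | 1 |
| tomas | 1 |
| flow | 1 |
| upload | 1 |
| nn | 1 |
| harold | 1 |
| mailuser | 1 |
| chendong | 1 |
| adminuser | 1 |
| postgresadm | 1 |
| kernel | 1 |
| lxd | 1 |
| rlk | 1 |
| zhan | 1 |
| pal | 1 |
| films | 1 |
| cloud_user | 1 |
| vegeta | 1 |
| bert | 1 |
| meeting | 1 |
| tech | 1 |
| yamamoto | 1 |
| anand | 1 |
| jperez | 1 |
| water | 1 |
| raspberrypi | 1 |
| vic | 1 |
| potato | 1 |
| syn | 1 |
| fyc | 1 |
| pam | 1 |
| jb | 1 |
| line | 1 |
| acs | 1 |
| factorio | 1 |
| wolfgang | 1 |
| nikhil | 1 |
| sqoop | 1 |
| xuh | 1 |
| nodeproxy | 1 |
| r | 1 |
| ftp1 | 1 |
| alfred | 1 |
| wl | 1 |
| ircd | 1 |
| rtc | 1 |
| fabian | 1 |
| ebs | 1 |
| hg | 1 |
| mmm | 1 |
| aris | 1 |
| techadmin | 1 |
| richard | 1 |
| pto | 1 |
| iot | 1 |
| magento | 1 |
| gambaa | 1 |
| micha | 1 |
| cib | 1 |
| chenyusheng | 1 |
| anais | 1 |
| pratik | 1 |
| ent | 1 |
| ftptest1 | 1 |
| bvm | 1 |
| zsy | 1 |
| t7adm | 1 |
| petra | 1 |
| siteadmin | 1 |
| dss | 1 |
| adm | 1 |
| suresh | 1 |
| marcin | 1 |
| quantum | 1 |
| martin | 1 |
| taiwan | 1 |
| kali | 1 |
| clovis | 1 |
| acme | 1 |
| test01 | 1 |
| newuser1 | 1 |
| bluecat | 1 |
| fno | 1 |
| demon | 1 |
| stream | 1 |
| xh | 1 |
| zhou | 1 |
| 2 | 1 |
| chn | 1 |
| virl | 1 |
| vmc | 1 |
| nexus | 1 |
| glen | 1 |
| harry | 1 |
| sun | 1 |
| yzf | 1 |
| reuniao | 1 |
| ksw | 1 |
| kvg | 1 |
| ssld | 1 |
| sts | 1 |
| jm | 1 |
| adminrig | 1 |
| ppps | 1 |
| ankur | 1 |
| gis | 1 |
| manish | 1 |
| m | 1 |
| invitado | 1 |
| tsh | 1 |
| vdc | 1 |
| cubrid | 1 |
| database | 1 |
| sandeep | 1 |
| ares | 1 |
| cathy | 1 |
| hjb | 1 |
| geral | 1 |
| student07 | 1 |
| blog | 1 |
| rpc | 1 |
| sx | 1 |
| ela | 1 |
| krishna | 1 |
| tavi | 1 |
| olga | 1 |
| yoshiaki | 1 |
| AHMEDYA | 1 |
| oscar | 1 |
| huangwei | 1 |
| multimedia | 1 |
| myftp | 1 |
| kang | 1 |
| ncs | 1 |
| dell | 1 |
| js | 1 |
| bungee | 1 |
| zzh | 1 |
| vpnuser | 1 |
| dolly | 1 |
| bob | 1 |
| user05 | 1 |
| marlon | 1 |
| beginner | 1 |
| adis | 1 |
| joe | 1 |
| sonarqube | 1 |
| maxim | 1 |
| xpp | 1 |
| vsftpd | 1 |
| csxm | 1 |
| hps | 1 |
| siva | 1 |
| eg | 1 |
| zf | 1 |
| jht | 1 |
| helpdesk | 1 |
| kopp | 1 |
| etserver | 1 |
| yhuser | 1 |
| LKepler | 1 |
| panel | 1 |
| baidu | 1 |
| sham | 1 |
| mgm | 1 |
| gj | 1 |
| daniela | 1 |
| easy | 1 |
| password | 1 |
| thiago | 1 |
| lxj | 1 |
| administrateur | 1 |
| ryder | 1 |
| toni | 1 |
| ed | 1 |
| guest01 | 1 |
| kv | 1 |
| shaman | 1 |
| osmc | 1 |
| diandra | 1 |
| rforlu | 1 |
| hybris | 1 |
| gast | 1 |
| oms | 1 |
| erica | 1 |
| recepcja | 1 |
| amir | 1 |
| zzr | 1 |
| shinken | 1 |
| isabelle | 1 |
| kalista | 1 |
| phpmyadmin | 1 |
| broadcast | 1 |
| sistema | 1 |
| de | 1 |
| fuho | 1 |
| user6 | 1 |
| liuhao | 1 |
| mc1 | 1 |
| mob | 1 |
| eric | 1 |
| aperez | 1 |
| mark | 1 |
| reginaldo | 1 |
| michel | 1 |
| tanya | 1 |
| prueba1 | 1 |
| sftpuser | 1 |
| onkar | 1 |
| felix | 1 |
| user5 | 1 |
| laptop | 1 |
| xiang | 1 |
| ftpUser | 1 |
| ning | 1 |
| dm | 1 |
| uk | 1 |
| chenj | 1 |
| z | 1 |
| megha | 1 |
| olx | 1 |
| otrs | 1 |
| minecraftserver | 1 |
| signa | 1 |
| ix | 1 |
| RPM | 1 |
| robson | 1 |
| dqq | 1 |
| dd | 1 |
| christine | 1 |
| wilma | 1 |
| sFTPUser | 1 |
| delgado | 1 |
| zheng | 1 |
| localadmin | 1 |
| cxl | 1 |
| xxs | 1 |
| fmy | 1 |
| external | 1 |
| lan | 1 |
| wei | 1 |
| wlb | 1 |
| arnaud | 1 |
| 02 | 1 |
| arun | 1 |
| owner | 1 |
| camille | 1 |
| httpfs | 1 |
| pyramid | 1 |
| xc | 1 |
| mitzi | 1 |
| kiran | 1 |
| mysqladmin | 1 |
| kobayashi | 1 |
| eh | 1 |
| yoon | 1 |
| sunil | 1 |
| ram | 1 |
| nas | 1 |
| idea | 1 |
| silvia | 1 |
| andrey | 1 |
| pvserver | 1 |
| fileshare | 1 |
| ms | 1 |
| sda | 1 |
| rocco | 1 |
| chan | 1 |
| chimistry | 1 |
| globe | 1 |
| ppp | 1 |
| cliente | 1 |
| ur | 1 |
| zhouying | 1 |
| praveen | 1 |
| oota | 1 |
| caja2 | 1 |
| kinder | 1 |
| qt | 1 |
| video | 1 |
| takamatsu | 1 |
| react | 1 |
| login | 1 |
| mj | 1 |
| s | 1 |
| skynet | 1 |
| bun | 1 |
| elisa | 1 |
| shiyu | 1 |
| biqu | 1 |
| fast | 1 |
| keller | 1 |
| liu | 1 |
| orca | 1 |
| jesus | 1 |
| dice | 1 |
| lara | 1 |
| comunica | 1 |
| ali | 1 |
| csgo | 1 |
| ph | 1 |
| fpf | 1 |
| client | 1 |
| lxh | 1 |
| gmodserver | 1 |
| david | 1 |
| lgx | 1 |
| kirk | 1 |
| teste1 | 1 |
| wangli | 1 |
| share | 1 |
| bk | 1 |
| CISCO | 1 |
| imc | 1 |
| flex | 1 |
| julia | 1 |
| bbs | 1 |
| wlh | 1 |
| next | 1 |
| cristian | 1 |
| vod | 1 |
| vendas | 1 |
| rkb | 1 |
| itadmin | 1 |
| admins | 1 |
| testsftp | 1 |
| dani | 1 |
| natalie | 1 |
| sbo | 1 |
| dietpi | 1 |
| drake | 1 |
| az | 1 |
| uzi | 1 |
| yuchen | 1 |
| agenda | 1 |
| zero | 1 |
| hl | 1 |
| informix | 1 |
| labor | 1 |
| csx | 1 |
| csp | 1 |
| gdb | 1 |
| dcmtk | 1 |
| yuzhen | 1 |
| a8 | 1 |
| xujun | 1 |
| pp | 1 |
| jsu | 1 |
| vmware | 1 |
| rnc | 1 |
| ns | 1 |
| soporte | 1 |
| redmine | 1 |
| marketing | 1 |
| alg | 1 |
| user002 | 1 |
| juliet | 1 |
| samba | 1 |
| images | 1 |
| liwei | 1 |
| pentaho | 1 |
| monique | 1 |
| django | 1 |
| lab5 | 1 |
| interview | 1 |
| antoine | 1 |
| zhangbo | 1 |
| quange | 1 |
| mali | 1 |
| r1soft | 1 |
| ping | 1 |
| sidney | 1 |
| pdf | 1 |
| ken | 1 |
| mac | 1 |
| front | 1 |
| vmuser | 1 |
| odl | 1 |
| marconi | 1 |
| swapnil | 1 |
| zzy | 1 |
| ptj | 1 |
| jesse | 1 |
| nadir | 1 |
| platinum | 1 |
| id | 1 |
| cperez | 1 |
| memcached | 1 |
| hynexus | 1 |
| nti | 1 |
| patricia | 1 |
| bala | 1 |
| peng | 1 |
| best | 1 |
| wkx | 1 |
| 7days | 1 |
| shen | 1 |
| icinga | 1 |
| zan | 1 |
| linuxadmin | 1 |
| nitin | 1 |
| abel | 1 |
| rhea | 1 |
| vivek | 1 |
| tst | 1 |
| mobile | 1 |
| prashant | 1 |
| odoo11 | 1 |
| suser | 1 |
| ajeet | 1 |
| test7 | 1 |
| andrei | 1 |
| acct | 1 |
| test9 | 1 |
| noaccess | 1 |
| zj | 1 |
| store | 1 |
| linkxess | 1 |
| aaron | 1 |
| paramita | 1 |
| ht | 1 |
| mos | 1 |
| miguel | 1 |
| user21 | 1 |
| wt | 1 |
| worker | 1 |
| priv_user | 1 |
| aravind | 1 |
| wink | 1 |
| zy | 1 |
| cvs | 1 |
| diz | 1 |
| vv | 1 |
| yuk | 1 |
| rex | 1 |
| pc | 1 |
| infra | 1 |
| mailman | 1 |
| raul | 1 |
| visitante | 1 |
| otsmanager | 1 |
| xo | 1 |
| gisela | 1 |
| user03 | 1 |
| ankit | 1 |
| hr | 1 |
| cstrike | 1 |
| contabilidad | 1 |
| hostmaster | 1 |
| pbb | 1 |
| ts3bot | 1 |
| pokemon | 1 |
| xiaowei | 1 |
| openstack | 1 |
| vodafone | 1 |
| xxx | 1 |
| lyc | 1 |
| tmax | 1 |
| rvw | 1 |
| suporte | 1 |
| sav | 1 |
| wcc | 1 |
| ludo | 1 |
| idempiere | 1 |
| teste2 | 1 |
| chad | 1 |
| johan | 1 |
| mani | 1 |
| zhl | 1 |
| wialon | 1 |
| lixiao | 1 |
| center | 1 |
| postgres1 | 1 |
| aml | 1 |
| beyndtrust_adm | 1 |
| yhlee | 1 |
| dan | 1 |
| root1 | 1 |
| leonardo | 1 |
| polycom | 1 |
| nelson | 1 |
| site | 1 |
| kafka | 1 |
| sa | 1 |
| market | 1 |
| princess | 1 |
| plm | 1 |
| zxc | 1 |
| hasan | 1 |
| amano | 1 |
| shane | 1 |
| ar | 1 |
| marius | 1 |
| bsnl | 1 |
| mahesh | 1 |
| yassine | 1 |
| cma | 1 |
| magento_user | 1 |
| bhd | 1 |
| mis | 1 |
| Minecraft | 1 |
| christian | 1 |
| piotr | 1 |
| ymx | 1 |
| scv | 1 |
| homes | 1 |
| cm | 1 |
| ibk | 1 |
| archiver | 1 |
| dockerman | 1 |
| robin | 1 |
| yzy | 1 |
| bcdig | 1 |
| mahendra | 1 |
| atom | 1 |
| edison | 1 |
| eswar | 1 |
| ijq | 1 |
| miner | 1 |
| tool | 1 |
| liming | 1 |
| mickey | 1 |
| shop | 1 |
| wmf | 1 |
| zyb | 1 |
| trading | 1 |
| n | 1 |
| tams | 1 |
| escaner | 1 |
| mary | 1 |
| ec2user | 1 |
| fb | 1 |
| core | 1 |
| asi | 1 |
| zhaoxu | 1 |
| aef | 1 |
| teacher | 1 |
| xfy | 1 |
| craig | 1 |
| demouser | 1 |
| edu01 | 1 |
| liferay | 1 |
| vada | 1 |
| gc | 1 |
| faberj | 1 |
| urbackup | 1 |
| kgd | 1 |
| zg | 1 |
| jaw | 1 |
| joey | 1 |
| dylan | 1 |
| h | 1 |
| aldo | 1 |
| oper | 1 |
| khalesi | 1 |
| remote | 1 |
| vijay | 1 |
| mne | 1 |
| esadm1 | 1 |
| nux | 1 |
| masha | 1 |
| titan | 1 |
| fabio | 1 |
| szw | 1 |
| sshproxy | 1 |
| mingdong | 1 |
| jake | 1 |
| local | 1 |
| telegram | 1 |
| jacky | 1 |
| ika | 1 |
| ccc | 1 |
| nigger | 1 |
| wing | 1 |
| operation | 1 |
| vaibhav | 1 |
| viewer | 1 |
| francesco | 1 |
| gerrit2 | 1 |
| cardpro | 1 |
| cy | 1 |
| ins | 1 |
| drm | 1 |
| yangningxin | 1 |
| juntasi | 1 |
| ethos | 1 |
| mdb | 1 |
| nat | 1 |
| bb | 1 |
| luke | 1 |
| ccook | 1 |
| laboratory | 1 |
| joneill | 1 |
| aura | 1 |
| abi | 1 |
| darrell | 1 |
| vyatta | 1 |
| vsx | 1 |
| liwen | 1 |
| dash | 1 |
| oozie | 1 |
| sonic | 1 |
| mosquitto | 1 |
| tsserver | 1 |
| sysop | 1 |
| paul | 1 |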
Countries of Origin
Above: A word cloud of countries of origin of login attempts. For raw data, see table below.
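| Country | Count |
| --- | --- |
| United States | 281 |
| China | 185 |
| Russia | 176 |
| Singapore | 62 |
| Japan | 58 |
| Germany | 48 |
| India | 41 |
| South Korea | 40 |
| Brazil | 38 |
| United Kingdom | 34 |
| Not found | 31 |
| Hong Kong | 30 |
| Vietnam | 28 |
| Indonesia | 22 |
| Netherlands | 20 |
| France | 19 |
| Colombia | 19 |
| Argentina | 15 |
| Mexico | 14 |
| Thailand | 10 |
| Italy | 9 |
| Tunisia | 9 |
| Malaysia | 7 |
| Canada | 7 |
| Poland | 6 |
| Taiwan | 6 |
| Israel | 6 |
| Ukraine | 5 |
| Uruguay | 5 |
| Belarus | 5 |
| Peru | 5 |
| Philippines | 5 |
| Bulgaria | 4 |
| Uzbekistan | 4 |
| Iran | 4 |
| Ethiopia | 4 |
| Greece | 4 |
| Bolivia | 4 |
| Hungary | 4 |
| Portugal | 3 |
| Kazakhstan | 3 |
| Uganda | 3 |
| Venezuela | 3 |
| South Africa | 3 |
| Spain | 3 |
| Pakistan | 3 |
| Ecuador | 3 |
| Australia | 3 |
| Egypt | 2 |
| Slovakia | 2 |
| Bahrain | 2 |
| Bangladesh | 2 |
| Croatia | 2 |
| Switzerland | 2 |
| Ireland | 2 |
| Republic of Lithuania | 2 |
| Chile | 2 |
| Turkey | 2 |
| Guatemala | 2 |
| Paraguay | 2 |
| Sri Lanka | 2 |
| Myanmar | 1 |
| Latvia | 1 |
| Finland | 1 |
| Czechia | 1 |
| United Arab Emirates | 1 |
| Oman | 1 |
| Mauritius | 1 |
| Macao | 1 |
| Namibia | 1 |
| Ivory Coast | 1 |
| Kyrgyzstan | 1 |
| Zimbabwe | 1 |
| Nepal | 1 |
| Romania | 1 |
| Réunion | 1 |
| Hashemite Kingdom of Jordan | 1 |
| Niger | 1 |
| Kenya | 1 |
| Luxembourg | 1 |
| None | 1 |
| Sweden | 1 |
| Mongolia | 1 |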
Port Distribution

The standard port for incoming ssh connections is 22. For outbound connections the ssh client chooses an ephemeral port, but these do not seem to be equally distributed. The graphic below shows the distribution of the outbound ports used by attackers.
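
One way to produce tallies like the username table and the source-port distribution from an sshd log, as an added example that is not the author's own code. The log lines are constructed, and the function name `tally` and the 8192-wide port bins are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH sshd log format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[811]: Invalid user pi from 203.0.113.5 port 51234
Mar  3 04:11:04 host sshd[811]: Failed password for invalid user pi from 203.0.113.5 port 51234 ssh2
Mar  3 04:11:09 host sshd[815]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 04:11:12 host sshd[815]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 04:12:30 host sshd[820]: Failed password for root from 198.51.100.7 port 40180 ssh2
Mar  3 04:13:01 host sshd[826]: Invalid user Root from 192.0.2.44 port 1025
Mar  3 04:13:40 host sshd[830]: Accepted publickey for alice from 192.0.2.9 port 55000 ssh2
Mar  3 04:14:00 host sshd[833]: Invalid user  from 192.0.2.44 port 1090
"""

# The user name is chosen by the remote side and may be empty or contain spaces,
# so the pattern is anchored on the fixed "from <ip> port <n>" tail of the line.
ATTEMPT = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<ip>\S+) port (?P<port>\d+)(?: ssh2)?$"
)


def tally(log_text, bin_width=8192):
    """Count tried user names and bin source ports, once per connection."""
    conns = {}
    for line in log_text.splitlines():
        m = ATTEMPT.search(line.rstrip())
        if m:
            # One connection = one (ip, source port) pair; password retries and
            # the paired "Invalid user"/"Failed password" lines collapse into it.
            conns[(m["ip"], int(m["port"]))] = m["user"]
    users = Counter(conns.values())
    ports = Counter(port // bin_width * bin_width for _, port in conns)
    return users, ports


if __name__ == "__main__":
    users, ports = tally(SAMPLE_LOG)
    for name, count in users.most_common():
        print(f"{name!r:10} {count}")
    for start in sorted(ports):
        print(f"{start:5}-{start + 8191:5} {ports[start]}")
```

User names are counted case-sensitively, which is why the table above lists root and Root as separate rows.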

Synopsis: