A few interesting and notable ssh/telnet usernames

    Published: 2025-07-06. Last Updated: 2025-07-06 15:29:31 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    Just looked at our telnet/ssh honeypot data, and found some interesting new usernames that  attackers attempted to use:

    "notachancethisisreal"

    This username is likely used to detect Cowrie (and other) honeypots. Cowrie is often configured to accept logins randomly. No matter the username/password combination used, the login will succeed every few times. This is supposed to provide the illusion of a more "real" system, not just allowing some common default password, and not allowing each login to succeed. The password used with the username is "nopasswordforme73baby." Likely to pick a password that is highly unlikely to be used in a real system.

    Any login that succeeds with this username and password will indicate that the system is a honeypot. So far, we have only had 31 login attempts with this username and password, all on July 1st.

    "scadaadmin"

    The name says it: It looks like they are looking for SCADA systems. The password used with this username is "P@$$W0rd". The password has been used "forever" and is popular, but the username is new. 

    The username appears to be associated with "Rapid SCADA" systems, according to some AI results, but I was not able to confirm this in the manuals. Maybe just a hallucination. However, the default password is either 12345 or blank. They are looking for users who have tried to be more secure. I am not sure how they ended up with P@$$W0rd. They also appear to use "admin" and "12345" as default credentials. It isn't a serious SCADA system if it doesn't have simple default credentials like this.

    "gpu001", "gpu002"

    These appear to be common hostnames for network-accessible GPUs, but I wasn't able to confirm that these are actual usernames often used for these systems. But attackers are always out for more GPU/CPU power, so they may just give this a try hoping for the best. There are a few passwords that are used with these usernames, like '7777777', 'gpu001@2025', and '1111111'.

    See anything else that is new and interesting? Or have any insight into the three usernames I listed above? Let me know! (see contact link on the left).

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    Keywords: gpu scada ssh telnet
    0 comment(s)

      Comments

      Login here to join the discussion.


      Diary Archives