Airtell Router Scans, and Mislabeled usernames, (Wed, Aug 20th) SANS Internet Storm Center, InfoCON: green

August 20, 2025

Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result is that HTTP request headers end up in our username and password database. 

Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result is that HTTP request headers end up in our username and password database. 

This morning, I noticed another interestingly looking username: Airtel@123 [1]. We do see it used with “passwords” like root, otx, and itmuser.

A quick Google search confirmed that “Airtel@123” is the password, and the username is likely “admin”, which is not even in the list above. There is another odd thing the attacker may have overlooked here: Based on the documentation I could find, “Airtel@123” is not the telnet/ssh password for the Airtell Zerotouch router. Instead, it appears to be the Wifi default password. The login defaults to the less creative “admin”/”admin”.

And while we are at it, here are a few more “interesting but useful” usernames and passwords I have seen:

‘”username”' – Maybe someone parsing a random password list that was HTML encoded? Or someone trying to XSS our site?

echo ‘Connection established’ – no, it wasn’t. Likely a check to see if the login succeeded.

‘”root”‘ – even double quotes got escaped correctly. I still think this is more bad parsing of a username list, and not an XSS attack.

usernane “$oot” and password “$dmin”. Interesting… No idea if that will work, but anybody got any ideas why someone may try this?

For a full list of recent usernames, see https://isc.sans.edu/data/allsshusernames.html. Let me know if you spot anything interesting.

 

[1] https://isc.sans.edu/ssh_usernames.html?username=QWlydGVsQDEyMw%3D%3D


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. 

Read More

Share

In The News

Tech Jacks
Derrick Jackson is a IT Security Professional with over 10 years of experience in Cybersecurity, Risk, & Compliance and over 15 Years of Experience in Enterprise Information Technology

Leave A Reply


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.