A few interesting and notable ssh/telnet usernames, (Sun, Jul 6th)

**Published**: 2025-07-06. **Last Updated**: 2025-07-06 15:29:31 UTC **by** [Johannes Ullrich](https://plus.google.com/101587262224166552564?rel=author) (Version: 1)

Just looked at our telnet/ssh honeypot data, and found some interesting new usernames that attackers attempted to use:

**`notachancethisisreal`**

This username is likely used to detect Cowrie (and other) honeypots. Cowrie is often configured to accept logins randomly: no matter the username/password combination used, the login will succeed every few times. This is supposed to provide the illusion of a more 'real' system, not just allowing some common default password, and not allowing each login to succeed. The password used with the username is '[nopasswordforme73baby](https://isc.sans.edu/ssh_passwords.html?pw=bm9wYXNzd29yZGZvcm1lNzNiYWJ5)'. It was likely picked as a password that is highly unlikely to be used in a real system. Any login that succeeds with this username and password will indicate that the system is a honeypot. So far, we have only had 31 login attempts with this username and password, all on July 1st.

**`scadaadmin`**

The name says it: It looks like they are looking for SCADA systems. The password used with this username is '[P@$$W0rd](https://isc.sans.edu/ssh_passwords.html?pw=UEAkJFcwcmQ%3D)'. The password has been used 'forever' and is popular, but the username is new. The username appears to be associated with 'Rapid SCADA' systems, according to some AI results, but I was not able to confirm this in the manuals. Maybe just a hallucination. However, the default password is either 12345 or blank. They are looking for users who have tried to be more secure. I am not sure how they ended up with P@$$W0rd. They also appear to use 'admin' and '12345' as default credentials. It isn't a serious SCADA system if it doesn't have simple default credentials like this.

**`gpu001`, `gpu002`**

These appear to be common hostnames for network-accessible GPUs, but I wasn't able to confirm that these are actual usernames often used for these systems. But attackers are always out for more GPU/CPU power, so they may just give this a try hoping for the best. There are a few passwords that are used with these usernames, like '7777777', 'gpu001@2025', and '1111111'.

See anything else that is new and interesting? Or have any insight into the three usernames I listed above? Let me know! (See contact link on the left.)

-- Johannes B. Ullrich, Ph.D., Dean of Research, [SANS.edu](https://sans.edu) [Twitter](https://jbu.me/164)

Keywords: [gpu](/tag.html?tag=gpu) [scada](/tag.html?tag=scada) [ssh](/tag.html?tag=ssh) [telnet](/tag.html?tag=telnet)
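As an added example (not code from the diary or from Cowrie), the following Python scans Cowrie JSON log lines for the `notachancethisisreal` canary username described above and reports which sources saw that login succeed, meaning the sensor has been identified as a honeypot by them. It assumes Cowrie's JSON field names `eventid`, `username`, `src_ip` and `timestamp`; the function names and the sample events are constructed for illustration.

```python
import json

# Canary username reported in the diary; no real account should carry it.
CANARY_USER = "notachancethisisreal"
LOGIN_EVENTS = {"cowrie.login.success", "cowrie.login.failed"}

# Constructed sample events (documentation IP ranges), not real sensor data.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"notachancethisisreal","password":"nopasswordforme73baby","src_ip":"192.0.2.10","timestamp":"2025-07-01T03:12:44.000000Z"}
{"eventid":"cowrie.login.success","username":"notachancethisisreal","password":"nopasswordforme73baby","src_ip":"192.0.2.10","timestamp":"2025-07-01T03:12:51.000000Z"}
{"eventid":"cowrie.login.failed","username":"scadaadmin","password":"P@$$W0rd","src_ip":"198.51.100.7","timestamp":"2025-07-01T04:00:02.000000Z"}
{"eventid":"cowrie.login.failed","username":"notachancethisisreal","password":"nopasswordforme73baby","src_ip":"203.0.113.5","timestamp":"2025-07-01T05:30:00.000000Z"}
not-json line left by log rotation
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","timestamp":"2025-07-01T05:29:58.000000Z"}
"""

def canary_probes(lines):
    """Map src_ip -> attempts / accepted / first_seen for canary-username logins."""
    probes = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("eventid") not in LOGIN_EVENTS:
            continue
        if ev.get("username") != CANARY_USER:
            continue
        p = probes.setdefault(ev.get("src_ip", "unknown"),
                              {"attempts": 0, "accepted": False, "first_seen": None})
        p["attempts"] += 1
        # A success means the sensor accepted the impossible credential, so
        # this source can now tell it is talking to a honeypot.
        p["accepted"] |= ev["eventid"] == "cowrie.login.success"
        ts = ev.get("timestamp")
        if ts and (p["first_seen"] is None or ts < p["first_seen"]):
            p["first_seen"] = ts
    return probes

def exposed_sources(probes):
    """Sources for which the canary login succeeded, sorted for stable output."""
    return sorted(ip for ip, p in probes.items() if p["accepted"])

if __name__ == "__main__":
    result = canary_probes(SAMPLE_LOG.splitlines())
    for ip, p in sorted(result.items()):
        print(ip, p)
    print("honeypot revealed to:", exposed_sources(result))
```

Data later collected from a source listed by `exposed_sources` is worth tagging separately, since that client may change its behaviour once it knows the target is a honeypot.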

Related Tags:
NAICS: 334 – Computer And Electronic Product Manufacturing

NAICS: 221 – Utilities

NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services

NAICS: 22 – Utilities

NAICS: 33 – Manufacturing – Metal, Electronics And Other

NAICS: 325 – Chemical Manufacturing

NAICS: 51 – Information

Blog: SANS Internet Storm Center

Brute Force: Password Spraying
