Default usernames and passwords have always been a massive problem in IT. These days, the consumer technology that envelops the Internet of Things (IoT) has only made the problem larger.
Default credentials, which are ignored or too difficult for some people to change, are behind the development of a botnet that took part in the largest DDoS attack on record.
The usernames and passwords below were used to enable the Mirai botnet, which is powered by IoT technology. The botnet hit Brian Krebs with traffic topping out at 620Gbps, but it's also been linked to a DDoS against OVH (799Gbps).
Mirai scans for telnet, and then uses the credentials below in an attempt to brute-force access to the device – which could be a camera, DVR, router, or other connected hardware.
The passwords come from the botnet's source code, which was released by the author last week. Note: There is a duplicate password in the source code. So while scanner.c has 62 password lines to check, only 61 of them are unique combinations.
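On the defensive side, this behaviour shows up in telnet authentication logs as one source working through many different username/password pairs in quick succession. The sketch below is an added example, not part of the original article or of Mirai's code; the log format, thresholds, addresses and credentials are all constructed assumptions. It counts distinct pairs, so a repeated entry (like the duplicate noted above) is counted once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format for failed telnet logins (an assumption, not a real daemon's output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login failed src=(?P<src>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)

def parse(log_text):
    """Yield (timestamp, source IP, (user, password)) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], (m["user"], m["pw"])

def find_dictionary_sources(log_text, min_unique=5, window=timedelta(seconds=60)):
    """Map each source to the most distinct credential pairs it tried inside any
    one window, keeping only sources that reach min_unique. A repeated pair
    counts once, so retries of one mistyped password do not trip the rule."""
    by_src = defaultdict(list)
    for ts, src, cred in parse(log_text):
        by_src[src].append((ts, cred))
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, len({cred for _, cred in events[start:end + 1]}))
        if best >= min_unique:
            flagged[src] = best
    return flagged

def build_sample():
    """Constructed log: a list-walking source (7 tries, 1 repeat) and a mistyping user."""
    t0, fmt = datetime(2016, 10, 3, 10, 0, 0), "{} telnetd: login failed src={} user={} pass={}"
    pairs = [("root", f"pw{i:02d}") for i in range(6)] + [("root", "pw00")]
    lines = [fmt.format((t0 + timedelta(seconds=2 * i)).isoformat(), "198.51.100.7", u, p)
             for i, (u, p) in enumerate(pairs)]
    lines += [fmt.format((t0 + timedelta(minutes=i)).isoformat(), "192.0.2.44", "admin", "typo")
              for i in range(3)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(find_dictionary_sources(build_sample()))
```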
The botnet required, at a minimum, two servers. However, Mirai's author said he hosted the botnet with two VPS accounts, one server to act as a C&C, and three servers to add additional load balancing.
At peak, Mirai had nearly 400,000 devices connected to it from telnet scanning alone. After the attack on Brian Krebs, this shrank down to about 300,000, due to ISPs attempting to correct the easily obtained access.
Along with releasing the botnet source code, the author of Mirai also released detailed instructions for configuration and set-up.
So it won't be long before similar botnets start showing up on the Web.