Last week, I noticed a surge in scans for the username “t128”. This username, accompanied by the password “128tRoutes,” is a well-known default account for Juniper’s Session Smart Networking Platform (or “SSR” for “Session Smart Routing”). The username and password are a bit “odd”. Juniper acquired a company called “128 Technologies” a few years ago, and with this acquisition, integrated SSR into its product portfolio. But much of the product, including default usernames and passwords, remained unchanged. The documentation, including the default username and passwords, is still at 128technology.com [1].
The scans we observed lasted from March 23rd to 28th. About 3000 source IPs took part in these scans. Many of the sources taking part in the scan are well known for scanning SSH and are likely part of some “Mirai Type” botnet.
Double-check that you are not using the default password for the root or t128 account. Some older user questions suggest that changing the password is not always effective, or the process is not obvious [2].
[1] https://docs.128technology.com/docs/cc_fips_access_mgmt/
[2] https://community.juniper.net/discussion/admin-and-t128-users-remain-with-default-passwords-after-onboarding-to-conductor-thoughts
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.