I found more usernames from real attacks while doing the research for https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injec...
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 2364993_2.patch | 715 bytes | scor |
| #1 | 2364993_1.patch | 731 bytes | scor |
Comments
Comment #1
scor commented
Comment #2
scor commented
remove duplicate
Comment #3
pwolanin commented
Another possible username: "evex"
google for content with the title "evilevilingevils"
Comment #4
Bevan commented
I wonder if it is better to store these lists of known usernames in a central database that Drupalgeddon can check remotely each time it executes. That way we can update them without requiring Drupalgeddon users to update their Drupalgeddon code. Thoughts?
Comment #5
greggmarshall
Or a file? The only problem with a central database is proxies/firewalls, which can be a pain. It took an act of God to get some of our servers whitelisted to talk to drupal.org.
Alternatively a test to see if a later version is on drupal.org that reports can't check if it can't get to drupal.org? Could be patterned off the update manager code base.
Comment #6
Bevan commented
Checking for newer versions and telling the user they should update first is an excellent idea. A "central database" can be a file hosted anywhere on the web, as long as it is secure. Another factor is that with either of these approaches, we can never really get ahead of attackers; they can just change the signatures/names.
Comment #7
xurizaemon
That's a good idea, but +1 to just committing an additional entry for the new username in the interim.
We could easily do this, including a list of usernames in the download, and attempt to retrieve an updated copy from cgit.drupalcode.org (as we do in the suspicious files check already). That could be best of both worlds?
(Currently on mobile in foreign lands.)
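The approach discussed in comments #5 to #7 (ship a username list with the download, try to fetch a newer copy, and report when the fetch was not possible), as an added example that is not part of the thread or Drupalgeddon's own code. The function names, the one-name-per-line list format, case-insensitive matching and the sample accounts are assumptions; the HTTP fetch is left to the caller, which passes null when the request fails.

```php
<?php
// List shipped with the module download (names reported in this thread).
const BUNDLED_USERNAMES = ['evex', 'ghst', 'fasd', '4dm1n', 'Kkk1123'];

/**
 * Parse a fetched list: one username per line, '#' starts a comment.
 * Returns null when the body is missing or fails validation, so the
 * caller falls back to the bundled list instead of trusting bad data.
 */
function parse_remote_list(?string $body, int $maxBytes = 65536): ?array {
  if ($body === null || $body === '' || strlen($body) > $maxBytes) {
    return null;
  }
  $names = [];
  foreach (preg_split('/\R/', $body) as $line) {
    $line = trim($line);
    if ($line === '' || $line[0] === '#') {
      continue;
    }
    // Reject the whole file on an unexpected line (HTML error page, proxy notice).
    if (!preg_match('/^[A-Za-z0-9 ._@\'-]{1,60}$/', $line)) {
      return null;
    }
    $names[] = $line;
  }
  return $names ?: null;
}

/** Match account names against bundled + remote lists, case-insensitively. */
function check_accounts(array $accounts, ?string $remoteBody): array {
  $remote = parse_remote_list($remoteBody);
  $known = array_merge(BUNDLED_USERNAMES, $remote ?? []);
  $lookup = array_flip(array_map('strtolower', $known));
  $hits = [];
  foreach ($accounts as $name) {
    if (isset($lookup[strtolower($name)])) {
      $hits[] = $name;
    }
  }
  return ['list_updated' => $remote !== null, 'matches' => $hits];
}

// Constructed sample data: account names as read from the site's users table.
$accounts = ['admin', 'editor1', 'GHST', 'wc846'];
// Fetch blocked by a firewall: only the bundled list is used, and the report says so.
print_r(check_accounts($accounts, null));
// Fetch succeeded: the remote copy adds a name the bundled list lacks.
print_r(check_accounts($accounts, "# constructed remote list\nwc846\n"));
```

The `list_updated` flag is what lets a report state that it could not check for a newer list, rather than silently presenting results from a stale one.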
Comment #8
pembeci commented
3 more from me:
* ghst
* fasd
* 4dm1n
Comment #9
mikefyfer commented
I've come across a couple for 'Kkk1123'
Comment #10
greggmarshall
wc846 didn't get caught by the latest version as of 2 hours ago.
Comment #11
Bevan commented
It looks like attackers are now using random names. Keeping up with that is futile.
Comment #13
SpenserJ commented