What I can say is that, the person who was trying to access your honeypot was using a wordlist, albeit of bad quality because the wordlist contains a large degree of statistical randomness. For the most of us, passwords consist of dictionary words, so a good wordlist would contain that and permutations of it, not just gibberish. By the way, I've scouraged the internet for wordlists and I've seen entries with !...@#$%^&*( , !...@#$% , !...@#$ , !...@# and the others you've included.
--- On Thu, 1/14/10, [email protected] <[email protected]> wrote: > From: [email protected] <[email protected]> > Subject: [Full-disclosure] Looking at SSH scans passwords (honeypot analysis) > To: [email protected] > Date: Thursday, January 14, 2010, 10:49 PM > I just wrote a small analysis of the > SSH scans against our honeypots and one > thing that intrigued me are some of the passwords used in > the scans. > > You can see the article here: > http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html > > But what I am intrigued about are these passwords (bottom > of the > article). Some are very complex > and unique enough that I would guess they are used as > backdoors or > common access across > somewhere... Anyone have ideas or know where they are > used? > > # USER, PASS > 5 software, cvsroot > 5 soft123, sourceforge > 5 rosymdelfin, conautoveracruz > 1 root, tiganilaflorinteleorman > 1 belltrix, s...@r?_ene59p9e9rewr*katr > 1 tiganilaflorinteleorman, root > 1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu > 1 sadmin, &thecentercannothold& > 1 saddleman357, safe > 1 sachin, f9uthlavIaPhlawroEXi > 1 admin, b#5rum$ph!r!Keyufawre?a3r6 > 1 miquelfi, B|*Nsq|TO$~b > 1 root, an0th...@y > 1 admin, 63375312012a > 1 root, zEfrephaq5qAnedufrethekuW > 1 root, z1x2c3v4b5n6 > 1 root, xsw21qaz > 1 root, wiu2ludrlamoatiuTriu > 1 root, teiubescdartunumaiubestiasacahaidesaterminam > 1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU > 1 root, rough46road15 > 1 root, fiatmx1q2w3e > 1 root, empire12 > 1 root, efKO1$4? > 1 root, eempire99 > 1 root, d3lt4f0rc3 > 1 root, celes3cat > 1 root, bleCroujouwLUswOEdrlAfo6w > 1 root, bUspamaxegEGuyU52PEt6estU > 1 root, an0th...@y > 1 root, admin321321 > 1 root, admin1 > 1 root, admin > 1 root, abcd1234 > 1 root, a1s2d3f4g5h6 > 1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u > 1 root, QT3CUCCj > 1 root, pr99*35a!ra-ewruv...@ratuk > 1 root, N6a4t4u8OEwiaW8i7HLaqLaki > 1 root, Liteon81 > 1 root, b_$aj3y3#ucraveve5e2...@p4 > 1 root, BP5FbGRr > 1 root, 63375312012a > 1 root, 1z2x3c4v5b6n > 1 root, 1qaz2wsx > 1 root, 1q2w3e4r5t6y > 1 root, 1q2w3e4r5t > 1 root, 1q2w3e4r > 1 root, 1a2s3d4f5g6hy > 1 root, +#SGU9&rbf-# > 1 root, !...@#$%^&*( > 1 root, !...@#$% > 1 root, !...@#$ > 1 root, !...@# > 1 root, +#sgu9&rbf-# > 1 root, )(*&^...@! > 1 root, &thecentercannothold& > 1 root, %5%7%4%5%1%4%8%7 > 1 news, $changeme$ > 1 $ passwd > 1 root, !...@#$%^&*() > 1 q16060502141279, q16060502141279 > 1 pr99*35a!ra-ewruv...@ratuk, admin > 1 n6a4t4u8oewiaw8i7hlaqlaki, root > 1 admin, miemleh9esplawriuthiewias > 1 admin, J34a47nu > 1 zefrephaq5qanedufrethekuw, sadmin > 1 zander, zechsmerquise88 > 1 root, zaxscd13524 > 1 zander, zechsmerquise88 > 1 yxwvutseqponmlkjihgfedcba, root > 1 yuneneli, z11060510412854 > 1 yourdotw, ip46262 > 1 xgridagent, xgridcontroller > 1 xj050i7bfa, root > 1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter > 1 root, wolfiz0r@ > 1 admin, wolfiz0r@ > 1 root, wiu2ludrlamoatiutriu > 1 ups650cl, lbjlive > 1 root, unlocker > 1 u33977059, ubuntu > 1 u231006, u33977059 > 1 u208417, u231006 > 1 u207114, u208417 > 1 tyson, u207114 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
