I just wrote a small analysis of the SSH scans against our honeypots and one thing that intrigued me is some of the passwords used in the scans.
You can see the article here: http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html

But what I am intrigued about are these passwords (bottom of the article). Some are very complex and unique enough that I would guess they are used as backdoors or common access across somewhere... Anyone have ideas or know where they are used?

# USER, PASS
5 software, cvsroot
5 soft123, sourceforge
5 rosymdelfin, conautoveracruz
1 root, tiganilaflorinteleorman
1 belltrix, s...@r?_ene59p9e9rewr*katr
1 tiganilaflorinteleorman, root
1 morrigan, siamouziesw7unla70lafrl3t0l3frle4lu
1 sadmin, &thecentercannothold&
1 saddleman357, safe
1 sachin, f9uthlavIaPhlawroEXi
1 admin, b#5rum$ph!r!Keyufawre?a3r6
1 miquelfi, B|*Nsq|TO$~b
1 root, an0th...@y
1 admin, 63375312012a
1 root, zEfrephaq5qAnedufrethekuW
1 root, z1x2c3v4b5n6
1 root, xsw21qaz
1 root, wiu2ludrlamoatiuTriu
1 root, teiubescdartunumaiubestiasacahaidesaterminam
1 root, siamouziesw7UNla70lafrl3t0l3frlE4lU
1 root, rough46road15
1 root, fiatmx1q2w3e
1 root, empire12
1 root, efKO1$4?
1 root, eempire99
1 root, d3lt4f0rc3
1 root, celes3cat
1 root, bleCroujouwLUswOEdrlAfo6w
1 root, bUspamaxegEGuyU52PEt6estU
1 root, an0th...@y
1 root, admin321321
1 root, admin1
1 root, admin
1 root, abcd1234
1 root, a1s2d3f4g5h6
1 root, WrIaRoeThIespOeh3AwriufLetiu7Tlu11u
1 root, QT3CUCCj
1 root, pr99*35a!ra-ewruv...@ratuk
1 root, N6a4t4u8OEwiaW8i7HLaqLaki
1 root, Liteon81
1 root, b_$aj3y3#ucraveve5e2...@p4
1 root, BP5FbGRr
1 root, 63375312012a
1 root, 1z2x3c4v5b6n
1 root, 1qaz2wsx
1 root, 1q2w3e4r5t6y
1 root, 1q2w3e4r5t
1 root, 1q2w3e4r
1 root, 1a2s3d4f5g6hy
1 root, +#SGU9&rbf-#
1 root, !...@#$%^&*(
1 root, !...@#$%
1 root, !...@#$
1 root, !...@#
1 root, +#sgu9&rbf-#
1 root, )(*&^...@!
1 root, &thecentercannothold&
1 root, %5%7%4%5%1%4%8%7
1 news, $changeme$
1 $ passwd
1 root, !...@#$%^&*()
1 q16060502141279, q16060502141279
1 pr99*35a!ra-ewruv...@ratuk, admin
1 n6a4t4u8oewiaw8i7hlaqlaki, root
1 admin, miemleh9esplawriuthiewias
1 admin, J34a47nu
1 zefrephaq5qanedufrethekuw, sadmin
1 zander, zechsmerquise88
1 root, zaxscd13524
1 zander, zechsmerquise88
1 yxwvutseqponmlkjihgfedcba, root
1 yuneneli, z11060510412854
1 yourdotw, ip46262
1 xgridagent, xgridcontroller
1 xj050i7bfa, root
1 wriaroethiespoeh3awriufletiu7tlu11u, kjetter
1 root, wolfiz0r@
1 admin, wolfiz0r@
1 root, wiu2ludrlamoatiutriu
1 ups650cl, lbjlive
1 root, unlocker
1 u33977059, ubuntu
1 u231006, u33977059
1 u208417, u231006
1 u207114, u208417
1 tyson, u207114

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/