From Christian Seifert’s “Analyzing malicious SSH login attempts” (SecurityFocus: 11 September 2006):
First, we analyzed the login names that were used on the login attempts. During the sample period, there were 2741 unique account names ranging from common first names, system account names, and common accounts to short alphabetical strings captured by the system logger. Of those, the 15 account names used most often are shown in Table 1. This table shows accounts that usually exist on a system (root, mysql), accounts that are likely to exist on a system (guest, test), as well as common first names (paul). Then Figure 1 shows the distribution of valid and invalid account names that were used.
Account Name Number of login attempts root 1049 admin 97 test 87 guest 40 mysql 31 info 30 oracle 27 postgres 27 testing 27 webmaster 27 paul 25 web 24 user 23 tester 22 pgsql 21 Table 1. Top 15 account names among 2741 attempts.
Next, we looked at the passwords used in the login attempts. The attackers tried a range of passwords with most of the account names. In total during our analysis, they attempted to access 2741 different accounts and used 3649 different passwords. Not all passwords were used with all accounts. The passwords ranged from account names, account names with number sequences, number sequences, and keyboard sequences (like ‘qwerty’). There were a few more complex passwords used with seemingly random letter and number sequences or common substitution passwords (like r00t or c@t@lin).
Table 2 shows the top 15 passwords used in malicious login attempts.
Password Number of login attempts 123456 331 Password 106 Admin 47 Test 46 111111 36 12345 34 administrator 28 Linux 23 Root 22 test123 22 1234 21 123 20 Mysql 19 Apache 18 Master 18 Table 2. Top 15 passwords attempted.