by infinity 4813 days ago
I write all (futile) login attempts on my site to a log file. I can confirm this rise in password bruteforcing attempts during the last days.

This is what the brute-force passwords look like; these tried to log in as "admin":

  [Sat Apr 13 05:30:31 2013]   nevalidniipass 
  [Sat Apr 13 05:30:34 2013]   gfhjkm 
  [Sat Apr 13 05:30:37 2013]   gggggggg 
  [Sat Apr 13 05:30:39 2013]   ghbdtn 
  [Sat Apr 13 05:30:41 2013]   ghgftmn6 
  [Sat Apr 13 05:30:43 2013]   ghghgh 
  [Sat Apr 13 05:30:44 2013]   ghjkju 
  [Sat Apr 13 05:30:46 2013]   ghjrdjcn 
  [Sat Apr 13 05:30:48 2013]   gjkzyjxr 
  [Sat Apr 13 05:30:50 2013]   globax123 
  [Sat Apr 13 05:30:52 2013]   go0gle 
  [Sat Apr 13 05:30:54 2013]   go2fuck 
  [Sat Apr 13 05:30:55 2013]   gogogo 
  [Sat Apr 13 05:30:57 2013]   goldz 
  [Sat Apr 13 05:30:59 2013]   gthtw112 
  [Sat Apr 13 05:31:02 2013]   guest 
  [Sat Apr 13 05:31:05 2013]   h69s9t 
  [Sat Apr 13 05:31:07 2013]   hackett 
  [Sat Apr 13 05:31:08 2013]   hal9000 
  [Sat Apr 13 05:31:10 2013]   hazem200 
  [Sat Apr 13 05:31:12 2013]   heccrbqh 
  [Sat Apr 13 05:31:14 2013]   herbie 
  [Sat Apr 13 05:31:16 2013]   hghgh 
  [Sat Apr 13 05:31:18 2013]   hhhh1 
  [Sat Apr 13 05:31:20 2013]   hhhhhaaaaa 
  [Sat Apr 13 05:31:21 2013]   hockey 
  [Sat Apr 13 05:31:23 2013]   home555 
  [Sat Apr 13 05:31:25 2013]   honda 
  [Sat Apr 13 05:31:27 2013]   htrdbtv 
  [Sat Apr 13 05:31:29 2013]   http 
  [Sat Apr 13 05:31:31 2013]   hycvibck 
  [Sat Apr 13 05:31:33 2013]   i_am 
  [Sat Apr 13 05:31:35 2013]   ib6ub9 
  [Sat Apr 13 05:31:37 2013]   icing 
  [Sat Apr 13 05:31:38 2013]   icq123 
  [Sat Apr 13 05:31:40 2013]   icqpass 
  [Sat Apr 13 05:31:42 2013]   if6was9 
  [Sat Apr 13 05:31:44 2013]   ifhgtq79 
  [Sat Apr 13 05:31:46 2013]   ifyfif 
  [Sat Apr 13 05:31:48 2013]   iiiiiiii 
  [Sat Apr 13 05:31:50 2013]   ikaihsot 
  [Sat Apr 13 05:31:52 2013]   il0vey0u 
  [Sat Apr 13 05:31:54 2013]   iloveaol 
  [Sat Apr 13 05:31:56 2013]   iloveu 
  [Sat Apr 13 05:31:57 2013]   iloveyou 
  [Sat Apr 13 05:31:59 2013]   inferno 
  [Sat Apr 13 05:32:01 2013]   infinity 
  [Sat Apr 13 05:32:05 2013]   infree 
  [Sat Apr 13 05:32:08 2013]   iof314 
  [Sat Apr 13 05:32:11 2013]   jake4440 
  [Sat Apr 13 05:32:13 2013]   jamie1 
  [Sat Apr 13 05:32:15 2013]   janice 
  [Sat Apr 13 05:32:16 2013]   jay18birdman 
  [Sat Apr 13 05:32:18 2013]   jc5000 
  [Sat Apr 13 05:32:20 2013]   jeffery 
  [Sat Apr 13 05:32:22 2013]   john1 
  [Sat Apr 13 05:32:24 2013]   joomla 
  [Sat Apr 13 05:32:26 2013]   joshua 
  [Sat Apr 13 05:32:27 2013]   keys 
  [Sat Apr 13 05:32:29 2013]   kholmsk3 
  [Sat Apr 13 05:32:31 2013]   kir11421 
  [Sat Apr 13 05:32:33 2013]   kkkkkk 
  [Sat Apr 13 05:32:35 2013]   kngvhpg 
  [Sat Apr 13 05:32:37 2013]   ko#]|7sz 
  [Sat Apr 13 05:32:39 2013]   kxvq4k2d 
  [Sat Apr 13 05:32:41 2013]   laksmi 
  [Sat Apr 13 05:32:42 2013]   lefty 
  [Sat Apr 13 05:32:44 2013]   lex1977 
  [Sat Apr 13 05:32:46 2013]   linux 
  [Sat Apr 13 05:32:48 2013]   lol 
  [Sat Apr 13 05:32:50 2013]   lol777 
  [Sat Apr 13 05:32:52 2013]   lollol 
  [Sat Apr 13 05:32:54 2013]   lovelove 
  [Sat Apr 13 05:32:55 2013]   lucille2000 
  [Sat Apr 13 05:32:57 2013]   lyxasgje 
  [Sat Apr 13 05:32:59 2013]   m@$ter 
  [Sat Apr 13 05:33:02 2013]   m@ster 
  [Sat Apr 13 05:33:07 2013]   m1911a1 
  [Sat Apr 13 05:33:11 2013]   google 
  [Sat Apr 13 05:33:13 2013]   facebook 
  [Sat Apr 13 05:33:15 2013]   microsoft 
  [Sat Apr 13 05:33:17 2013]   obama 
  [Sat Apr 13 05:33:18 2013]   twitter 
  [Sat Apr 13 05:33:20 2013]   wp 
  [Sat Apr 13 05:33:22 2013]   wordpress 
  [Sat Apr 13 05:33:24 2013]   060890 
  [Sat Apr 13 05:33:26 2013]   060891 
  [Sat Apr 13 05:33:28 2013]   060893 
  [Sat Apr 13 05:33:30 2013]   060988 
  [Sat Apr 13 05:33:32 2013]   060989

They also try to get access as "administrator".

nitpick: that's a dictionary attack, not brute-force

Yes, of course you're right, my mistake. Mainly I wanted to share some information and give examples of passwords.

Here are some more observations which I made during the last months:

Most of the time it seems that the attackers are using a list of popular passwords; the same passwords appear over and over again: 12345, qwerty, 1q2w3e4r, and so on.

Most of the time they try to log in as "admin", "Admin", "administrator", "root" or the name of the domain or blog or a part of that name, for example omitting a ".com".

In the HTTP requests, the parameters "log" (for the user name) and "pwd" (for the password) are always transmitted, but the parameters "wp-submit=Log In" and "testcookie=1" are not always transmitted.

Many of these attacks do not transmit a user-agent field in the HTTP headers. Blocking the empty user-agent seems like a good idea to me.

These attacks look simple, but I guess that they are successful on a big number of sites.
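
Added example, not part of the thread: a small detector that turns the observations above (empty user-agent, missing "wp-submit"/"testcookie" fields, common admin user names, attempts every few seconds) into per-client indicators. The tab-separated log format, the sample lines, the thresholds and the function names are assumptions of this example; the indicators are heuristics, since the comment notes the form fields are only sometimes absent.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample: "time<TAB>client IP<TAB>User-Agent<TAB>POST body" per
# wp-login.php request. This log format is an assumption of this example.
SAMPLE_LOG = "\n".join([
    "2013-04-13T05:30:31\t203.0.113.7\t\tlog=admin&pwd=x1",
    "2013-04-13T05:30:34\t203.0.113.7\t\tlog=admin&pwd=x2",
    "2013-04-13T05:30:37\t203.0.113.7\t\tlog=Admin&pwd=x3",
    "2013-04-13T05:30:39\t203.0.113.7\t\tlog=administrator&pwd=x4",
    "2013-04-13T05:40:00\t198.51.100.20\tMozilla/5.0\t"
    "log=alice&pwd=x5&wp-submit=Log+In&testcookie=1",
    "2013-04-13T05:41:00\t198.51.100.33\tMozilla/5.0\tlog=root&pwd=x6",
])

COMMON_USERS = {"admin", "administrator", "root"}   # names from the thread
BROWSER_FIELDS = ("wp-submit", "testcookie")        # sent by the real form

def signals(user_agent, body):
    """Return the scripted-login indicators present in one request."""
    form = parse_qs(body, keep_blank_values=True)
    found = set()
    if not user_agent.strip():
        found.add("empty-user-agent")
    if any(f not in form for f in BROWSER_FIELDS):
        found.add("missing-form-fields")
    if form.get("log", [""])[0].lower() in COMMON_USERS:
        found.add("common-username")
    return found

def analyze(log_text, burst=3, window=timedelta(seconds=60)):
    """Map client IP -> indicators seen, plus 'burst' for rapid attempts."""
    times, report = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, ua, body = line.split("\t")
        times[ip].append(datetime.fromisoformat(ts))
        report[ip] |= signals(ua, body)
    for ip, seen in times.items():
        seen.sort()
        # any `burst` consecutive attempts that fit inside `window`
        if any(seen[i + burst - 1] - seen[i] <= window
               for i in range(len(seen) - burst + 1)):
            report[ip].add("burst")
    return {ip: sorted(found) for ip, found in report.items()}

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, found or "clean")
```

Combining indicators before blocking (for example, empty user-agent plus burst) keeps a single weak signal from locking out a legitimate client.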