I've had my WordPress honey pot, which contains a WSO honey pot, save all WSO login attempts for some years.
I've also saved some of the log files my WSO honey pot creates. These can contain passwords or login cookies.
This contains my aggregation of all the WSO passwords I can find in my data. I know this isn't all the common WSO passwords.
- timestamp, address, URL, password for all WSO passwords.
- MD5 hash of password, password. WSO instances use MD5 hash to compare offered to installed passwords.
- Top 20 WSO passwords in decreasing order of number of appearances, "root" most used.
I include the MD5 hash of passwords so that if someone else should happen to google for a password hash, possibly a search engine will show them. Not all of the hashes have a reverse on the web right now.
Remember that WSO instances typically use a cookie with the name md5($_SERVER['HTTP_HOST']) and a value of the MD5 hash of the password to indicate "already logged in".
A decent proportion of WSO accesses initially arrive with such a cookie pre-set.
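The cookie check described above can be run over honeypot request logs to flag accesses that arrive with the login cookie pre-set. This is an added example, not code from the honeypot itself; the function names, the host name and the sample requests are constructed for illustration.

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_cookies(header):
    """Split a raw Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def wso_preset_login(host, cookie_header, seen_passwords):
    """Return (hash, password or None) when the request already carries the
    WSO login cookie for this Host header, else None.

    The cookie name is md5 of the Host header exactly as the client sent it,
    because WSO derives it from $_SERVER['HTTP_HOST'].
    """
    value = parse_cookies(cookie_header).get(md5_hex(host))
    if value is None:
        return None
    value = value.lower()
    by_hash = {md5_hex(p): p for p in seen_passwords}
    # A hash with no match is still worth logging: it is a password
    # the honeypot has not seen in clear text yet.
    return value, by_hash.get(value)

# Constructed sample data (assumptions, not real log lines).
SEEN = ["root", "icq-661140760-wso-sell"]
HOST = "honeypot.example"
REQUESTS = [
    (HOST, f"{md5_hex(HOST)}={md5_hex('root')}; PHPSESSID=abc123"),  # known password
    (HOST, f"{md5_hex(HOST)}={'0' * 32}"),                           # unknown hash
    (HOST, "PHPSESSID=abc123"),                                      # no WSO cookie
    (HOST, f"{md5_hex('other.example')}={md5_hex('root')}"),         # cookie for another host
]

def classify(requests=REQUESTS, seen=SEEN):
    return [wso_preset_login(h, c, seen) for h, c in requests]

if __name__ == "__main__":
    for (host, cookie), result in zip(REQUESTS, classify()):
        print(host, "->", result)
```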
A few surprise passwords show up:
- icq-661140760-wso-sell
- 661140760-wso/admin-sell
- 274113-wso-sell
It looks like maybe people with ICQ IDs of 661140760 and 274113 collect and sell WSO instances. This paste lists a number of such WSO instances from 2017.