A recent article on SecurityFocus analyses the patterns in recent SSH login attacks.
Most of the results of this analysis were fairly unsuprising to anyone who runs a public-facing SSH server.
root and various other system-level accounts are prime targets for attack, despite the fact that any competent sysadmin will have disabled remote logins for these accounts. I personally have seen repeated attacks looking for account names like
The analaysis of passwords used is also not suprising, with simple strings of numbers ("123456" or "11111") or letters ("password" or "admin") being common. I remember one NT system …