ssh scans using username 'test' or 'oracle'?

From: Matt Zimmerman (mdzat_private)
Date: Thu May 02 2002 - 08:14:01 PDT


    I have seen this twice now on two geographically, topologically and
    administratively different systems.  The probe was slightly different, but
    close enough to attract my attention.
    
    May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
    May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
    
    May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
    
    Has anyone else seen probes of this sort recently?
    
    -- 
     - mdz
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
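An added example, not part of the original post: a small Python parser for the sshd failure lines quoted above. It groups "illegal user" attempts by source address and reports usernames tried against more than one host. The function names are hypothetical, and the fourth sample line (from 192.0.2.10) is constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the OpenSSH "illegal user" failure format quoted in the post. The
# trailing protocol tag ("ssh2") is optional because the box2 line lacks it.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for illegal user (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)(?: (?P<proto>\S+))?$"
)

# The first three lines are quoted from the post. The last one is constructed:
# a failure for an account that exists, which the parser must not count.
SAMPLE = [
    "May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2",
    "May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2",
    "May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338",
    "May  1 23:10:02 box2 sshd[27501]: Failed password for root from 192.0.2.10 port 50022 ssh2",
]

def parse_line(line):
    """Return the fields of an 'illegal user' failure line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def by_source(lines):
    """Map source address -> usernames, hosts and auth methods seen."""
    out = defaultdict(lambda: {"users": set(), "hosts": set(), "methods": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = out[rec["src"]]
        entry["users"].add(rec["user"])
        entry["hosts"].add(rec["host"])
        entry["methods"].add(rec["method"])
    return dict(out)

def shared_usernames(lines):
    """Usernames probed on more than one host, the pattern the post describes."""
    hosts = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        hosts[rec["user"]].add(rec["host"])
    return {user: seen for user, seen in hosts.items() if len(seen) > 1}

if __name__ == "__main__":
    for src, info in sorted(by_source(SAMPLE).items()):
        print(src, sorted(info["users"]), sorted(info["hosts"]), sorted(info["methods"]))
    for user, seen in shared_usernames(SAMPLE).items():
        print("tried on several hosts:", user, sorted(seen))
```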
    


