ssh scans using username 'test' or 'oracle'?

From: Matt Zimmerman (mdzat_private)
Date: Thu May 02 2002 - 08:14:01 PDT

  • Next message: H C: "'rooted' NT/2K boxen?"

    I have seen this twice now on two geographically, topologically and
    administratively different systems.  The probe was slightly different, but
    close enough to attract my attention.
    May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from port 46827 ssh2
    May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from port 46828 ssh2
    May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from port 4338
    Has anyone else seen probes of this sort recently?
     - mdz
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 08:28:14 PDT