Re: ssh scans using username 'test' or 'oracle'?

From: Matt Zimmerman (mdzat_private)
Date: Thu May 02 2002 - 13:39:54 PDT


    On Thu, May 02, 2002 at 11:55:09AM -0600, Will Aoki wrote:
    
    > On Thu, May 02, 2002 at 11:14:01AM -0400, Matt Zimmerman wrote:
    > > I have seen this twice now on two geographically, topologically and
    > > administratively different systems.  The probe was slightly different, but
    > > close enough to attract my attention.
    > > 
    > > May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
    > > May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
    > > 
    > > May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
    > > 
    > > Has anyone else seen probes of this sort recently?
    > 
    > Something like this was reported on the debian-security mailing list
    > back in March, in:
    > 
    > http://lists.debian.org/debian-security/2002/debian-security-200203/msg00216.html
    > 
    > From the timestamps, it's probably automated, but from a Google search,
    > I don't think that the tool responsible is in widespread use or
    > distributed publicly. I don't have appropriate logs, but I'm guessing that
    > it's trying empty passwords and/or 'test' and 'oracle' for users 'test'
    > and 'oracle'.
    
    Thanks for the pointer.  I have since learned that others have seen similar
    activity matching both patterns ('test' and 'oracle' together, and 'test' by
    itself).  There have been systems compromised, apparently by this tool, and
    there may be a related tool which is only searching for already-compromised
    systems.
    
    > Your post reminded me of a similar incident I saw at another site,
    > where someone tried (and failed) to guess passwords for users found
    > with finger:
    
    In these cases, the usernames tried were definitely hard-coded; in my case,
    there were no other services besides ssh open, and there had never been any
    such usernames anywhere at the sites involved.
    
    -- 
     - mdz
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
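The sshd lines quoted above are the whole signal the thread has to go on: a failed login for a username that never existed on the host, with 'test' and 'oracle' arriving from one source within the same second on consecutive client ports. As an added example, not code from the original post or from the list, here is a small Python detector that parses sshd "Failed ... for ..." lines in that syslog format, keeps only the illegal-user failures, groups them by source address, and tags each source according to the two patterns the thread describes ('test' together with 'oracle', or 'test' alone). The sample lines, hostnames, PIDs and addresses are constructed (addresses from the RFC 5737 documentation ranges); the 60-second pairing window and the year 2002 used to complete the year-less syslog timestamps are assumptions.

```python
"""Flag sshd failed-login probes against hard-coded usernames such as 'test' and 'oracle'."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the syslog format OpenSSH 3.x used (the shape
# of the lines quoted in the post). Hosts, PIDs and addresses are made up.
SAMPLE_LOG = """\
May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 203.0.113.7 port 46827 ssh2
May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 203.0.113.7 port 46828 ssh2
May  1 14:09:02 box1 sshd[11790]: Accepted publickey for mdz from 192.0.2.10 port 51000 ssh2
May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 198.51.100.23 port 4338
May  1 23:04:39 box2 sshd[27429]: Failed password for illegal user test from 198.51.100.23 port 4339
May  2 08:15:40 box2 sshd[27510]: Failed password for mdz from 192.0.2.10 port 51001 ssh2
May  2 09:30:01 box2 sshd[27611]: Failed password for illegal user webmaster from 192.0.2.77 port 3022 ssh2
"""

# Matches "Failed <method> for [illegal user ]<user> from <ip> port <port>";
# a trailing " ssh2" is optional since the older protocol-1 lines lack it.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failures(log_text, year=2002):
    """Return one dict per 'Failed ... for ...' line; other lines are ignored.

    syslog timestamps carry no year, so the caller supplies one (2002 is an
    assumption matching the post). Timestamps are parsed so bursts can be windowed.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts,
            "host": m["host"],
            "method": m["method"],      # auth method the client offered, as sshd logged it
            "user": m["user"],
            "illegal": m["illegal"] is not None,  # username does not exist on the host
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def _paired_within(evs, window_seconds):
    """True if some 'test' attempt and some 'oracle' attempt fall within the window."""
    test_times = [e["time"] for e in evs if e["user"] == "test"]
    oracle_times = [e["time"] for e in evs if e["user"] == "oracle"]
    return any(abs((t - o).total_seconds()) <= window_seconds
               for t in test_times for o in oracle_times)


def classify_sources(events, window_seconds=60):
    """Group illegal-user failures by source address and tag each source.

    Tags: 'test+oracle' when both names were tried within window_seconds of each
    other, 'test-only' when 'test' was the only illegal username tried, and
    'other' for any other set of nonexistent usernames. Failures for accounts
    that do exist are left out: the names being absent from the host is what
    makes them diagnostic of a hard-coded probe rather than a guess at a real user.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["illegal"]:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        users = {e["user"] for e in evs}
        if {"test", "oracle"} <= users and _paired_within(evs, window_seconds):
            tag = "test+oracle"
        elif users == {"test"}:
            tag = "test-only"
        else:
            tag = "other"
        report[ip] = {
            "tag": tag,
            "users": sorted(users),
            "attempts": len(evs),
            "methods": sorted({e["method"] for e in evs}),
            "hosts": sorted({e["host"] for e in evs}),
            "span_seconds": (evs[-1]["time"] - evs[0]["time"]).total_seconds(),
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(classify_sources(parse_failures(SAMPLE_LOG)).items()):
        print(f"{ip:16} {info['tag']:12} users={info['users']} "
              f"attempts={info['attempts']} methods={info['methods']} hosts={info['hosts']}")
```

Run it against a concatenation of auth logs from several hosts and the 'hosts' field shows the same source hitting more than one machine, which is the cross-site correlation the thread is doing by hand. The 'methods' field is kept only as recorded by sshd; the example makes no claim about what a "Failed none" line implies beyond the method name the client offered.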
    