Re: ssh scans using username 'test' or 'oracle'?

From: Matt Zimmerman (mdzat_private)
Date: Thu May 02 2002 - 13:39:54 PDT


On Thu, May 02, 2002 at 11:55:09AM -0600, Will Aoki wrote:

> On Thu, May 02, 2002 at 11:14:01AM -0400, Matt Zimmerman wrote:
> > I have seen this twice now on two geographically, topologically and
> > administratively different systems.  The probe was slightly different, but
> > close enough to attract my attention.
> > 
> > May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from port 46827 ssh2
> > May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from port 46828 ssh2
> > 
> > May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from port 4338
> > 
> > Has anyone else seen probes of this sort recently?
> Something like this was reported on the debian-security mailing list
> back in March, in:
> From the timestamps, it's probably automated, but from a Google search,
> I don't think that the tool responsible is in widespread use or
> distributed publicly. I don't have appropriate logs, but I'm guessing that
> it's trying empty passwords and/or 'test' and 'oracle' for users 'test'
> and 'oracle'.

Thanks for the pointer.  I have since learned that others have seen similar
activity matching both patterns ('test' and 'oracle' together, and 'test' by
itself).  There have been systems compromised, apparently by this tool, and
there may be a related tool which is only searching for already-compromised

> Your post reminded me of a similar incident I saw at another site,
> where someone tried (and failed) to guess passwords for users found
> with finger:

In these cases, the usernames tried were definitely hard-coded; in my case,
there were no other services besides ssh open, and there had never been any
such usernames anywhere at the sites involved.

 - mdz
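As an added example (not part of the thread or of any tool the posters mention), the following Python script turns the pattern described above into a small log check: it parses OpenSSH "Failed ... for illegal user ..." lines in both shapes quoted in the thread (the "Failed none ... ssh2" form and the "Failed password ..." form without a suffix), keeps only attempts against the hard-coded names 'test' and 'oracle', and groups them by target host and source address so that a burst of such attempts from one source stands out. The sample log lines are constructed for this example and use documentation-range addresses (192.0.2.0/24, 198.51.100.0/24) in place of the addresses stripped from the quoted logs; the year 2002 is an assumption, since syslog timestamps carry none, and the one-minute grouping window is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth-failure line for a non-existent account. The source address is
# optional because the log lines quoted in the thread had it removed, and the
# trailing " ssh2" is optional because only some of those lines carried it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed (?P<method>\S+) for illegal user (?P<user>\S+) from "
    r"(?:(?P<src>\d{1,3}(?:\.\d{1,3}){3}) )?port (?P<port>\d+)(?: ssh2)?$"
)

# The two hard-coded usernames reported in the thread.
PROBE_USERS = {"test", "oracle"}

# Constructed sample log (not from the original post); addresses are from
# the documentation ranges and stand in for the stripped real ones.
SAMPLE_LOG = """\
May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 192.0.2.10 port 46827 ssh2
May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 192.0.2.10 port 46828 ssh2
May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 192.0.2.77 port 4338
May  2 03:15:01 box2 sshd[27901]: Failed password for illegal user guest from 198.51.100.5 port 1022
May  2 03:16:44 box2 sshd[27944]: Accepted publickey for alice from 198.51.100.9 port 51000 ssh2
""".splitlines()


def parse_line(line, year=2002):
    """Return a dict for an illegal-user failure line, or None for anything else.

    `year` is an assumption: syslog timestamps do not include one.
    """
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "user": m["user"],
        "method": m["method"],      # "none" = no credential offered, "password" = a guess
        "src": m["src"] or "unknown",
        "port": int(m["port"]),
    }


def find_probes(lines, window_seconds=60):
    """Group illegal-user failures for PROBE_USERS by (host, source).

    A group is reported when all of its attempts fall inside `window_seconds`,
    which is what a scripted probe trying a fixed name list looks like.
    """
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["user"] in PROBE_USERS:
            groups[(ev["host"], ev["src"])].append(ev)

    hits = []
    for (host, src), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if span <= window_seconds:
            hits.append({
                "host": host,
                "src": src,
                "users": sorted({e["user"] for e in evs}),
                "span_seconds": span,
            })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['host']}: {hit['src']} tried {', '.join(hit['users'])} "
              f"within {hit['span_seconds']:.0f}s")
```

Feeding real `auth.log` lines in place of `SAMPLE_LOG` is the intended use; the `method` field is kept so that a reviewer can tell the "Failed none" no-credential probes seen on box1 apart from the password guess seen on box2.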
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
