Security Incidents mailing list archives
Re: ssh scans using username 'test' or 'oracle'?
From: Matt Zimmerman <mdz () csh rit edu>
Date: Thu, 2 May 2002 16:39:54 -0400
On Thu, May 02, 2002 at 11:55:09AM -0600, Will Aoki wrote:
> On Thu, May 02, 2002 at 11:14:01AM -0400, Matt Zimmerman wrote:
> 
> > I have seen this twice now on two geographically, topologically and
> > administratively different systems. The probe was slightly different, but
> > close enough to attract my attention.
> > 
> > May 1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
> > May 1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
> > May 1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
> > 
> > Has anyone else seen probes of this sort recently?
> 
> Something like this was reported on the debian-security mailing list back in
> March, in:
> http://lists.debian.org/debian-security/2002/debian-security-200203/msg00216.html
> 
> From the timestamps, it's probably automated, but from a Google search, I
> don't think that the tool responsible is in widespread use or distributed
> publicly. I don't have appropriate logs, but I'm guessing that it's trying
> empty passwords and/or 'test' and 'oracle' for users 'test' and 'oracle'.
Thanks for the pointer. I have since learned that others have seen similar activity matching both patterns ('test' and 'oracle' together, and 'test' by itself). There have been systems compromised, apparently by this tool, and there may be a related tool which is only searching for already-compromised systems.
Your post reminded me of a similar incident I saw at another site, where someone tried (and failed) to guess passwords for users found with finger:
In these cases, the usernames tried were definitely hard-coded; in my case, there were no other services besides ssh open, and there had never been any such usernames anywhere at the sites involved.

-- 
- mdz

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
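As an added illustration for readers of this thread (this code is not from either poster), the following detector reads sshd log lines in the format quoted above and groups "illegal user" failures by reporting host and source address, flagging the signature the thread describes: attempts against the hard-coded accounts 'test' and 'oracle', and in particular both of them from one source within a few seconds. The sample log embeds the three lines quoted in the thread plus one constructed line for a mistyped account name, to show that an ordinary non-existent username is not reported. The regex, the window length and the PROBE_USERS set are assumptions chosen for this example. Note that "Failed none" in the quoted lines means the client offered the SSH "none" authentication method, which is consistent with Will's guess that the tool tries empty passwords.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd failures quoted in the thread (OpenSSH 3.x wording; newer
# releases say "invalid user" instead of "illegal user"). The trailing protocol
# tag ("ssh2") is optional because one of the quoted lines lacks it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:illegal|invalid) user (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Accounts the thread reports the scanner trying; they never existed on the
# probed hosts, so any attempt against them is worth a look.
PROBE_USERS = {"test", "oracle"}

# Sample input: the three lines quoted in the thread, plus one constructed
# line (192.0.2.10, user "bobb") standing in for an ordinary typo.
SAMPLE_LOG = [
    "May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2",
    "May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2",
    "May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338",
    "May  1 23:05:02 box2 sshd[27431]: Failed password for illegal user bobb from 192.0.2.10 port 51000 ssh2",
]


def parse(line, year=2002):
    """Parse one sshd failure line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies it (assumed 2002 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def find_probes(lines, window_seconds=10, year=2002):
    """Return one finding per (host, source) whose failures hit any of PROBE_USERS.
    'paired' is True when both probe accounts were tried from the same source
    within window_seconds, the two-account signature described in the thread."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse(line, year)
        if rec and rec["user"] in PROBE_USERS:
            by_pair[(rec["host"], rec["src"])].append(rec)

    findings = []
    for (host, src), recs in sorted(by_pair.items()):
        recs.sort(key=lambda r: r["ts"])
        users = {r["user"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        findings.append({
            "host": host,
            "src": src,
            "users": sorted(users),
            "methods": sorted({r["method"] for r in recs}),
            "paired": PROBE_USERS <= users and span <= window_seconds,
        })
    return findings


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        tag = "PAIRED test/oracle probe" if f["paired"] else "probe account tried"
        print(f"{f['host']}: {f['src']} tried {f['users']} via {f['methods']} -> {tag}")
```

Run over SAMPLE_LOG this reports two findings: 211.4.205.72 against box1 as the paired 'test'/'oracle' signature, and 202.8.228.198 against box2 for 'test' alone; the constructed "bobb" line is parsed but not reported. To use it on a real host, feed it the sshd lines from /var/log/auth.log (or wherever syslog writes the auth facility) and widen PROBE_USERS as new hard-coded account names are observed.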