Security Incidents mailing list archives

ssh scans using username 'test' or 'oracle'?

From: Matt Zimmerman <mdz () csh rit edu>
Date: Thu, 2 May 2002 11:14:01 -0400

I have seen this twice now on two geographically, topologically and
administratively different systems.  The probe was slightly different, but
close enough to attract my attention.

May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2

May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338

Has anyone else seen probes of this sort recently?

-- 
 - mdz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

ssh scans using username 'test' or 'oracle'? Matt Zimmerman (May 02)
- Re: ssh scans using username 'test' or 'oracle'? Will Aoki (May 02)
  - Re: ssh scans using username 'test' or 'oracle'? Matt Zimmerman (May 02)