Security Incidents mailing list archives

sshd: PAM pam_set_item: NULL pam handle passed


From: Matt Zimmerman <mdz () csh rit edu>
Date: Thu, 7 Mar 2002 22:29:32 -0500

I got these just now, from OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8.  There is no
user smw on my system, and there never has been.  It doesn't look like there
was a compromise.  Otherwise, it looks like someone connecting to the wrong
IP address, but I have not seen this PAM error before.  Has anyone else seen
this kind of activity?

I am aware of the recent OpenSSH advisory (1:3.0.2p1-8 includes the patch),
but this doesn't appear to be related, as the activity is before the
(failed) authentication.

Mar  7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
Mar  7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
Mar  7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
Mar  7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
Mar  7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
Mar  7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
Mar  7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
Mar  7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
Mar  7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51

-- 
 - mdz
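
An added example, not part of the original post: a small Python correlator that groups the sshd lines quoted above by PID and reports, per source address, how many failed attempts were logged, which usernames were tried, and how many of those connections logged the PAM NULL-handle message before the authentication failure. The function names and the regular expressions are assumptions written for this log format; the log lines are copied from the post.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (syslog format, no year field).
SAMPLE = """\
Mar  7 21:50:22 mizar sshd[15396]: PAM pam_set_item: NULL pam handle passed
Mar  7 21:50:22 mizar sshd[15396]: Failed rsa for illegal user smw from 132.205.121.51 port 64707
Mar  7 21:50:22 mizar sshd[15396]: Connection closed by 132.205.121.51
Mar  7 21:50:41 mizar sshd[15397]: PAM pam_set_item: NULL pam handle passed
Mar  7 21:50:41 mizar sshd[15397]: Failed rsa for illegal user smw from 132.205.121.51 port 64709
Mar  7 21:50:41 mizar sshd[15397]: Connection closed by 132.205.121.51
Mar  7 21:52:57 mizar sshd[15399]: PAM pam_set_item: NULL pam handle passed
Mar  7 21:52:57 mizar sshd[15399]: Failed rsa for illegal user smw from 132.205.121.51 port 64711
Mar  7 21:53:10 mizar sshd[15399]: Connection closed by 132.205.121.51
"""
# Assumed patterns for this sshd version's messages, derived from the lines above.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?P<illegal>illegal user )?"
                    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
PAM_NULL = "PAM pam_set_item: NULL pam handle passed"

def correlate(text):
    """Group sshd lines by PID (one PID per connection) and summarise each."""
    sessions = defaultdict(
        lambda: {"pam_null_before_auth": False, "failures": [], "closed": None})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line in the expected format
        stamp, _host, pid, msg = m.groups()
        s, f = sessions[pid], FAILED.match(msg)
        if msg == PAM_NULL and not s["failures"]:
            s["pam_null_before_auth"] = True  # error seen before any auth result
        elif f:
            s["failures"].append(f.groupdict())
        elif msg.startswith("Connection closed by "):
            s["closed"] = stamp
    return dict(sessions)

def summarise(sessions):
    """Per source address: attempts, usernames tried, PAM-error connections."""
    out = defaultdict(lambda: {"attempts": 0, "users": set(), "pam_null": 0})
    for s in sessions.values():
        for f in s["failures"]:
            o = out[f["src"]]
            o["attempts"] += 1
            o["users"].add(f["user"])
            o["pam_null"] += s["pam_null_before_auth"]
    return dict(out)

if __name__ == "__main__":
    for src, o in summarise(correlate(SAMPLE)).items():
        print(src, o["attempts"], sorted(o["users"]), o["pam_null"])
```
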
