Security Incidents mailing list archives

Re: ssh scans using username 'test' or 'oracle'?


From: Will Aoki <waoki () umnh utah edu>
Date: Thu, 2 May 2002 11:55:09 -0600

On Thu, May 02, 2002 at 11:14:01AM -0400, Matt Zimmerman wrote:
> I have seen this twice now on two geographically, topologically and
> administratively different systems.  The probe was slightly different, but
> close enough to attract my attention.
> 
> May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
> May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
> 
> May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
> 
> Has anyone else seen probes of this sort recently?

Something like this was reported on the debian-security mailing list
back in March, in:

http://lists.debian.org/debian-security/2002/debian-security-200203/msg00216.html

From the timestamps, it's probably automated, but from a Google search,
I don't think that the tool responsible is in widespread use or
distributed publicly. I don't have appropriate logs, but I'm guessing
that it's trying empty passwords and/or 'test' and 'oracle' for users
'test' and 'oracle'.


Your post reminded me of a similar incident I saw at another site,
where someone tried (and failed) to guess passwords for users found
with finger:

Jan 26 14:30:42 hydrogen in.fingerd[6450]: connect from 207.249.144.205
Jan 26 14:30:42 hydrogen in.fingerd[6451]: connect from 207.249.144.205
Jan 26 14:32:47 hydrogen in.fingerd[6452]: connect from 148.221.70.70
Jan 26 14:33:03 hydrogen in.fingerd[6453]: connect from 148.221.70.70
Jan 26 14:34:13 hydrogen sshd[6454]: Connection from 148.221.70.70 port 1069
Jan 26 14:34:32 hydrogen PAM_pwdb[6454]: authentication failure; (uid=0) -> waoki for sshd service
Jan 26 14:34:33 hydrogen sshd[6454]: Failed password for waoki from 148.221.70.70 port 1069
Jan 26 14:34:44 hydrogen last message repeated 2 times
Jan 26 14:35:43 hydrogen sshd[6454]: fatal: Read from socket failed: Connection reset by peer
Jan 26 14:35:43 hydrogen PAM_pwdb[6454]: (sshd) session closed for user waoki
Jan 26 14:35:43 hydrogen PAM_pwdb[6454]: 2 more authentication failures; (uid=0) -> waoki for sshd service
Jan 26 14:38:05 hydrogen in.fingerd[6455]: connect from 148.221.70.70
Jan 26 14:38:22 hydrogen sshd[6456]: Connection from 148.221.70.70 port 1079
Jan 26 14:38:36 hydrogen PAM_pwdb[6456]: authentication failure; (uid=0) -> waoki for sshd service
Jan 26 14:38:37 hydrogen sshd[6456]: Failed password for waoki from 148.221.70.70 port 1079
Jan 26 14:38:40 hydrogen sshd[6456]: fatal: Read from socket failed: Connection reset by peer
Jan 26 14:38:40 hydrogen PAM_pwdb[6456]: (sshd) session closed for user waoki

which looks like it could have been done by hand, or could be an updated
version of the old finger + telnet password brute-force scripts.

-- 
William Aoki     waoki () umnh utah edu       /"\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92              \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B               X
                                           / \
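The two patterns discussed in this thread (failed sshd logins for nonexistent 'test'/'oracle' accounts, and a finger lookup followed by ssh password failures from the same address) can be pulled out of syslog mechanically. The following is an added example, not code from either poster; the sample lines are constructed in the style of the excerpts above, the probe username list and the 10-minute correlation window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the thread's syslog excerpts (not the posters' own logs).
SAMPLE_LOG = """\
May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
Jan 26 14:30:42 hydrogen in.fingerd[6450]: connect from 148.221.70.70
Jan 26 14:34:33 hydrogen sshd[6454]: Failed password for waoki from 148.221.70.70 port 1069
Jan 26 14:34:35 hydrogen sshd[6454]: Failed password for waoki from 148.221.70.70 port 1069
Jan 26 15:10:00 hydrogen sshd[7000]: Failed password for waoki from 10.0.0.5 port 2222
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)$")
# OpenSSH 3.x wording: "Failed <method> for [illegal user ]<name> from <ip> port <n>"
SSH_FAIL = re.compile(r"Failed (\S+) for (illegal user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
FINGER = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)")

def parse_time(stamp):
    # syslog stamps carry no year; a fixed one is enough for ordering within a file
    return datetime.strptime("2002 " + stamp, "%Y %b %d %H:%M:%S")

def analyse(log, probe_users=("test", "oracle"), window_s=600):
    """Return (probe_ips, finger_then_ssh).

    probe_ips: ip -> sorted probe usernames tried against accounts sshd reports as illegal.
    finger_then_ssh: ips that hit fingerd and then failed ssh auth within window_s seconds.
    """
    finger_seen = defaultdict(list)   # ip -> times of fingerd connects
    probe_ips = defaultdict(set)
    finger_then_ssh = set()
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        when, _host, daemon, msg = m.groups()
        t = parse_time(when)
        if daemon == "in.fingerd":
            f = FINGER.search(msg)
            if f:
                finger_seen[f.group(1)].append(t)
        elif daemon == "sshd":
            s = SSH_FAIL.search(msg)
            if not s:
                continue
            _method, illegal, user, ip = s.groups()
            if illegal and user in probe_users:
                probe_ips[ip].add(user)
            if any(0 <= (t - ft).total_seconds() <= window_s for ft in finger_seen[ip]):
                finger_then_ssh.add(ip)
    return {ip: sorted(u) for ip, u in probe_ips.items()}, finger_then_ssh
```

Running `analyse(SAMPLE_LOG)` reports 211.4.205.72 as a 'test'/'oracle' prober and 148.221.70.70 as a finger-then-ssh source, while the lone failure from 10.0.0.5 is not flagged by either rule.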

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
