Security Incidents mailing list archives

Re: ssh scans using username 'test' or 'oracle'?


From: Matt Zimmerman <mdz () csh rit edu>
Date: Thu, 2 May 2002 16:39:54 -0400

On Thu, May 02, 2002 at 11:55:09AM -0600, Will Aoki wrote:

> On Thu, May 02, 2002 at 11:14:01AM -0400, Matt Zimmerman wrote:
> > I have seen this twice now on two geographically, topologically and
> > administratively different systems.  The probe was slightly different, but
> > close enough to attract my attention.
> >
> > May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2
> > May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2
> >
> > May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338
> >
> > Has anyone else seen probes of this sort recently?

> Something like this was reported on the debian-security mailing list
> back in March, in:
>
> http://lists.debian.org/debian-security/2002/debian-security-200203/msg00216.html
>
> From the timestamps, it's probably automated, but from a Google search,
> I don't think that the tool responsible is in widespread use or
> distributed publicly. I don't have appropriate logs, but I'm guessing that
> it's trying empty passwords and/or 'test' and 'oracle' for users 'test'
> and 'oracle'.

Thanks for the pointer.  I have since learned that others have seen similar
activity matching both patterns ('test' and 'oracle' together, and 'test' by
itself).  There have been systems compromised, apparently by this tool, and
there may be a related tool which is only searching for already-compromised
systems.

> Your post reminded me of a similar incident I saw at another site,
> where someone tried (and failed) to guess passwords for users found
> with finger:

In these cases, the usernames tried were definitely hard-coded; in my case,
there were no other services besides ssh open, and there had never been any
such usernames anywhere at the sites involved.

-- 
 - mdz
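The log lines quoted in this thread are enough to write a small detector for the probe pattern being discussed: non-existent accounts named 'test' or 'oracle' tried from one source, often within the same second, which is the automation signature Will points to. The script below is an added example and is not code from the thread or from either poster. It parses the two sshd failure formats shown above, groups failures by source address, and reports only sources that tried an "illegal user" on the watchlist. The first three sample lines are the ones quoted in the thread; the fourth (a real account from a 192.0.2.0/24 documentation address) is constructed to show that ordinary failed logins are not flagged. Since syslog lines carry no year, 2002 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd failure formats quoted in the thread, e.g.
#   "Failed none for illegal user test from 211.4.205.72 port 46827 ssh2"
#   "Failed password for illegal user test from 202.8.228.198 port 4338"
# The "illegal user " prefix is optional so that failures for real accounts
# also parse; they are kept for context but never flagged.
SSHD_FAILED_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Account names the thread associates with the probe.
PROBE_USERS = frozenset({"test", "oracle"})

# Sample input: the three log lines quoted in the thread plus one constructed
# line (real account, RFC 5737 documentation address) that must not be flagged.
SAMPLE_LOG = [
    "May  1 14:08:15 box1 sshd[11762]: Failed none for illegal user test from 211.4.205.72 port 46827 ssh2",
    "May  1 14:08:15 box1 sshd[11763]: Failed none for illegal user oracle from 211.4.205.72 port 46828 ssh2",
    "May  1 23:04:37 box2 sshd[27428]: Failed password for illegal user test from 202.8.228.198 port 4338",
    "May  1 09:12:01 box1 sshd[11000]: Failed password for mdz from 192.0.2.5 port 40000 ssh2",  # constructed
]


def parse_failed_login(line, year=2002):
    """Parse one sshd failure line into a dict, or return None if it does not match.

    syslog lines carry no year, so the caller supplies it (2002 for this thread).
    """
    m = SSHD_FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "method": m["method"],          # "none" = client offered no authentication at all
        "illegal": bool(m["illegal"]),  # True when the account does not exist on the host
        "user": m["user"],
        "ip": m["ip"],
        "port": int(m["port"]),
    }


def find_probe_sources(lines, probe_users=PROBE_USERS, year=2002):
    """Return {source_ip: summary} for every source that tried a non-existent
    account named in probe_users.

    The summary lists the probed names, the hosts hit, the auth methods seen and
    the time span of the attempts; a span of 0 seconds means the attempts arrived
    together, which is the sign of automation discussed in the thread."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_failed_login(line, year)
        if ev and ev["illegal"] and ev["user"] in probe_users:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_ip.items():
        times = [e["ts"] for e in events]
        report[ip] = {
            "users": sorted({e["user"] for e in events}),
            "hosts": sorted({e["host"] for e in events}),
            "methods": sorted({e["method"] for e in events}),
            "attempts": len(events),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return report


if __name__ == "__main__":
    for ip, s in sorted(find_probe_sources(SAMPLE_LOG).items()):
        print(f"{ip}: users={s['users']} hosts={s['hosts']} methods={s['methods']} "
              f"attempts={s['attempts']} span={s['span_seconds']:.0f}s")
```

Run against the sample input, the report names 211.4.205.72 (both 'test' and 'oracle', method "none", two attempts in the same second) and 202.8.228.198 ('test' only, method "password"), and nothing for the constructed 192.0.2.5 line. Feeding it a real /var/log/auth.log would need the matching year and, on newer OpenSSH releases, an updated pattern, since the "illegal user" wording later became "invalid user".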

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com