[nsp-sec] Strange usernames in SSH scan ?

Carles Fragoso cfragoso at cesicat.cat
Tue Sep 20 07:24:43 EDT 2011


BTW, after Hola123 you can see Espaa which probably means "España" (Spain).

-- Carlos

On Sep 19, 2011, at 8:10 PM, Smith, Donald wrote:

> ----------- nsp-security Confidential --------
> 
> If you google for the 2nd username, it was reported by others; one of those had Hola123, which I think is what that username is "sort of" supposed to be.
> 
> 
> 
> Ignorance is Bliss. "Bliss (Basic Language for Implementation of System Software) was a
> systems programming language originally for the PDP-10 and DECsystem-20 written at CMU." Kevin Oberman RTD
> Donald.Smith at CenturyLink.com
> 
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Jose Nazario
>> Sent: Monday, September 19, 2011 11:58 AM
>> To: Kurt Jaeger
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] Strange usernames in SSH scan ?
>> 
>> someone confuse their password file and username file?
>> 
>> On Mon, 19 Sep 2011, Kurt Jaeger wrote:
>> 
>>> Hi!
>>> 
>>> Recently, we found strange usernames in SSH scans.
>>> 
>>> sshd[23410]: Invalid user @n!md at mP#$@&#3141$&#@!#mTadm!n$@ from 60.191.41.97
>>> sshd[23420]: Invalid user HOla%201%2B2%3D3%20Espa%00a%20%00 from 60.191.41.97
>>> 
>>> Is there a reason for those usernames (syslog exploits ?) ?
>>> 
>>> 
>> 
>> --
>> -------------------------------------------------------------
>> jose nazario, ph.d.           <jose at arbor.net>
>> manager of security research  arbor networks
>> v: (734) 821 1427             http://asert.arbor.net/
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
> 
> _______________________________________________
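
Added example, not part of the original thread: a small triage pass over sshd "Invalid user" lines that percent-decodes the logged username and flags names that cannot be ordinary logins. It assumes syslog lines in the form quoted above; the function name `analyse` and the flag labels are hypothetical, and the sample input is the two quoted log lines with the mail wrap undone.

```python
import re
from urllib.parse import unquote_to_bytes

# The two log lines quoted in the thread, with the e-mail line wrap undone.
SAMPLE_LOG = [
    "sshd[23410]: Invalid user @n!md at mP#$@&#3141$&#@!#mTadm!n$@ from 60.191.41.97",
    "sshd[23420]: Invalid user HOla%201%2B2%3D3%20Espa%00a%20%00 from 60.191.41.97",
]

# Greedy match up to the last " from ", because the username may contain spaces.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<src>\S+)$")
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Conservative shape of an ordinary Unix login name (assumption for this example).
PLAIN_LOGIN = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}\$?$")


def analyse(line):
    """Return source, raw and decoded username, and flags; None if no match."""
    m = INVALID_USER.search(line)
    if m is None:
        return None
    user = m.group("user")
    decoded = unquote_to_bytes(user)  # leaves text without %XX escapes unchanged
    flags = []
    if PERCENT_ESCAPE.search(user):
        flags.append("percent-encoded")
    if any(b < 0x20 or b == 0x7F for b in decoded):
        flags.append("control-bytes")  # e.g. the %00 (NUL) escapes
    if not PLAIN_LOGIN.match(user):
        flags.append("not-a-login-name")
    return {"src": m.group("src"), "user": user, "decoded": decoded, "flags": flags}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = analyse(line)
        print(result["src"], result["flags"], result["decoded"])
```
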




