
Strange SSHD login user name


DoN. Nichols

Oct 16, 2012, 1:20:27 PM
Has anyone else seen SSHD login attempts with a username of "____" ?

I've seen nine of them so far, starting back around 2012-05-13.

Is there any unix system which even would accept that as a
username? (I've not tried to create one on my systems, so I don't
know.)

I presume that if it is possible it is most likely installed by
a rootkit, not by a real administrator anywhere. (And if not possible,
what other OSes would allow such a username?)

Thanks,
DoN.


--
Remove oil spill source from e-mail
Email: <BPdnic...@d-and-d.com> | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---

Doug McIntyre

Oct 16, 2012, 2:43:25 PM
"DoN. Nichols" <BPdnic...@d-and-d.com> writes:
> Has anyone else seen SSHD login attempts with a username of "____" ?

No, but then again I filter sshd off from the general internet as well.
It is probably being scanned because there were successful hits using it.

> Is there any unix system which even would accept that as a
> username? (I've not tried to create one on my systems, so I don't
> know.)

Probably all of them.

The Solaris docs say that _ is an acceptable value in a login name; although
it should start with an alpha, not doing so only produces a warning.

DoN. Nichols

Oct 16, 2012, 9:23:18 PM
On 2012-10-16, Doug McIntyre <mer...@geeks.org> wrote:
> "DoN. Nichols" <BPdnic...@d-and-d.com> writes:
>> Has anyone else seen SSHD login attempts with a username of "____" ?
>
> No, but then again I filter sshd off from the general internet as well.
> It is probably being scanned because there were successful hits using it.

I would have it blocked off too -- except that I need to allow a
*certain* amount of access to a couple of other people to one or two
systems. Needless to say, I test the passwords from time to time. :-)

If it has worked, it probably was because a rootkit installed
it. I've read that another which I see tried from time to time --
"fluffy" -- was a rootkit installation.

I usually see it tried only along with "root" -- and
occasionally "toor" -- not with the gazillions of usernames tried. The
attacks which start out "aa", "ab", "ac" ... are sort of reassuring, in
that I would never use that short a username, so they can waste as much
time as they like trying two-letter usernames. Gets to the point
where the firewall slams the door more quickly. :-)


>> Is there any unix system which even would accept that as a
>> username? (I've not tried to create one on my systems, so I don't
>> know.)
>
> Probably all of them.

O.K. I might try it on some system which is not visible to the
outside, but certainly not anything which is visible -- unless I were to
try setting up honeypots. :-)

> Solaris docs says that _ is an acceptable value in a login name, although
> it should start with an alpha, it is only a warning not to.

O.K. So it will probably work.
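As an added example (not code from anyone in this thread), the following Python applies an approximation of the useradd login-name rule Doug describes, under which "____" is a creatable account name, and then counts failed sshd logins for such names over constructed log lines of the kind DoN. describes seeing. The regex, the watch-list of names and the sample log lines are assumptions made for this example.

```python
import re
from collections import Counter

# Approximation of the login-name rule shadow-utils' useradd has historically
# enforced (an assumption for this example, not quoted from any vendor doc):
# first char a letter or '_', then letters, digits, '_' or '-', optional
# trailing '$' for machine accounts, at most 32 chars. "____" satisfies it.
LOGIN_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*\$?$")
MAX_LOGIN_LEN = 32

# Names the thread reports seeing tried alongside "root" (watch-list assumed).
WATCHED_NAMES = {"____", "toor", "fluffy"}

def is_valid_login_name(name: str) -> bool:
    """True if useradd (by the rule above) would create this account at all."""
    return len(name) <= MAX_LOGIN_LEN and LOGIN_NAME_RE.fullmatch(name) is not None

def is_suspicious_login_name(name: str) -> bool:
    """Creatable names that do not start with a letter (the case the Solaris
    warning covers), plus the watch-listed names from the thread."""
    return (is_valid_login_name(name) and not name[0].isalpha()) or name in WATCHED_NAMES

# Two real OpenSSH auth-log message shapes, with and without "invalid user".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def failed_logins(lines):
    """Yield (username, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def suspicious_login_report(lines):
    """Count failed attempts per (username, ip) where the username is suspicious."""
    counts = Counter()
    for user, ip in failed_logins(lines):
        if is_suspicious_login_name(user):
            counts[(user, ip)] += 1
    return counts

# Constructed sample log lines using RFC 5737 documentation addresses, not real data.
SAMPLE_LOG = """\
Oct 16 13:01:02 host sshd[4242]: Failed password for invalid user ____ from 203.0.113.7 port 51234 ssh2
Oct 16 13:01:05 host sshd[4242]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 16 13:01:09 host sshd[4243]: Failed password for invalid user aa from 198.51.100.9 port 40001 ssh2
Oct 16 13:01:12 host sshd[4244]: Failed password for invalid user ____ from 203.0.113.7 port 51240 ssh2
Oct 16 13:01:15 host sshd[4245]: Failed password for invalid user fluffy from 192.0.2.33 port 2222 ssh2
"""

if __name__ == "__main__":
    for (user, ip), n in suspicious_login_report(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d} attempts as {user!r} from {ip}")
```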