Re: ssh scanner branching out
On 2004-10-09, Allen Kistler <ackistler@oohay.moc> wrote:
> From my latest logs:
>
> Illegal user oracle from ...
> Illegal user guest from ...
> Illegal user oracle from ...
> Illegal user informix from ...
> Illegal user oracle9 from ...
> Illegal user oracle from ...
> Illegal user oracle from ...
> Illegal user gateway from ...
> Illegal user webadmin from ...
> Illegal user webadmin from ...
> Illegal user postgres from ...
> Illegal user webadmin from ...
> Illegal user oracle from ...
> Illegal user postgres from ...
> Illegal user webadmin from ...
>
> I guess test, user, and admin got too boring.

I'm also seeing more personal names:

Failed password for illegal user adam
Failed password for illegal user alan
Failed password for illegal user frank
Failed password for illegal user george
Failed password for illegal user henry
Failed password for illegal user matt
Failed password for illegal user patrick
Failed password for illegal user pamela
Failed password for illegal user jane

as well as some odd ones:

Failed password for illegal user cip52
Failed password for illegal user cip51

Interestingly, nmap seems to think most of these are from Linux machines.

Usually, I just ignore them, but when they insist on hammering my machine
dozens of times, I track them down and report them to their upstream
provider. This may or may not be effective, but I try anyway; I've gotten
several responses that the admins of the offending machines have been
informed and the machines taken off-line.

--
-John (john@os2.dhs.org)
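
Added example, not part of the post above: one way to pick out the sources that hammer a machine "dozens of times" from sshd log lines like those quoted in the thread. The line tail `from <addr> port <n> ssh2` (the post truncates it), the threshold of 24, and all sample data are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# The remote client chooses the user name, so take the address from the END
# of the line (greedy user group) rather than after the first " from ".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+(?: ssh\d)?\s*$"
)

def summarize(lines):
    """Map source address -> Counter of user names tried with a failed password."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return per_ip

def repeat_offenders(per_ip, min_attempts=24):
    """Sources with at least min_attempts failures, busiest first.
    24 ("dozens") is an assumed threshold, not a value from the post."""
    rows = [(ip, sum(c.values()), sorted(c)) for ip, c in per_ip.items()]
    return sorted((r for r in rows if r[1] >= min_attempts), key=lambda r: -r[1])

# Constructed sample log: user names from the thread, RFC 5737 documentation
# addresses, made-up host name, pids and ports.
NAMES = ["adam", "alan", "frank", "george", "henry", "matt",
         "patrick", "pamela", "jane", "cip52", "cip51"]

def _line(i, user, ip):
    return (f"Oct  9 03:{i // 60:02d}:{i % 60:02d} host sshd[{2100 + i}]: "
            f"Failed password for illegal user {user} from {ip} port {40000 + i} ssh2")

SAMPLE = [_line(i, NAMES[i % len(NAMES)], "192.0.2.10") for i in range(33)]
SAMPLE += [_line(40 + i, "oracle", "198.51.100.7") for i in range(3)]
# User name crafted to look like a log suffix; the real source is 198.51.100.7.
SAMPLE.append(_line(50, "x from 203.0.113.99 port 22 ssh2", "198.51.100.7"))
# "Illegal user" notices carry no password attempt and are not counted.
SAMPLE.append("Oct  9 03:01:00 host sshd[2999]: Illegal user guest from 192.0.2.10")

if __name__ == "__main__":
    for ip, attempts, users in repeat_offenders(summarize(SAMPLE)):
        print(f"{ip}: {attempts} failed passwords, users tried: {', '.join(users)}")
```

The per-source count and user list are the details an upstream provider's abuse desk needs; the end-of-line match keeps a crafted user name from shifting the blame to another address.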