Subject: [Intrusions] Linux SSH scanning - test/guest
Importance: Low
FYI
We got zapped by some hackers from, I think, Romania that have a priv escalation exploit for Linux 2.4.20
http://sirzion.illusivecreations.com/loginxy
There is also a multithreaded SSH bruteforcer called "haita".
This attempts to log in to machines using the accounts "test" and "guest", with passwords "test" & "guest" respectively. It runs from a file of addresses found by a synscan program. It identifies itself as
SSH-2.0-libssh-0.1
So, SSH login failures for test & guest are an indication of this thing running at the remote end.
The two names & passwords appear to be hardcoded into the program.
Since Linux, as I recall, backs off after failed attempts, there wouldn't be much to gain by trying many more names, but variants may appear with other defaults.
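
Added example, not part of the original message: a log check for the indicator described above, flagging source addresses that failed SSH logins for both "test" and "guest". It assumes OpenSSH-style "Failed password for ..." syslog lines; the sample log lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Account names the message says are hardcoded into the scanner.
WATCHED = {"test", "guest"}

# OpenSSH failure line; older releases say "illegal user", newer "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def suspect_sources(lines):
    """Map source -> sorted names tried, for sources that failed on BOTH names."""
    tried = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            tried[m.group("src")].add(m.group("user"))
    return {src: sorted(users) for src, users in tried.items()
            if WATCHED <= users}

def exact_pair(suspects):
    """Sources that tried only test and guest (matches the hardcoded pair);
    anything wider may be a variant or a different tool."""
    return sorted(s for s, users in suspects.items() if set(users) == WATCHED)

# Constructed sample input (documentation address ranges, invented host/PIDs).
SAMPLE_LOG = """\
Aug 12 03:14:07 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Aug 12 03:14:09 host sshd[2103]: Failed password for guest from 192.0.2.10 port 40115 ssh2
Aug 12 03:20:41 host sshd[2140]: Failed password for alice from 198.51.100.7 port 51822 ssh2
Aug 12 03:31:02 host sshd[2177]: Failed password for test from 203.0.113.5 port 33001 ssh2
Aug 12 03:31:05 host sshd[2179]: Failed password for invalid user guest from 203.0.113.5 port 33004 ssh2
Aug 12 03:31:09 host sshd[2181]: Failed password for root from 203.0.113.5 port 33010 ssh2
Aug 12 03:40:00 host sshd[2200]: Accepted password for alice from 198.51.100.7 port 51900 ssh2
""".splitlines()

if __name__ == "__main__":
    hits = suspect_sources(SAMPLE_LOG)
    for src, users in sorted(hits.items()):
        print(src, users)
    print("exact test/guest pair:", exact_pair(hits))
```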