On Jul 18, 8:21 am, VAXman- @SendSpamHere.ORG wrote:
> More ssh attacks. They are mostly a nuisance. However, logs full of
> OPCOM messages like this
>
> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
> Message from user AUDIT$SERVER on ******
> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
> Auditable event: Network login
> Event time: 18-JUL-2007 08:05:42.85
> PID: 20200D5E
> Process name: TCPIP$SS_BG3304
> Username: TCPIP$SSH
> Process owner: [TCPIP$AUX,TCPIP$SSH]
> Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
> Remote node id: 11223344 (aa.bbb)
> Remote node fullname: aa.bb.cc.dd
> Remote username: TCPIP$SSH
> Posix UID: -2
> Posix GID: -2 (%XFFFFFFFE)
>
> %%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
> Message from user AUDIT$SERVER on ******
> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
> Auditable event: Network login failure
> Event time: 18-JUL-2007 08:05:48.42
> PID: 20200D5E
> Process name: TCPIP$SS_BG3304
> Username: TCPIP$SSH
> Remote node fullname: SSH_PASSWORD:some.hackers.net
> Remote username: SSH_11223344
> Status: %LOGIN-F-NOTVALID, user authorization failure
>
> would be much more useful if ONE of the above two logged messages would
> include the username the hacker is trying to use for access. I do not
> see it (the username under attack) in any of the SSH log files either.
>
> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
> the username under attack, I'd appreciate it. HP, if you are listening,
> this would be a nice feature if it doesn't already exist (I didn't see a
> way to get it when I perused the ssh doc).
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
>
> "Well my son, life is like a beanstalk, isn't it?"
>
> http://tmesis.com/sig.jpg


TCPware shows username, but if you have intrusion on
for say 3 strikes and you're out, then

$ SHOW INTRUSION

will show you the username also ...
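
As an added illustration (not part of either post, and not HP or TCPware code): a small parser for OPCOM audit text like the two messages quoted above. It pairs each "Network login failure" with the "Network login" event that has the same PID, so failures can be counted per source. The sample text is constructed from the quoted messages, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two OPCOM messages quoted in the thread.
SAMPLE = """\
%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
Message from user AUDIT$SERVER on NODE
Auditable event: Network login
PID: 20200D5E
Username: TCPIP$SSH
Remote node fullname: aa.bb.cc.dd

%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
Message from user AUDIT$SERVER on NODE
Auditable event: Network login failure
PID: 20200D5E
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:some.hackers.net
Remote username: SSH_11223344
Status: %LOGIN-F-NOTVALID, user authorization failure
"""

BANNER = re.compile(r"^%+ OPCOM .*%+[ \t]*$", re.M)

def parse_opcom(text):
    """Split on OPCOM banners; return one {field: value} dict per message."""
    records = []
    for chunk in BANNER.split(text):
        rec = {}
        for line in chunk.splitlines():
            key, sep, val = line.partition(": ")
            if sep:  # lines without "name: value" (e.g. "Message from") are skipped
                rec[key.strip()] = val.strip()
        if "Auditable event" in rec:
            records.append(rec)
    return records

def failures_by_source(records):
    """Count login failures per source, pairing each with the address
    logged by the 'Network login' event that has the same PID."""
    addr = {r.get("PID"): r.get("Remote node fullname")
            for r in records if r["Auditable event"] == "Network login"}
    hits = Counter()
    for r in records:
        if r["Auditable event"] == "Network login failure":
            hits[(r.get("Remote node fullname"), addr.get(r.get("PID")))] += 1
    return hits
```

On the sample, every record's `Username` field is the service account `TCPIP$SSH`, so the parser can report source and failure count but not the account name that was tried.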