Greetings everyone! We've encountered a problem on our network involving constant (once every 5 seconds) attempts to log in to one of our devices from the address of the VM running Orion using a username that has long been invalid.
Here is the log:
577543: Apr 6 17:19:43.078 NSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin62174] [Source: X.X.X.X] [localport: 22] [Reason: Login Authentication Failed] at 17:19:43 NSK Mon Apr 6 2026
4577544: Apr 6 17:19:50.150 NSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin62174] [Source: X.X.X.X] [localport: 22] [Reason: Login Authentication Failed] at 17:19:50 NSK Mon Apr 6 2026
4577545: Apr 6 17:19:50.166 NSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from X.X.X.X (tty = 0) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
I've tried:
Changing the profile for the node - login attempts continued
Deleting the profile from the node (within Orion) - login attempts continued
Completely deleting the admin62174 profile from Orion NCM - login attempts continued
Disconnecting NCM from the node - login attempts continued
Changing the node address within Orion - login attempts continued.
Deleting the user admin62174 from the SQL table on the server running Orion - login attempts continued.
Additionally, I found the following:
LocalPort  RemotePort  State  Process
---------  ----------  -----  -------
55662      22          5      SWJobEngineWorker2
55578      22          5      SWJobEngineWorker2
54933      22          11     Idle
54892      22          11     Idle
54656      22          11     Idle
54606      22          11     Idle
54353      22          11     Idle
54305      22          11     Idle
53741      22          11     Idle
53697      22          11     Idle
52997      22          11     Idle
52959      22          11     Idle
52295      22          11     Idle
52263      22          11     Idle
The first two processes appear and disappear exactly every 5 seconds, and I don't know what tasks start them. If I stop these processes, the login attempts stop too.
Please help, maybe I missed something? I think I'm going crazy...
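
The check below is an added example, not part of the original post: it parses `%SEC_LOGIN-4-LOGIN_FAILED` lines in the format shown above and measures how regular the failures are per source and username, which separates a scheduled job retrying a stale credential from manual attempts. The sample lines, the documentation-range addresses, the function name and the 10% jitter threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOGIN_FAILED = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]+\.\d+) \w+: %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\].* (?P<year>\d{4})\s*$"
)

# Constructed sample input in the same format as the device log (not real data).
TEMPLATE = ("1: Apr 6 {t} NSK: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {u}] "
            "[Source: {s}] [localport: 22] [Reason: Login Authentication Failed] "
            "at {t:.8} NSK Mon Apr 6 2026")
SAMPLE = "\n".join(TEMPLATE.format(t=t, u="admin62174", s=s) for t, s in [
    ("17:19:40.000", "192.0.2.10"), ("17:19:45.000", "192.0.2.10"),
    ("17:19:50.100", "192.0.2.10"), ("17:19:55.000", "192.0.2.10"),
    ("17:00:00.000", "192.0.2.20"), ("17:00:02.000", "192.0.2.20"),
    ("17:03:10.000", "192.0.2.20"), ("17:03:11.000", "192.0.2.20"),
])

def failed_login_cadence(text, max_jitter_ratio=0.1):
    """Group failed logins by (source, user) and report how regular their spacing is."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:  # other messages (e.g. %SSH-5-SSH2_USERAUTH) are ignored
            stamp = f"{m['year']} {m['ts']}"  # year comes from the trailing "at ..." field
            events[(m["src"], m["user"])].append(
                datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"))
    report = {}
    for key, stamps in events.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "count": len(stamps),
            "mean_gap": round(mean(gaps), 3) if gaps else None,
            "jitter": round(pstdev(gaps), 3) if gaps else None,
            # Assumption: at least 3 gaps with jitter within 10% of the mean = timer-driven.
            "scheduled": len(gaps) >= 3 and pstdev(gaps) <= max_jitter_ratio * mean(gaps),
        }
    return report

if __name__ == "__main__":
    for (src, user), stats in failed_login_cadence(SAMPLE).items():
        print(src, user, stats)
```

A source flagged as `scheduled` points at a polling or job engine on that host, so the connection-to-process mapping on that machine is the next place to look.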