sequences in the auth.log

Jan Muenther jan.muenther at nruns.com
Fri Aug 13 07:55:57 PDT 2004


Heya, 

this is probably the same piece of malware that has been discussed on f-d 
recently. The username/password combinations guest and test are hardcoded into
a little statically linked binary which is commonly used together with a 
SYN scanner. 

Chances are good these attempts are coming from a compromised box - you may
want to look into that if it is in your realms. 

If you need more info, I disassembled them both and made a quick analysis, check
the f-d archives. 

Cheers, J.
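
An added example, not part of the original post: a small detector that flags source addresses which fail logins for both `test` and `guest` in quick succession, the pair the message says is hardcoded into the binary. The OpenSSH-style log line format, the 60-second window, the function name and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style; host, PIDs and addresses
# are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Aug 13 03:10:01 host sshd[4101]: Illegal user test from 203.0.113.7
Aug 13 03:10:02 host sshd[4101]: Failed password for illegal user test from 203.0.113.7 port 40112 ssh2
Aug 13 03:10:04 host sshd[4103]: Illegal user guest from 203.0.113.7
Aug 13 03:10:05 host sshd[4103]: Failed password for illegal user guest from 203.0.113.7 port 40115 ssh2
Aug 13 09:22:40 host sshd[5200]: Failed password for alice from 198.51.100.20 port 51022 ssh2
Aug 13 11:00:00 host sshd[5301]: Failed password for invalid user test from 198.51.100.99 port 33000 ssh2
"""

# Older sshd versions log "illegal user", newer ones "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
PAIR = {"test", "guest"}

def find_pair_probes(log_text, window=timedelta(seconds=60), year=2004):
    """Return {ip: [(timestamp, user), ...]} for sources that failed logins
    for both 'test' and 'guest' within `window` of each other."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m and m["user"] in PAIR:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts[m["ip"]].append((ts, m["user"]))
    hits = {}
    for ip, events in attempts.items():
        events.sort()
        # The closest test/guest pair is always adjacent once sorted by time.
        for (t1, u1), (t2, u2) in zip(events, events[1:]):
            if u1 != u2 and t2 - t1 <= window:
                hits[ip] = events
                break
    return hits

if __name__ == "__main__":
    for ip, events in find_pair_probes(SAMPLE_LOG).items():
        print(ip, [(t.isoformat(), u) for t, u in events])
```

A source that only ever tries one of the two names, like the last sample line, is not reported.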

