[CentOS] Audit logs containing 28756E6B6E6F776E207573657229

Wed Jun 12 09:40:26 UTC 2013
Nicolas Thierry-Mieg <Nicolas.Thierry-Mieg at imag.fr>

Gregory Machin wrote:
> Hi.
> I'm seeing a lot of entries in /var/log/audit/audit.log
> acct=28756E6B6E6F776E207573657229 , which apparently means unknown user .
> Sample from the logs :
> type=USER_LOGIN msg=audit(1370998250.746:1622709): user pid=16762 uid=0
> auid=4294967295 ses=4294967295 msg='op=login
> acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=?
> addr= terminal=ssh res=failed'
> How do I track down  what is causing this ? Thus far I have has not luck
> using the pid with ps or lsof  as it seems the process has gone by the
> time I respond to the log entries.

it looks like a failed login attempt through ssh, but I would check 
/var/log/secure which may be more explicit