[nsp-sec] SSH scanners looking for "temporary"?

Bill Owens owens at nysernet.org
Wed Sep 10 08:50:14 EDT 2008 

I know that nobody really cares about SSH scanners, but there was a strange pattern this morning that I've never seen before:

Sep 10 08:25:02 cookiemonster sshd[57483]: Invalid user tmp from 200.68.45.66
Sep 10 08:25:55 cookiemonster sshd[57487]: Invalid user tmp from 124.178.235.109
Sep 10 08:26:39 cookiemonster sshd[57491]: Invalid user tmp from 196.212.123.58
Sep 10 08:27:33 cookiemonster sshd[57496]: Invalid user tmp from 62.60.136.250
Sep 10 08:28:06 cookiemonster sshd[57503]: Invalid user tmp from 190.34.172.5
Sep 10 08:29:15 cookiemonster sshd[66171]: Invalid user tmp from 190.5.195.98
Sep 10 08:29:48 cookiemonster sshd[67213]: Invalid user tmp from 62.38.151.143
Sep 10 08:30:06 cookiemonster sshd[67216]: Invalid user tmp from 91.116.191.42
Sep 10 08:30:43 cookiemonster sshd[67220]: Invalid user tmp from 213.83.30.141
Sep 10 08:32:40 cookiemonster sshd[67232]: Invalid user temp from 211.94.209.17
Sep 10 08:33:23 cookiemonster sshd[67238]: Invalid user temp from 213.136.105.130
Sep 10 08:33:58 cookiemonster sshd[67245]: Invalid user temp from 213.23.55.162
Sep 10 08:34:47 cookiemonster sshd[72628]: Invalid user temp from 83.236.179.50
Sep 10 08:37:10 cookiemonster sshd[72635]: Invalid user temp from 62.72.101.154
Sep 10 08:38:08 cookiemonster sshd[72640]: Invalid user temporary from 85.39.252.226
Sep 10 08:39:08 cookiemonster sshd[72648]: Invalid user temporary from 121.241.211.63
Sep 10 08:39:28 cookiemonster sshd[72651]: Invalid user temporary from 83.17.126.94
Sep 10 08:39:57 cookiemonster sshd[77963]: Invalid user temporary from 124.178.235.109
Sep 10 08:41:24 cookiemonster sshd[77991]: Invalid user temporary from 212.14.40.1
Sep 10 08:41:51 cookiemonster sshd[77994]: Invalid user temporary from 64.72.87.100
Sep 10 08:43:09 cookiemonster sshd[78443]: Invalid user temporary from 80.153.123.179
Sep 10 08:44:34 cookiemonster sshd[81270]: Invalid user christelle from 212.91.188.165
Sep 10 08:45:25 cookiemonster sshd[81276]: Invalid user christelle from 213.98.2.49
Sep 10 08:45:48 cookiemonster sshd[81282]: Invalid user christelle from 12.206.87.124
Sep 10 08:48:34 cookiemonster sshd[86248]: Invalid user christelle from 58.196.4.2

That's EDT (GMT-4). I've not run across an SSH user called 'temporary' or the other variants, is there some installer somewhere that sets that up and leaves it? 
Bill.
- - -
Bill Owens
Director, Advanced Technology and Networks
NYSERNet, Inc.

More information about the nsp-security mailing list