China has tried to hack me

Posted by dnovotny on March 2, 2010 at 10:59 pm.

So, I got home from work, and booted up my computer. While it booted, I turned back to the mail, to see what was in the coupon section, because I was planning on going grocery shopping tonight. When I finished with the mail, and was about to go take care of some other tasks, I noticed the icon on the menu bar for Little Snitch was blinking like mad. As I had only started up the computer, and it was just sitting at the Finder, this caught me a little off guard, so I clicked the icon to investigate. The response from Little Snitch was that there were two processes of sshd with the IP address 218.107.139.2 running, and constantly transferring data. I am an IT guy, so I have an array of IP addresses memorized; however, that was one I didn’t recognize, so I fired off a quick whois to find out who was trying to ssh into my computer.

Here is the whois on the offender:

$ whois 218.107.139.2

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 218.0.0.0 – 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2000-12-07
Updated: 2009-10-08

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2010-03-01 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
% [whois.apnic.net node-3]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.107.128.0 – 218.107.191.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: SY21-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CNCGROUP
mnt-lower: MAINT-CNCGROUP-BJ
changed: hm-changed@apnic.net 20050407
source: APNIC

route: 218.104.0.0/14
descr: China Unicom CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060329
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail: hostmast@publicf.bta.net.cn
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 19980824
changed: hm-changed@apnic.net 20060717
changed: hostmast@publicf.bta.net.cn 20090630
source: APNIC

The second thing I did, as I didn’t recognize a computer in China that I would have been connecting to, was to kill the SSH service (Remote Login in System Preferences -> Sharing). That instantly stopped the transfer of data, but it didn’t really tell me what had been going on, so I started looking at the logs.

A quick scan through Console.app showed me that the culprit hadn’t gained access, but was just trying dictionary attacks to find a username that was enabled. As I only installed Snow Leopard last night, I am not yet sure if I can configure sshd in any other way, or hopefully to run only off of keys, as that is generally presented as a more secure way of running it.

For the record, here is the output from /var/log/secure.log:

Mar 2 19:01:57 mr-texs-mac-pro sshd[327]: Invalid user admin from 218.107.139.2
Mar 2 19:01:59 mr-texs-mac-pro sshd[329]: Invalid user admin from 218.107.139.2
Mar 2 19:02:01 mr-texs-mac-pro sshd[331]: Invalid user admin from 218.107.139.2
Mar 2 19:02:03 mr-texs-mac-pro sshd[333]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:05 mr-texs-mac-pro sshd[335]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:07 mr-texs-mac-pro sshd[337]: Invalid user administrator from 218.107.139.2
Mar 2 19:02:09 mr-texs-mac-pro sshd[339]: Invalid user tads from 218.107.139.2
Mar 2 19:02:11 mr-texs-mac-pro sshd[341]: Invalid user tads from 218.107.139.2
Mar 2 19:02:13 mr-texs-mac-pro sshd[343]: Invalid user tads from 218.107.139.2
Mar 2 19:02:15 mr-texs-mac-pro sshd[345]: Invalid user tip from 218.107.139.2
Mar 2 19:02:17 mr-texs-mac-pro sshd[347]: Invalid user tip from 218.107.139.2
Mar 2 19:02:19 mr-texs-mac-pro sshd[349]: Invalid user tip from 218.107.139.2
Mar 2 19:02:21 mr-texs-mac-pro sshd[351]: Invalid user myra from 218.107.139.2
Mar 2 19:02:22 mr-texs-mac-pro sshd[353]: Invalid user myra from 218.107.139.2
Mar 2 19:02:24 mr-texs-mac-pro sshd[355]: Invalid user myra from 218.107.139.2
Mar 2 19:02:26 mr-texs-mac-pro sshd[357]: Invalid user jack from 218.107.139.2
Mar 2 19:02:28 mr-texs-mac-pro sshd[359]: Invalid user jack from 218.107.139.2
Mar 2 19:02:30 mr-texs-mac-pro sshd[361]: Invalid user jack from 218.107.139.2
Mar 2 19:02:32 mr-texs-mac-pro sshd[363]: Invalid user sya from 218.107.139.2
Mar 2 19:02:33 mr-texs-mac-pro sshd[365]: Invalid user sya from 218.107.139.2
Mar 2 19:02:36 mr-texs-mac-pro sshd[367]: Invalid user sya from 218.107.139.2
Mar 2 19:02:38 mr-texs-mac-pro sshd[369]: Invalid user wang from 218.107.139.2
Mar 2 19:02:40 mr-texs-mac-pro sshd[371]: Invalid user wang from 218.107.139.2
Mar 2 19:02:42 mr-texs-mac-pro sshd[373]: Invalid user wang from 218.107.139.2
Mar 2 19:02:43 mr-texs-mac-pro sshd[375]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:45 mr-texs-mac-pro sshd[377]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:47 mr-texs-mac-pro sshd[379]: Invalid user marvin from 218.107.139.2
Mar 2 19:02:49 mr-texs-mac-pro sshd[381]: Invalid user andres from 218.107.139.2
Mar 2 19:02:51 mr-texs-mac-pro sshd[383]: Invalid user andres from 218.107.139.2
Mar 2 19:02:53 mr-texs-mac-pro sshd[385]: Invalid user andres from 218.107.139.2
Mar 2 19:02:55 mr-texs-mac-pro sshd[387]: Invalid user barbara from 218.107.139.2
Mar 2 19:02:57 mr-texs-mac-pro sshd[389]: Invalid user barbara from 218.107.139.2
Mar 2 19:02:58 mr-texs-mac-pro sshd[391]: Invalid user barbara from 218.107.139.2
Mar 2 19:03:00 mr-texs-mac-pro sshd[393]: Invalid user adine from 218.107.139.2
Mar 2 19:03:02 mr-texs-mac-pro sshd[395]: Invalid user adine from 218.107.139.2
Mar 2 19:03:04 mr-texs-mac-pro sshd[397]: Invalid user adine from 218.107.139.2
Mar 2 19:03:06 mr-texs-mac-pro sshd[399]: Invalid user test from 218.107.139.2
Mar 2 19:03:08 mr-texs-mac-pro sshd[401]: Invalid user test from 218.107.139.2
Mar 2 19:03:10 mr-texs-mac-pro sshd[403]: Invalid user test from 218.107.139.2
Mar 2 19:03:12 mr-texs-mac-pro sshd[405]: Invalid user guest from 218.107.139.2
Mar 2 19:03:14 mr-texs-mac-pro sshd[407]: Invalid user guest from 218.107.139.2
Mar 2 19:03:16 mr-texs-mac-pro sshd[409]: Invalid user guest from 218.107.139.2
Mar 2 19:03:18 mr-texs-mac-pro sshd[411]: Invalid user db from 218.107.139.2
Mar 2 19:03:19 mr-texs-mac-pro sshd[413]: Invalid user db from 218.107.139.2
Mar 2 19:03:21 mr-texs-mac-pro sshd[415]: Invalid user db from 218.107.139.2
Mar 2 19:03:23 mr-texs-mac-pro sshd[417]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:25 mr-texs-mac-pro sshd[419]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:26 mr-texs-mac-pro sshd[421]: Invalid user ahmed from 218.107.139.2
Mar 2 19:03:28 mr-texs-mac-pro sshd[423]: Invalid user alan from 218.107.139.2
Mar 2 19:03:30 mr-texs-mac-pro sshd[425]: Invalid user albert from 218.107.139.2
Mar 2 19:03:32 mr-texs-mac-pro sshd[427]: Invalid user alberto from 218.107.139.2
Mar 2 19:03:34 mr-texs-mac-pro sshd[429]: Invalid user alex from 218.107.139.2
Mar 2 19:03:36 mr-texs-mac-pro sshd[431]: Invalid user alex from 218.107.139.2
Mar 2 19:03:38 mr-texs-mac-pro sshd[433]: Invalid user alex from 218.107.139.2
Mar 2 19:03:40 mr-texs-mac-pro sshd[435]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:42 mr-texs-mac-pro sshd[437]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:43 mr-texs-mac-pro sshd[439]: Invalid user alfred from 218.107.139.2
Mar 2 19:03:45 mr-texs-mac-pro sshd[441]: Invalid user ali from 218.107.139.2
Mar 2 19:03:47 mr-texs-mac-pro sshd[443]: Invalid user ali from 218.107.139.2
Mar 2 19:03:49 mr-texs-mac-pro sshd[445]: Invalid user ali from 218.107.139.2
Mar 2 19:03:51 mr-texs-mac-pro sshd[447]: Invalid user alice from 218.107.139.2
Mar 2 19:03:53 mr-texs-mac-pro sshd[449]: Invalid user alice from 218.107.139.2
Mar 2 19:03:55 mr-texs-mac-pro sshd[451]: Invalid user alice from 218.107.139.2
Mar 2 19:03:57 mr-texs-mac-pro sshd[453]: Invalid user allan from 218.107.139.2
Mar 2 19:03:59 mr-texs-mac-pro sshd[455]: Invalid user allan from 218.107.139.2
Mar 2 19:04:01 mr-texs-mac-pro sshd[457]: Invalid user allan from 218.107.139.2
Mar 2 19:04:03 mr-texs-mac-pro sshd[459]: Invalid user andi from 218.107.139.2
Mar 2 19:04:05 mr-texs-mac-pro sshd[461]: Invalid user andi from 218.107.139.2
Mar 2 19:04:07 mr-texs-mac-pro sshd[463]: Invalid user andi from 218.107.139.2
Mar 2 19:04:08 mr-texs-mac-pro sshd[465]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:10 mr-texs-mac-pro sshd[467]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:12 mr-texs-mac-pro sshd[469]: Invalid user andrew from 218.107.139.2
Mar 2 19:04:14 mr-texs-mac-pro sshd[471]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:16 mr-texs-mac-pro sshd[473]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:18 mr-texs-mac-pro sshd[475]: Invalid user amanda from 218.107.139.2
Mar 2 19:04:20 mr-texs-mac-pro sshd[477]: Invalid user angie from 218.107.139.2
Mar 2 19:04:21 mr-texs-mac-pro sshd[479]: Invalid user angie from 218.107.139.2
Mar 2 19:04:23 mr-texs-mac-pro sshd[481]: Invalid user angie from 218.107.139.2
Mar 2 19:04:25 mr-texs-mac-pro sshd[483]: Invalid user angela from 218.107.139.2
Mar 2 19:04:27 mr-texs-mac-pro sshd[485]: Invalid user angela from 218.107.139.2
Mar 2 19:04:29 mr-texs-mac-pro sshd[487]: Invalid user angela from 218.107.139.2
Mar 2 19:04:31 mr-texs-mac-pro sshd[489]: Invalid user anita from 218.107.139.2
Mar 2 19:04:32 mr-texs-mac-pro sshd[491]: Invalid user anita from 218.107.139.2
Mar 2 19:04:34 mr-texs-mac-pro sshd[493]: Invalid user anita from 218.107.139.2
Mar 2 19:04:36 mr-texs-mac-pro sshd[495]: Invalid user anna from 218.107.139.2
Mar 2 19:04:38 mr-texs-mac-pro sshd[497]: Invalid user anna from 218.107.139.2
Mar 2 19:04:40 mr-texs-mac-pro sshd[499]: Invalid user anna from 218.107.139.2
Mar 2 19:04:42 mr-texs-mac-pro sshd[501]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:43 mr-texs-mac-pro sshd[503]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:45 mr-texs-mac-pro sshd[505]: Invalid user arthur from 218.107.139.2
Mar 2 19:04:47 mr-texs-mac-pro sshd[507]: Invalid user aron from 218.107.139.2
Mar 2 19:04:49 mr-texs-mac-pro sshd[509]: Invalid user aron from 218.107.139.2
Mar 2 19:04:51 mr-texs-mac-pro sshd[511]: Invalid user aron from 218.107.139.2
Mar 2 19:04:53 mr-texs-mac-pro sshd[513]: Invalid user austin from 218.107.139.2
Mar 2 19:04:54 mr-texs-mac-pro sshd[515]: Invalid user austin from 218.107.139.2
Mar 2 19:04:56 mr-texs-mac-pro sshd[517]: Invalid user austin from 218.107.139.2
Mar 2 19:04:58 mr-texs-mac-pro sshd[522]: Invalid user magic from 218.107.139.2
Mar 2 19:05:00 mr-texs-mac-pro sshd[525]: Invalid user magic from 218.107.139.2
Mar 2 19:05:01 mr-texs-mac-pro sshd[527]: Invalid user magic from 218.107.139.2
Mar 2 19:05:03 mr-texs-mac-pro sshd[529]: Invalid user bart from 218.107.139.2
Mar 2 19:05:05 mr-texs-mac-pro sshd[531]: Invalid user bart from 218.107.139.2
Mar 2 19:05:07 mr-texs-mac-pro sshd[533]: Invalid user bart from 218.107.139.2
Mar 2 19:05:09 mr-texs-mac-pro sshd[535]: Invalid user ben from 218.107.139.2
Mar 2 19:05:11 mr-texs-mac-pro sshd[537]: Invalid user ben from 218.107.139.2
Mar 2 19:05:13 mr-texs-mac-pro sshd[539]: Invalid user ben from 218.107.139.2
Mar 2 19:05:15 mr-texs-mac-pro sshd[542]: Invalid user beny from 218.107.139.2
Mar 2 19:05:17 mr-texs-mac-pro sshd[544]: Invalid user beny from 218.107.139.2
Mar 2 19:05:18 mr-texs-mac-pro sshd[547]: Invalid user beny from 218.107.139.2
Mar 2 19:05:20 mr-texs-mac-pro sshd[549]: Invalid user bert from 218.107.139.2
Mar 2 19:05:22 mr-texs-mac-pro sshd[551]: Invalid user bert from 218.107.139.2
Mar 2 19:05:24 mr-texs-mac-pro sshd[553]: Invalid user bert from 218.107.139.2
Mar 2 19:05:26 mr-texs-mac-pro sshd[555]: Invalid user bill from 218.107.139.2
Mar 2 19:05:28 mr-texs-mac-pro sshd[557]: Invalid user bill from 218.107.139.2
Mar 2 19:05:29 mr-texs-mac-pro sshd[559]: Invalid user bill from 218.107.139.2
Mar 2 19:05:31 mr-texs-mac-pro sshd[561]: Invalid user bind from 218.107.139.2
Mar 2 19:05:33 mr-texs-mac-pro sshd[563]: Invalid user bind from 218.107.139.2
Mar 2 19:05:35 mr-texs-mac-pro sshd[565]: Invalid user bind from 218.107.139.2
Mar 2 19:05:37 mr-texs-mac-pro sshd[567]: Invalid user bob from 218.107.139.2
Mar 2 19:05:39 mr-texs-mac-pro sshd[569]: Invalid user bob from 218.107.139.2
Mar 2 19:05:40 mr-texs-mac-pro sshd[571]: Invalid user bob from 218.107.139.2
Mar 2 19:05:42 mr-texs-mac-pro sshd[573]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:44 mr-texs-mac-pro sshd[581]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:46 mr-texs-mac-pro sshd[583]: Invalid user bobby from 218.107.139.2
Mar 2 19:05:48 mr-texs-mac-pro sshd[585]: Invalid user bret from 218.107.139.2
Mar 2 19:05:50 mr-texs-mac-pro sshd[587]: Invalid user bret from 218.107.139.2
Mar 2 19:05:52 mr-texs-mac-pro sshd[589]: Invalid user bret from 218.107.139.2
Mar 2 19:05:53 mr-texs-mac-pro sshd[591]: Invalid user brian from 218.107.139.2
Mar 2 19:05:55 mr-texs-mac-pro sshd[594]: Invalid user brian from 218.107.139.2
Mar 2 19:05:57 mr-texs-mac-pro sshd[596]: Invalid user brian from 218.107.139.2
Mar 2 19:05:59 mr-texs-mac-pro sshd[598]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:01 mr-texs-mac-pro sshd[600]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:03 mr-texs-mac-pro sshd[602]: Invalid user bruce from 218.107.139.2
Mar 2 19:06:04 mr-texs-mac-pro sshd[604]: Invalid user carl from 218.107.139.2
Mar 2 19:06:06 mr-texs-mac-pro sshd[606]: Invalid user carl from 218.107.139.2
Mar 2 19:06:08 mr-texs-mac-pro sshd[608]: Invalid user carl from 218.107.139.2
Mar 2 19:06:10 mr-texs-mac-pro sshd[610]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:12 mr-texs-mac-pro sshd[613]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:13 mr-texs-mac-pro sshd[615]: Invalid user cesar from 218.107.139.2
Mar 2 19:06:15 mr-texs-mac-pro sshd[617]: Invalid user clark from 218.107.139.2
Mar 2 19:06:17 mr-texs-mac-pro sshd[620]: Invalid user clark from 218.107.139.2
Mar 2 19:06:19 mr-texs-mac-pro sshd[622]: Invalid user clark from 218.107.139.2
Mar 2 19:06:21 mr-texs-mac-pro sshd[624]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:22 mr-texs-mac-pro sshd[626]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:24 mr-texs-mac-pro sshd[628]: Invalid user clinton from 218.107.139.2
Mar 2 19:06:26 mr-texs-mac-pro sshd[630]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:29 mr-texs-mac-pro sshd[632]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:31 mr-texs-mac-pro sshd[634]: Invalid user corinna from 218.107.139.2
Mar 2 19:06:32 mr-texs-mac-pro sshd[636]: Invalid user craig from 218.107.139.2
Mar 2 19:06:34 mr-texs-mac-pro sshd[642]: Invalid user craig from 218.107.139.2
Mar 2 19:06:36 mr-texs-mac-pro sshd[644]: Invalid user craig from 218.107.139.2
Mar 2 19:06:38 mr-texs-mac-pro sshd[647]: Invalid user daniel from 218.107.139.2
Mar 2 19:06:40 mr-texs-mac-pro sshd[661]: Invalid user daniel from 218.107.139.2
Mar 2 19:06:42 mr-texs-mac-pro sshd[664]: Invalid user daniel from 218.107.139.2

I haven’t looked into who these people are, or if they are just a bot, or what, but it is interesting to see this happen. If you run a Mac, I recommend Little Snitch; it’s $30, and well worth it. If you are less geeky than me, you may find it a little irritating initially, but once you have it set up, it will be unobtrusive, and will really help you to know what’s going on with your computer. Thinking about it, I wonder how often this happened on my Linux box, which preceded the Mac, and I just didn’t realize it. I am curious if the Linux box had been blocking SSH attempts after a set number when this sort of thing had happened, or if it hadn’t happened. Which makes me also wonder why the Mac didn’t at least ignore ssh attempts from that IP after 5 separate failed attempts. With the only real configuration being on/off, and User Access List for SSH, I would like to think that Apple would do some more intelligent intrusion prevention under the hood, but maybe that’s just wishful thinking. Maybe the simpler is easier school of thought transcends the interface and persists in the underlying code as well.
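The question above, whether anything would have cut this source off after 5 failed attempts, can be checked against a log in the secure.log format shown earlier. This is an added example, not part of the original post: it scans for "Invalid user" lines and reports when each source would have tripped a 5-failure rule. The 60-second window, the function name and the sample lines (documentation addresses, constructed) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd lines in the format quoted in the post, e.g.
# "Mar 2 19:01:57 host sshd[327]: Invalid user admin from 218.107.139.2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample input (not taken from the post's log).
SAMPLE_LOG = """\
Mar 2 19:01:57 example-mac sshd[327]: Invalid user admin from 203.0.113.7
Mar 2 19:01:59 example-mac sshd[329]: Invalid user admin from 203.0.113.7
Mar 2 19:02:01 example-mac sshd[331]: Invalid user admin from 203.0.113.7
Mar 2 19:02:03 example-mac sshd[333]: Invalid user administrator from 203.0.113.7
Mar 2 19:02:04 example-mac sshd[334]: Invalid user bob from 198.51.100.20
Mar 2 19:02:05 example-mac sshd[335]: Invalid user administrator from 203.0.113.7
Mar 2 19:02:07 example-mac sshd[337]: Invalid user administrator from 203.0.113.7
Mar 2 19:40:00 example-mac sshd[400]: Invalid user bob from 198.51.100.20
""".splitlines()


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2010):
    """Return {ip: report} for sources with >= threshold failures inside window.

    Syslog timestamps carry no year, so one is supplied (assumption: all
    lines fall in the same year).
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "tripped_at": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login line for an unknown user
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if s["tripped_at"] is None and len(q) >= threshold:
            s["tripped_at"] = ts  # moment a block rule would have fired
    return {ip: s for ip, s in stats.items() if s["tripped_at"] is not None}


if __name__ == "__main__":
    for ip, s in find_bruteforce(SAMPLE_LOG).items():
        print(ip, s["attempts"], sorted(s["users"]), s["tripped_at"])
```

A source that spaces its guesses further apart than the window never trips the rule, so the window length matters as much as the threshold.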

Either way, SSH is off for now, and will remain that way until I can find a better way of managing it. One of the things that I really liked with my old Linux box was that I had ssh on, but, vnc was disabled, even though I always ran it through an ssh tunnel, I would run a script on connecting that enabled the vnc daemon, and then my connection would work, and before killing the tunnel, I would run the script again, which would kill the daemon. I wonder if I could set some sort of logic in motion where something like that could be done with SSH. Like I text message my toaster, and have it send an X11 packet through the electrical system to alert my computer to enable the ssh service. Obviously this is just theory, my toaster isn’t on a 3G network right now, because I really have no need for an extra bill for it, but, maybe if that is a more secure way of doing things…

Back to my Chinese friend, I found this online (http://www.tatsukichi.gr.jp/):

The Criminal 218.107.139.2 in the Criminal Beijing Province China Unicom network (min Co. Ltd., Beijing, China联合Course Center Hack communication) in the Criminal China Unicom (联通China) (CN) (2010.2.10)
Malicious and huge ssh brute force attack (6 login attempts) focusing on the root password only.
This is the 8th attack by the Criminal 218.107.139.2 since Feb 8 2010, Feb 7 2010 (twice), Feb 3 2010, Dec 25 2009, 11 Dec 2009 and Dec 7 2009.
Add 218.104.0.0/14 and 218.108.0.0/15 to the permanent block list.

My Japanese is sort of rusty, so the translation of that page doesn’t make much sense to me, but it appears that is a SORBS (Spam and Open Relay Blocking System) list. And it looks like in the last 3 months, there have been multiple attacks originating from that IP address, and apparently the Chinese telecommunications company has no desire to do anything about it, so they recommend permanently blocking all traffic coming from that ISP. I think that the scorched earth policy is pretty rough, but in all honesty, I don’t really see a reason not to.

While it has fallen off the list, it was at http://sysdeny.net/bf.txt on Feb 15, 2010 08:31:38 GMT according to Google’s Cache.

http://www.sidata.com.tr/cmn/pubservices/offensive_details.html?id=574625 is another page that details how they are brute force attacking ssh servers.

That’s enough dealing with it for tonight, but tomorrow is another day.
