The ones I have been seeing started about July 23 with log entries like this from syslog:
Jul 23 16:02:19 knight sshd[23572]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:19 knight sshd[23576]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:19 knight sshd[23588]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90 user=root\nJul 23 16:02:20 knight sshd[23582]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:20 knight sshd[23584]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:20 knight sshd[23589]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90 user=root\nJul 23 16:02:20 knight sshd[23590]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90 user=root\nJul 23 16:02:20 knight sshd[23591]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.152.182.90 user=root\nJul 23 16:02:21 knight sshd[23572]: error: PAM: Authentication failure for root from 212.152.182.90\nJul 23 16:02:21 knight sshd[23576]: error: PAM: Authentication failure for root from 212.152.182.90\nJul 23 16:02:22 knight sshd[23582]: error: PAM: Authentication failure for root from 212.152.182.90\nJul 23 16:02:22 knight sshd[23584]: error: PAM: Authentication failure for root from 212.152.182.90\nJul 23 16:02:23 knight sshd[23573]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:24 knight sshd[23571]: Did not receive identification string from 212.152.182.90\nJul 23 16:02:24 knight sshd[23572]: fatal: PAM: authentication thread exited unexpectedly\nJul 23 16:02:24 knight sshd[23576]: fatal: PAM: authentication thread exited unexpectedly\nJul 23 16:02:24 knight sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:24 knight sshd[23582]: fatal: PAM: authentication thread exited unexpectedly\nJul 23 16:02:24 knight sshd[23584]: fatal: PAM: authentication thread exited unexpectedly\nJul 23 16:02:29 knight sshd[23583]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:02:32 knight sshd[23577]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!\nJul 23 16:11:56 knight sshd[23785]: Illegal user test from 193.145.87.3\nJul 23 16:11:57 knight sshd[23785]: Failed password for illegal user test from 193.145.87.3 port 37509 ssh2\nJul 23 16:11:57 knight sshd[23785]: error: Could not get shadow information for NOUSER\nJul 23 16:11:59 knight sshd[23787]: Illegal user guest from 193.145.87.3\nJul 23 16:12:00 knight sshd[23787]: Failed password for illegal user guest from 193.145.87.3 port 37599 ssh2\nJul 23 16:12:00 knight sshd[23787]: error: Could not get shadow information for NOUSER\n
Now about Aug 1st it got transformed into a streamlined scan:
Aug 1 18:27:45 knight sshd[20325]: Illegal user test from 218.49.183.17\nAug 1 18:27:46 knight sshd[20325]: Failed password for illegal user test from 218.49.183.17 port 48849 ssh2\nAug 1 18:27:46 knight sshd[20325]: error: Could not get shadow information for NOUSER\nAug 1 18:27:48 knight sshd[20327]: Illegal user guest from 218.49.183.17\nAug 1 18:27:49 knight sshd[20327]: Failed password for illegal user guest from 218.49.183.17 port 49090 ssh2\nAug 1 18:27:49 knight sshd[20327]: error: Could not get shadow information for NOUSER\nAug 1 18:27:52 knight sshd[20329]: Failed password for admin from 218.49.183.17 port 49266 ssh2\nAug 1 18:27:56 knight sshd[20331]: Failed password for admin from 218.49.183.17 port 49468 ssh2\nAug 1 18:27:58 knight sshd[20334]: Illegal user user from 218.49.183.17\nAug 1 18:27:59 knight sshd[20334]: Failed password for illegal user user from 218.49.183.17 port 49680 ssh2\nAug 1 18:27:59 knight sshd[20334]: error: Could not get shadow information for NOUSER\nAug 1 18:28:02 knight sshd[20336]: Failed password for root from 218.49.183.17 port 49869 ssh2\nAug 1 18:28:05 knight sshd[20347]: Failed password for root from 218.49.183.17 port 50063 ssh2\nAug 1 18:28:12 knight sshd[20349]: Failed password for root from 218.49.183.17 port 50245 ssh2\nAug 1 18:28:14 knight sshd[20352]: Illegal user test from 218.49.183.17\nAug 1 18:28:19 knight sshd[20352]: Failed password for illegal user test from 218.49.183.17 port 50671 ssh2\nAug 1 18:28:19 knight sshd[20352]: error: Could not get shadow information for NOUSER\nAug 1 18:29:55 knight sshd[20402]: Illegal user test from 218.49.183.17\nAug 1 18:29:56 knight sshd[20402]: Failed password for illegal user test from 218.49.183.17 port 52244 ssh2\nAug 1 18:29:56 knight sshd[20402]: error: Could not get shadow information for NOUSER\nAug 1 18:29:58 knight sshd[20404]: Illegal user guest from 218.49.183.17\nAug 1 18:30:02 knight sshd[20406]: Illegal user test from 218.49.183.17\nAug 1 18:30:03 knight sshd[20404]: Failed password for illegal user guest from 218.49.183.17 port 52416 ssh2\nAug 1 18:30:03 knight sshd[20404]: error: Could not get shadow information for NOUSER\nAug 1 18:30:03 knight sshd[20406]: Failed password for illegal user test from 218.49.183.17 port 52558 ssh2\nAug 1 18:30:03 knight sshd[20406]: error: Could not get shadow information for NOUSER\nAug 1 18:30:05 knight sshd[20439]: Failed password for illegal user guest from 218.49.183.17 port 52818 ssh2\nAug 1 18:30:05 knight sshd[20439]: Illegal user guest from 218.49.183.17\nAug 1 18:30:05 knight sshd[20439]: error: Could not get shadow information for NOUSER\nAug 1 18:30:06 knight sshd[20441]: Failed password for admin from 218.49.183.17 port 52851 ssh2\nAug 1 18:30:08 knight sshd[20443]: Failed password for admin from 218.49.183.17 port 53014 ssh2\nAug 1 18:30:09 knight sshd[20445]: Failed password for admin from 218.49.183.17 port 53040 ssh2\nAug 1 18:30:11 knight sshd[20447]: Failed password for admin from 218.49.183.17 port 53192 ssh2\nAug 1 18:30:11 knight sshd[20449]: Illegal user user from 218.49.183.17\nAug 1 18:30:12 knight sshd[20449]: Failed password for illegal user user from 218.49.183.17 port 53230 ssh2\nAug 1 18:30:12 knight sshd[20449]: error: Could not get shadow information for NOUSER\nAug 1 18:30:13 knight sshd[20451]: Illegal user user from 218.49.183.17\nAug 1 18:30:14 knight sshd[20451]: Failed password for illegal user user from 218.49.183.17 port 53404 ssh2\nAug 1 18:30:14 knight sshd[20451]: error: Could not get shadow information for NOUSER\nAug 1 18:30:14 knight sshd[20453]: Failed password for root from 218.49.183.17 port 53425 ssh2\nAug 1 18:30:21 knight sshd[20455]: Failed password for root from 218.49.183.17 port 53571 ssh2\nAug 1 18:30:22 knight sshd[20457]: Failed password for root from 218.49.183.17 port 53615 ssh2\nAug 1 18:30:24 knight sshd[20476]: Failed password for root from 218.49.183.17 port 54033 ssh2\nAug 1 18:30:24 knight sshd[20484]: Failed password for root from 218.49.183.17 port 54078 ssh2\nAug 1 18:30:26 knight sshd[20488]: Illegal user test from 218.49.183.17\nAug 1 18:30:27 knight sshd[20486]: Failed password for root from 218.49.183.17 port 54243 ssh2\nAug 1 18:30:27 knight sshd[20488]: Failed password for illegal user test from 218.49.183.17 port 54285 ssh2\nAug 1 18:30:27 knight sshd[20488]: error: Could not get shadow information for NOUSER\nAug 1 18:30:29 knight sshd[20490]: Illegal user test from 218.49.183.17\nAug 1 18:30:34 knight sshd[20490]: Failed password for illegal user test from 218.49.183.17 port 54423 ssh2\nAug 1 18:30:34 knight sshd[20490]: error: Could not get shadow information for NOUSER\nAug 1 18:35:53 knight sshd[20658]: Illegal user test from 218.49.183.17\nAug 1 18:35:54 knight sshd[20658]: Failed password for illegal user test from 218.49.183.17 port 39604 ssh2\nAug 1 18:35:54 knight sshd[20658]: error: Could not get shadow information for NOUSER\nAug 1 18:35:56 knight sshd[20660]: Illegal user guest from 218.49.183.17\nAug 1 18:35:57 knight sshd[20660]: Failed password for illegal user guest from 218.49.183.17 port 39811 ssh2\nAug 1 18:35:57 knight sshd[20660]: error: Could not get shadow information for NOUSER\nAug 1 18:36:00 knight sshd[20664]: Failed password for admin from 218.49.183.17 port 40009 ssh2\nAug 1 18:36:04 knight sshd[20666]: Failed password for admin from 218.49.183.17 port 40217 ssh2\nAug 1 18:36:06 knight sshd[20675]: Illegal user user from 218.49.183.17\nAug 1 18:36:11 knight sshd[20675]: Failed password for illegal user user from 218.49.183.17 port 40470 ssh2\nAug 1 18:36:11 knight sshd[20675]: error: Could not get shadow information for NOUSER\nAug 1 18:36:14 knight sshd[20677]: Failed password for root from 218.49.183.17 port 40973 ssh2\nAug 1 18:36:21 knight sshd[20679]: Failed password for root from 218.49.183.17 port 41159 ssh2\nAug 1 18:36:24 knight sshd[20681]: Failed password for root from 218.49.183.17 port 41541 ssh2\nAug 1 18:36:27 knight sshd[20683]: Illegal user test from 218.49.183.17\nAug 1 18:36:28 knight sshd[20683]: Failed password for illegal user test from 218.49.183.17 port 41630 ssh\nAug 1 18:36:28 knight sshd[20683]: error: Could not get shadow information for NOUSERSo, I have been tracking this a bit. Stumbled onto a neat little episode Archived mail from Dshield:
[link|http://lists.sans.org/pipermail/list/2004-July/061219.html|(Dshield) SSH Scanner?]
Seems to be someone trying a new TACK on SSH compromises.