I'm seeing traces of a massive and coordinated ssh dictionary attack. Talking on irc and checking usenet about it shows the same names being tried at the same time in the US, England and Japan, and mentioned IPs also showing up at other times on hosts. For example, from two hosts with adjacent IPs:Nov 26 14:52:16 idefix sshd[63866]: Illegal user cleopatra from 85.207.120.188 Nov 26 14:52:16 idefix sshd[63866]: Failed unknown for illegal user cleopatra from 85.207.120.188 port 55938 ssh2 Nov 26 14:52:16 web-3 sshd[63867]: Illegal user cleopatra from 85.207.120.188 Nov 26 14:52:16 web-3 sshd[63867]: Failed unknown for illegal user cleopatra from 85.207.120.188 port 55939 ssh2One funky botnet at work? Trying to find unix boxes for mischief?A web search yields more mention of the IP above at What is with the script kiddies tonight??.