I'm seeing what appears to be SSH access attempts on our perimeter
firewall (running OpenBSD, naturally ;-), from the address range
122.212.220.112/28 that are targeting local systems. The addresses in this
range are apparently registered with host names of the form
-ssh-version-mapping-project.openssh.com, where represents the last
octet of the IP address. The only references to the "SSH version mapping
project" I can find via Google are a couple of dumps of port scanning statistics,
referencing the same address range. According to JPNIC (e.g.
http://whois.nic.ad.jp/cgi-bin/whois_gw), this address range is assigned to
"Open BSD Support Japan Inc." I found a reference to scanssh at
http://www.openssh.com/usage/index.html, but that says repeated attempts to
access a system won't be made, yet the traffic I'm seeing reveals multiple
connection attempts to the same local machines. I suspect the host names and
registration are bogus and the behavior malicious. Can anyone verify/refute
this?

Regards,
Mike
--
| Systems Specialist: CBE,MSE
Michael T. Davis (Mike) | Departmental Networking/Computing
http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
| 197 Watts, (614) 292-6928
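
An added example, not part of the original post: a forward-confirmed reverse DNS (FCrDNS) check over the 122.212.220.112/28 range, which tests whether each PTR name also resolves forward to the same address. The resolver hooks and the `example.net` host names in `demo()` are constructed for illustration; a match shows only that the forward and reverse zones agree, not who operates the hosts.

```python
import ipaddress
import socket

SCAN_RANGE = ipaddress.ip_network("122.212.220.112/28")  # range named in the post

def system_ptr(ip):
    """PTR lookup via the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (status, ptr_name); status is confirmed, unconfirmed or no-ptr."""
    name = ptr(ip)
    if not name:
        return "no-ptr", None
    # A PTR record is set by whoever controls the reverse zone of the address
    # block, so the name proves nothing unless the forward zone points back.
    addrs = {ipaddress.ip_address(a.split("%")[0]) for a in forward(name)}
    status = "confirmed" if ipaddress.ip_address(ip) in addrs else "unconfirmed"
    return status, name

def check_range(net=SCAN_RANGE, ptr=system_ptr, forward=system_forward):
    """Run the FCrDNS check for every address in the network."""
    return {str(ip): fcrdns(str(ip), ptr, forward) for ip in net}

def demo():
    """Offline run against constructed DNS data (hypothetical names)."""
    ptr_table = {"122.212.220.113": "scanner-a.example.net",
                 "122.212.220.114": "scanner-b.example.net"}
    fwd_table = {"scanner-a.example.net": {"122.212.220.113"},
                 "scanner-b.example.net": {"192.0.2.10"}}  # forward mismatch
    return check_range(ptr=ptr_table.get,
                       forward=lambda n: fwd_table.get(n, set()))

if __name__ == "__main__":
    for ip, (status, name) in demo().items():
        print(f"{ip:<16} {status:<12} {name or '-'}")
```

Calling `check_range()` with no arguments uses the system resolver against live DNS instead of the constructed tables.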