Assorted notes

[1] "All Hosts merged together" means that the counts from every host at each participating site have been added together. Individual pages for each host are available under the "SSH HOSTS ATTACKS ALL PORTS" drop-down menu. The same is true for the other protocols being attacked.

[2] Slideshow may not present properly on some mobile devices. If this is the case, please click "STOP", and you can manually progress through the slides.

[3] These hosts are apparently associated with a group known as "SSHPsycho" (also known as the "Hee Thai campaign" or "Group 93"), which Cisco and Level 3 have successfully blocked. For more details, please see

[4] "Friends of SSHPsycho Login Attempts" are hosts using the exact same attack patterns as the hosts that Cisco has named "SSHPsycho". I have boiled the list down to the hosts that have attacked more than once with the same attack pattern.

[5] "Associates of SSHPsycho Login Attempts" are hosts that are trying certain passwords so far seen only from SSHPsycho, and that have several large (and similar) attack patterns. While these hosts have not yet used the exact same pattern as an SSHPsycho host, there are enough strong similarities to make them worth watching for future developments. There are other attacks coming from the same class C subnets (/24s) as these associates, but LongTail does not yet include those attacks in the count of attacks from "Associates of SSHPsycho".

Subnets 222.186.134 and 222.186.21 have been added to this list because accounts and passwords similar to SSHPsycho's are being tried from those subnets, and because they show the same strategy of large attacks coming multiple times from hosts in those subnets. At this point the decision is based on "feel" rather than on hard statistical evidence.

[6] The link "Today's Root Password" points to a text file containing a "password" that changes daily. This is an attempt to see whether any of the sites scanning for password files "take the bait" and then actually use it. Since the password contains a date, I can measure how long it takes from when the password was created until I see that same password tried in LongTail's log files.
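The bait password described in note [6] is a honeytoken, and the interesting measurement is the delay between issuing it and seeing it tried. The following is an added example and not LongTail's own code: the page only says the password changes daily and contains a date, so the "LongTail-<date>-<tag>" layout, the keyed HMAC tag (so a scanner that has seen one bait file cannot mint plausible canaries for other dates, and a stray lookalike string in the logs is not mistaken for a hit), the secret, and the key=value log format are all assumptions.

```python
import hashlib
import hmac
import re
from datetime import date, datetime

# Constructed example, not LongTail's code. The page only says the bait
# "password" changes daily and contains a date; the "LongTail-<date>-<tag>"
# layout, the keyed tag, the secret and the log format below are assumptions.
CANARY_SECRET = b"example-secret-rotate-before-use"
CANARY_RE = re.compile(r"LongTail-(\d{8})-([0-9a-f]{8})")
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=\S+ password=(?P<pw>\S+)")


def _tag(stamp):
    # Keyed tag over the date: an attacker who saw one bait file cannot forge
    # a convincing canary for another date, and a random "LongTail-2015..."
    # string in the logs can be told apart from a genuine hit.
    return hmac.new(CANARY_SECRET, stamp.encode(), hashlib.sha256).hexdigest()[:8]


def make_canary(day):
    """Bait password for `day`: LongTail-YYYYMMDD-<8 hex chars of keyed tag>."""
    stamp = day.strftime("%Y%m%d")
    return f"LongTail-{stamp}-{_tag(stamp)}"


def canary_date(password):
    """Issue date of `password` if it is a genuine canary, otherwise None."""
    m = CANARY_RE.fullmatch(password)
    if not m:
        return None
    stamp, tag = m.groups()
    if not hmac.compare_digest(tag, _tag(stamp)):
        return None
    return datetime.strptime(stamp, "%Y%m%d").date()


def canary_hits(lines):
    """Return (host, issue_date, days_until_use) for every genuine canary tried in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        issued = canary_date(m["pw"])
        if issued is None:
            continue
        seen = datetime.fromisoformat(m["ts"]).date()
        hits.append((m["host"], issued, (seen - issued).days))
    return hits


# Constructed log lines: an ordinary guess, the canary issued 2015-06-01 tried
# six days later, and a forged canary carrying the right date but a wrong tag.
SAMPLE_LOG = [
    "2015-06-07T02:11:40 host=198.51.100.23 user=root password=123456 client=PuTTY",
    f"2015-06-07T02:11:43 host=198.51.100.23 user=root password={make_canary(date(2015, 6, 1))} client=PuTTY",
    "2015-06-07T02:11:45 host=198.51.100.23 user=root password=LongTail-20150601-deadbeef client=PuTTY",
]

if __name__ == "__main__":
    print("today's canary:", make_canary(date.today()))
    for host, issued, delay in canary_hits(SAMPLE_LOG):
        print(f"{host} tried the canary issued {issued} after {delay} day(s)")
```

Publishing the canary only in the bait file (never in a real account) keeps the signal clean: any login attempt with it proves the attacker read that file, and the date embedded in it gives the time-to-use without having to correlate against a separate record of when each day's file was written.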

[7] I am calling the attackers coming from the class C networks (/24s) 43.229.52.*, 43.229.53.*, 43.255.188.*, and 43.255.189.* "SSHPsycho-2". This is based on their extreme similarities to SSHPsycho, mainly:

  1. An absolutely insane number of attacks coming from these IP addresses (just like SSHPsycho).
  2. Their location in China/Hong Kong (just like SSHPsycho).
  3. That they are only looking for root accounts, so far (just like SSHPsycho).
  4. That their SSH client version string is PuTTY (just like SSHPsycho).
  5. That some of their "attack patterns" are exactly the same as SSHPsycho's.
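Notes [4] and [7] both rest on comparing "attack patterns", and note [7] adds per-host criteria on top. The following is an added example and not LongTail's own code: it treats a host's attack pattern as the ordered list of (user, password) pairs it tried and hashes that into a fingerprint, then applies the criteria above per host. The four /24s are the ones note [7] names; the log format, the attempt threshold, the invented SSHPsycho word list and the fingerprinting approach are assumptions, and the China/Hong Kong criterion, which needs a GeoIP lookup, is stood in for by membership in those /24s.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed example, not LongTail's code. The four /24s are the ones note [7]
# names; the log format, the attempt threshold and the idea of hashing each
# host's ordered (user, password) sequence into a pattern fingerprint are
# assumptions. The China/Hong Kong criterion needs a GeoIP lookup and is
# stood in for here by membership in those /24s.
SSHPSYCHO2_NETS = [ipaddress.ip_network(n) for n in
                   ("43.229.52.0/24", "43.229.53.0/24",
                    "43.255.188.0/24", "43.255.189.0/24")]
BIG_ATTACK = 4  # attempts from one host that count as "a lot" in this toy data
LOG_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"password=(?P<pw>\S+) client=(?P<client>\S+)")


def attempts_by_host(lines):
    """Group (user, password, client) attempts per source host, in arrival order."""
    per_host = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            per_host[m["host"]].append((m["user"], m["pw"], m["client"]))
    return per_host


def pattern_fingerprint(attempts):
    """Hash the ordered user:password sequence so hosts running the same list compare equal."""
    joined = "\n".join(f"{u}:{p}" for u, p, _ in attempts)
    return hashlib.sha256(joined.encode()).hexdigest()[:12]


def in_sshpsycho2_ranges(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in SSHPSYCHO2_NETS)


def classify(lines, known_patterns):
    """Label each host by note [7]'s criteria; known_patterns are fingerprints already attributed to SSHPsycho."""
    labels = {}
    for host, attempts in attempts_by_host(lines).items():
        fp = pattern_fingerprint(attempts)
        criteria = {
            "many_attacks": len(attempts) >= BIG_ATTACK,
            "in_ranges": in_sshpsycho2_ranges(host),
            "root_only": all(u == "root" for u, _, _ in attempts),
            "putty_client": all(c == "PuTTY" for _, _, c in attempts),
            "known_pattern": fp in known_patterns,
        }
        if all(criteria.values()):
            label = "SSHPsycho-2"
        elif criteria["known_pattern"]:
            label = "Friend of SSHPsycho"  # exact same pattern, as in note [4]
        else:
            label = "unclassified"
        labels[host] = (label, fp, criteria)
    return labels


# Constructed data. The SSHPsycho word list below is invented for the example.
SSHPSYCHO_LIST = [("root", "admin"), ("root", "123456"), ("root", "password"), ("root", "root")]
KNOWN_PATTERNS = {pattern_fingerprint([(u, p, "PuTTY") for u, p in SSHPSYCHO_LIST])}


def _lines(host, pairs, client):
    return [f"2015-06-07T02:11:4{i} host={host} user={u} password={p} client={client}"
            for i, (u, p) in enumerate(pairs)]


SAMPLE_LOG = (
    _lines("43.229.52.10", SSHPSYCHO_LIST, "PuTTY")        # inside the /24s, same list
    + _lines("203.0.113.7", SSHPSYCHO_LIST, "PuTTY")       # same list, from elsewhere
    + _lines("198.51.100.9", [("admin", "admin"), ("root", "toor")], "libssh")
)

if __name__ == "__main__":
    for host, (label, fp, crit) in classify(SAMPLE_LOG, KNOWN_PATTERNS).items():
        print(f"{host:15} {label:20} pattern={fp} {crit}")
```

Hashing the ordered sequence makes "exactly the same pattern" a cheap equality test across thousands of hosts, and keeping the per-criterion booleans in the result is what lets a host fall into the weaker "Friend" or "Associate" buckets instead of being silently dropped when only one criterion fails.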

LongTail Copyright 2015 by Eric Wedaa, under GPLV2