"All Hosts merged together" means that the numbers for every host at each
participating site have been added together. Individual pages for each host are
available under the "SSH HOSTS ATTACKS ALL PORTS" drop down menu. The same
is true for the other protocols being attacked.
 Slideshow may not present properly on some mobile devices. If this
is the case, please click "STOP", and you can manually progress through
 These hosts are apparently associated with a group known as "SSHPsycho"
(also known as the "Hee Thai campaign" or "Group 93"),
which Cisco and Level 3 have successfully blocked. For more details, please
 "Friends of SSHPsycho Login Attempts" are hosts that are using exactly the same
attack patterns as the hosts that Cisco has named "SSHPsycho". I have boiled down
the list at
http://longtail.it.marist.edu/honey/SSHPsycho.shtml into a list of hosts
that have attacked more than once with the same attack pattern.
 "Associates of SSHPsycho Login Attempts" are hosts that are using certain
passwords so far only seen from SSHPsycho, and have several large (and similar) attack patterns.
While these sites have not yet used the exact same pattern as an SSHPsycho
site, there are enough strong similarities to make them worth watching for
future developments. While there are other attacks coming from the same class C
subnets as these associates, LongTail is not yet including those attacks in the count
of attacks from "Associates of SSHPsycho".
Subnets 222.186.134 and 222.186.21 have been added to this list based on
similar accounts and passwords being tried from those subnets as from SSHPsycho,
as well as similar attack strategies of large attacks coming multiple times from
hosts in those subnets.
At this point this decision is based on "Feel", rather than on hard statistical evidence.
 The link "Today's Root Password" is a link to a text file containing a "password"
that changes daily. This is an attempt to see if any of the sites scanning for password
files "take the bait", and then actually use it. Since the password contains a date, I
can measure that against when the password was created, and how long it is until I see that
same password in LongTail's log files.
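
The bait-password measurement described above, as an added example that is not LongTail's own code. The bait format `LTbait-YYYY-MM-DD`, the log line layout and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

# Assumed bait format (hypothetical, not LongTail's real one):
# a fixed prefix followed by the ISO date on which the bait was published.
BAIT_RE = re.compile(r"^LTbait-(\d{4}-\d{2}-\d{2})$")

def make_bait(day):
    """Build the bait password published on the given day."""
    return "LTbait-" + day.isoformat()

def parse_line(line):
    """Assumed log layout: '<ISO timestamp> <src ip> <user> <password>'."""
    parts = line.rstrip("\n").split(" ", 3)  # password may itself contain spaces
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], parts[2], parts[3]

def bait_hits(lines):
    """Map each bait password to (first_seen, src_ip, lag_days) for its first use."""
    first = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, ip, _user, password = rec
        m = BAIT_RE.match(password)
        if not m:
            continue
        try:
            published = date.fromisoformat(m.group(1))
        except ValueError:
            continue  # looks like bait but the date is not a real calendar date
        if when.date() < published:
            continue  # tried before it was published: cannot have come from the bait file
        if password not in first or when < first[password][0]:
            first[password] = (when, ip, (when.date() - published).days)
    return first

# Constructed sample log lines (documentation-range addresses, not real attackers).
SAMPLE = [
    "2015-06-03T04:12:09 192.0.2.10 root 123456",
    "2015-06-05T11:30:00 198.51.100.7 root LTbait-2015-06-01",
    "2015-06-04T23:59:01 192.0.2.44 root LTbait-2015-06-01",
    "2015-06-02T08:00:00 203.0.113.5 root LTbait-2015-06-09",
    "garbage line",
]
```

The lag is counted in whole days because the bait carries only a date, so a bait first seen on its publication day reports a lag of 0.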
 I am calling the attackers coming from the class C networks 43.229.52*, 43.229.53*,
43.255.188*, and 43.255.189* "SSHPsycho-2". This is based on their extreme
similarities to SSHPsycho. Mainly:
An absolutely insane number of attacks coming from these IP addresses. (Just like SSHPsycho).
Their location in China/Hong Kong. (Just like SSHPsycho).
That they are only looking for root accounts (so far). (Just like SSHPsycho).
That their ssh client string is PUTTY. (Just like SSHPsycho).
That some of their "attack patterns" are exactly the same as SSHPsycho.
LongTail Copyright 2015 by Eric Wedaa, under GPLV2