Blog | G5 Cyber Security

Threat Spotlight: SSHPsychos

Talos has been monitoring a persistent threat known as SSHPsychos or Group 93. Two class C networks have been generating unequalled amounts of SSH login attempts to every host that is listening. Talos and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected. The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. After login is achieved, a wget request is sent outbound for a single file which has been identified as a DDoS rootkit.
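The behavior described above can be looked for in sshd authentication logs. The following added example, which is not from the Talos post, counts failed root password attempts per source address in 103.41.124.0/23 and flags any accepted root login from that range; the function name `analyze`, the sample log lines and the standard OpenSSH message format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Netblock named in the post as the source of the brute-force traffic.
SSHPSYCHOS_NET = ipaddress.ip_network("103.41.124.0/23")

# OpenSSH auth-log messages for password authentication results (assumed format).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def analyze(lines, net=SSHPSYCHOS_NET):
    """Return (failed root attempts per IP in net, accepted root logins from net)."""
    failed, accepted = Counter(), []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m["user"] != "root":
            continue  # the post describes guesses against root only
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # regex matched digits that are not a valid address
        if ip not in net:
            continue
        if m["result"] == "Failed":
            failed[str(ip)] += 1
        else:
            accepted.append(str(ip))  # root login succeeded: investigate the host
    return failed, accepted

# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = """\
Apr  9 03:12:01 web1 sshd[2101]: Failed password for root from 103.41.124.17 port 40112 ssh2
Apr  9 03:12:03 web1 sshd[2103]: Failed password for root from 103.41.124.17 port 40120 ssh2
Apr  9 03:12:04 web1 sshd[2105]: Failed password for root from 103.41.125.9 port 51822 ssh2
Apr  9 03:12:06 web1 sshd[2107]: Failed password for invalid user admin from 103.41.124.17 port 40131 ssh2
Apr  9 03:12:09 web1 sshd[2109]: Failed password for root from 198.51.100.7 port 33210 ssh2
Apr  9 03:14:40 web1 sshd[2140]: Accepted password for root from 103.41.125.9 port 51990 ssh2
""".splitlines()

if __name__ == "__main__":
    failed, accepted = analyze(SAMPLE_LOG)
    for ip, n in failed.most_common():
        print(f"{ip}: {n} failed root password attempts")
    for ip in accepted:
        print(f"ALERT: root login accepted from {ip}")
```

An accepted root login from this range is the point at which the post says the outbound wget request follows, so it warrants checking the host for the downloaded file.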

Source: https://blog.talosintelligence.com/2015/04/threat-spotlight-sshpsychos.html
