A *lot* of stuff is happening on tcp:22 ssh these days:
"There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break, for exposure to each of these vulnerabilities. The CERT/CC is still seeing active scanning and exploitation of vulnerabilities related to SSH."
snort2html.plx: Feb 23 09:18:06 - snort [1:0:0] TCP to 22 ssh Source IP: 22.214.171.124 Source port: 22 Source host: 126.96.36.199 Target IP: 188.8.131.52 Target port: 22 Proto: TCP Target host: 108.seattle-11-12rs.wa.dial-access.att.net =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ snort: 02/23-09:18:06.568113 184.108.40.206:22 -> 220.127.116.11:22 TCP TTL:118 TOS:0x0 ID:40935 IpLen:20 DgmLen:40 ******S* Seq: 0x3B05B5DD Ack: 0x5185E29A Win: 0xA7FB TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ipchains: Feb 23 09:18:06 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 18.104.22.168:22 22.214.171.124:22 L=40 S=0x00 I=40935 F=0x0000 T=118 SYN (#64) =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ p0f: Sat Feb 23 09:18:06 2002 126.96.36.199: UNKNOWN [43003:118:0:0:-1:0:0:40]. 188.8.131.52:22 -> 184.108.40.206:22 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ host: [toot@sparky /storage/snort/old_snorts/022302]# host 220.127.116.11 Host 18.104.22.168.in-addr.arpa. not found: 3(NXDOMAIN) =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ whois: BW whois 2.9 by Bill Weinman (http://whois.bw.org/) © 1999-2001 William E. Weinman Request: 22.214.171.124 connecting to whois.arin.net [126.96.36.199:43] ... connecting to whois.ripe.net [188.8.131.52:43] ... % This is the RIPE Whois server. % The objects are in RPSL format. % Please visit http://www.ripe.net/rpsl for more information. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum: 184.108.40.206 - 220.127.116.11 netname: NO-LEIF-HOEGH-CO-NET descr: Leif Hoegh & Co country: NO admin-c: TM74-RIPE tech-c: TM74-RIPE source: RIPE route: 18.104.22.168/17 descr: Nextra, Postboks 393 - Skoyen, N-0212 Oslo, Norway origin: AS2119 source: RIPE person: Tore Mioen address: Leif Hoegh & Co AS address: Wergelandsveien 1 address: Postboks 2596, Solli address: N-0203 Oslo address: Norway phone: +47 22 86 99 10 fax-no: +47 22 86 99 03 e-mail: email@example.com nic-hdl: TM74-RIPE source: RIPE