A *lot* of stuff is happening on tcp:22 ssh these days:
"There are multiple vulnerabilities in several implementations of the Secure Shell (SSH) protocol. While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break, for exposure to each of these vulnerabilities. The CERT/CC is still seeing active scanning and exploitation of vulnerabilities related to SSH."
snort2html.plx: Feb 23 09:18:06 - snort [1:0:0] TCP to 22 ssh Source IP: 126.96.36.199 Source port: 22 Source host: 188.8.131.52 Target IP: 184.108.40.206 Target port: 22 Proto: TCP Target host: 108.seattle-11-12rs.wa.dial-access.att.net =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ snort: 02/23-09:18:06.568113 220.127.116.11:22 -> 18.104.22.168:22 TCP TTL:118 TOS:0x0 ID:40935 IpLen:20 DgmLen:40 ******S* Seq: 0x3B05B5DD Ack: 0x5185E29A Win: 0xA7FB TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ ipchains: Feb 23 09:18:06 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 22.214.171.124:22 126.96.36.199:22 L=40 S=0x00 I=40935 F=0x0000 T=118 SYN (#64) =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ p0f: Sat Feb 23 09:18:06 2002 188.8.131.52: UNKNOWN [43003:118:0:0:-1:0:0:40]. 184.108.40.206:22 -> 220.127.116.11:22 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ host: [toot@sparky /storage/snort/old_snorts/022302]# host 18.104.22.168 Host 22.214.171.124.in-addr.arpa. not found: 3(NXDOMAIN) =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ whois: BW whois 2.9 by Bill Weinman (http://whois.bw.org/) © 1999-2001 William E. Weinman Request: 126.96.36.199 connecting to whois.arin.net [188.8.131.52:43] ... connecting to whois.ripe.net [184.108.40.206:43] ... % This is the RIPE Whois server. % The objects are in RPSL format. % Please visit http://www.ripe.net/rpsl for more information. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum: 220.127.116.11 - 18.104.22.168 netname: NO-LEIF-HOEGH-CO-NET descr: Leif Hoegh & Co country: NO admin-c: TM74-RIPE tech-c: TM74-RIPE source: RIPE route: 22.214.171.124/17 descr: Nextra, Postboks 393 - Skoyen, N-0212 Oslo, Norway origin: AS2119 source: RIPE person: Tore Mioen address: Leif Hoegh & Co AS address: Wergelandsveien 1 address: Postboks 2596, Solli address: N-0203 Oslo address: Norway phone: +47 22 86 99 10 fax-no: +47 22 86 99 03 e-mail: firstname.lastname@example.org nic-hdl: TM74-RIPE source: RIPE