The Avast test is also different from the unidentified … EDIT: I added a log of the whole attack to the first post
Mar 6 19:37:36 Turris_JB sshd[12973]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 19:37:36 Turris_JB sshd[12973]: Connection closed by 192.168.2.120 port 52663
Mar 6 19:38:11 Turris_JB sshd[13136]: Received disconnect from 192.168.2.120 port 52786:11: [preauth]
Mar 6 19:38:11 Turris_JB sshd[13136]: Disconnected from 192.168.2.120 port 52786 [preauth]
Mar 6 19:38:49 Turris_JB ATLAS[2427]: condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/v6addr.txt' exists
Mar 6 19:38:49 Turris_JB ATLAS[2427]: condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/simpleping' exists
Mar 6 20:39:05 Turris_JB dnsmasq-dhcp[4629]: DHCPINFORM(br-lan) 192.168.2.120 d8:bb:c1:ec:e9:06
Mar 6 20:39:05 Turris_JB dnsmasq-dhcp[4629]: DHCPACK(br-lan) 192.168.2.120 d8:bb:c1:ec:e9:06 Lenovo
Mar 6 19:39:13 Turris_JB sshd[13449]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 19:39:13 Turris_JB sshd[13449]: Connection closed by 192.168.2.120 port 52897
Mar 6 19:39:49 Turris_JB sshd[13603]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 19:39:49 Turris_JB sshd[13603]: Connection closed by fd05:952:23ca:0:355d:2ee6:c78d:d0de port 53704
Mar 6 19:40:01 Turris_JB crond[13660]: (root) CMD (/usr/bin/notifier)
Mar 6 19:40:01 Turris_JB crond[13659]: (root) CMDOUT (There is no message to send.)
Mar 6 19:40:01 Turris_JB crond[13659]: (root) CMDEND (/usr/bin/notifier)
Mar 6 19:40:25 Turris_JB sshd[13805]: Received disconnect from 192.168.2.120 port 54080:11: [preauth]
Mar 6 19:40:25 Turris_JB sshd[13805]: Disconnected from 192.168.2.120 port 54080 [preauth]