So I received the following from my ISP. I received 4 other ones last week, and I believe that I have identified the machine. It's a desktop PC running Linux Mint. I'm okay with Linux, I've run a couple of headless servers before, and used Ubuntu as a daily driver for a couple years, but outside of tasks I needed to complete, my knowledge is not high. I can't find anything in any logs that indicates this activity, but I'll be honest, I don't even know how deep I'm looking. I also have no idea where I could have picked up a script like this either.
I'm likely gonna just nuke the machine, and get a new IP address from my ISP, but I'd like to try and isolate this first. My IP has been redacted, but everything is there otherwise. The previous failed attacks were all trying to breach German IPs, I can post those too if they would help.
A device using your connection attempted to access another network without authorization.
Apr 18 16:02:58 li352-240 sshd[2818468]: pam_unix(sshd:auth): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXX  user=root
Apr 18 16:03:00 li352-240 sshd[2818468]: Failed password for root from XXXXX port 51808 ssh2
Apr 18 16:03:01 li352-240 sshd[2818468]: Received disconnect from XXXXX port 51808:11: Bye Bye [preauth]
Apr 18 16:03:01 li352-240 sshd[2818468]: Disconnected from authenticating user root XXXXX port 51808 [preauth]
Apr 18 16:03:02 li352-240 sshd[2818491]: pam_unix(sshd:auth): authentication failure\; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXX  user=root..........
Posted 2 years ago