Example:
Jun 2 17:46:42 benjo sshd[17291]: Bad protocol version identification 'GET
http://www.sciencedirect.com/ HTTP/1.1' from ::ffff:202.207.192.30
The IP in this case seems to be in China.
As far as I can tell nothing is listening at www.sciencedirect.com:22. The
web site on port 80 at www.sciencedirect.com is a self-proclaimed "digital
library" of some sort.
But why would random IPs be requesting sciencedirect.com at my workstation
which has nothing to do with it? Even for a worm that doesn't make any
sense.