The last few weeks I have noticed some illicit ssh login attempts that uses parts of the reverse DNS domain name as user name when it tries to login. The last attempt looked like this in my LogWatch summary:
Illegal users from these:
18.104.22.168 (aquila.euroexpert.tvnet.hu): 9 times
root/password: 4 times
cenara/password: 2 times
ip-83-209-13-88/password: 2 times
ip-83-209-13-88.cenara.com/password: 1 time
As you can see, the secondary and tertiary domain name, along with the full domain name, was tried as user name when attempting to login. I guess that the attack script tries with a blank password and also with the same password as user name.