'show users' lists unknown usernames!!

snickered
Level 1

I was doing my thing and lost connection in one terminal so I did a 'show users' to clear the line I just dropped. What I saw was very scary:

Router#sh run | i user
username user1 privilege 15 secret 5
username user2 privilege 15 secret 5
username user3 privilege 15 secret 5

Router#sh users
    Line       User        Host(s)    Idle       Location
   2 vty 0     leroy123    idle       00:00:03   118.85.105.34
   4 vty 2     a           idle       00:00:03   118.85.105.34
*  6 vty 4     user1       idle       00:00:00   mybox.domain.com

  Interface    User        Mode       Idle       Peer Address
  Se1/0                    Sync PPP   00:00:00   192.168.57.2

Router#sh users
    Line       User        Host(s)    Idle       Location
   2 vty 0     a           idle       00:00:02   118.85.105.34
   3 vty 1     maggot      idle       00:00:02   118.85.105.34
*  6 vty 4     user1       idle       00:00:00   mybox.domain.com

  Interface    User        Mode       Idle       Peer Address
  Se1/0                    Sync PPP   00:00:00   192.168.57.2

Router#sh users
    Line       User        Host(s)    Idle       Location
   2 vty 0     a           idle       00:00:02   118.85.105.34
   3 vty 1     maggot123   idle       00:00:02   118.85.105.34
*  6 vty 4     user1       idle       00:00:00   mybox.domain.com

  Interface    User        Mode       Idle       Peer Address
  Se1/0                    Sync PPP   00:00:00   192.168.57.2

Router#sh users
    Line       User        Host(s)    Idle       Location
   2 vty 0     a           idle       00:00:03   118.85.105.34
   3 vty 1     a           idle       00:00:03   118.85.105.34
*  6 vty 4     user1       idle       00:00:00   mybox.domain.com

  Interface    User        Mode       Idle       Peer Address
  Se1/0                    Sync PPP   00:00:00   192.168.57.2

As you can see, the usernames change frequently. I don't have any kind of external authentication, only local usernames. The IP address is from APNIC and I don't have any associations with anyone in China. What in the world is going on?

EDIT: Well, I scared myself. Looks like it was just an SSH brute-force attack. They stopped when I added an access-list to block them.


bnidacoc
Level 1

I don't know where you applied your ACLs, but you might want to ensure you have ACLs on your VTY lines and on your SNMP RO/RW access.
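The VTY and SNMP access lists the reply recommends, written out as an added IOS example alongside the open configuration the original post implies; this is not configuration from either poster. The ACL names MGMT-IN and SNMP-RO, the 192.0.2.0/24 management range and the MYCOMMUNITY string are placeholders to be replaced with your own values.

```cisco
! Open state implied by the original post: local users, VTY reachable from
! any source, any transport. Shown only for contrast with the hardened form.
line vty 0 4
 login local
 transport input all
!
! Hardened form (added example; ACL names and 192.0.2.0/24 are assumed).
! 1. Permit management sessions only from the assumed admin network and
!    log everything else, so blocked attempts still leave a trace.
ip access-list standard MGMT-IN
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! 2. Apply the ACL inbound on every VTY line and accept SSH only.
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 10 0
 login local
!
! 3. Throttle repeated failures and send login events to syslog, so a
!    brute force is visible without having to catch it in 'show users'.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! 4. Cap authentication retries per SSH session and drop idle negotiations.
ip ssh authentication-retries 3
ip ssh time-out 60
!
! 5. The reply's second point: bind the read-only SNMP community to an ACL
!    so it is only answerable from the same management range.
ip access-list standard SNMP-RO
 permit 192.0.2.0 0.0.0.255
 deny   any log
snmp-server community MYCOMMUNITY RO SNMP-RO
```

Afterwards, 'show access-lists MGMT-IN' shows hit counts on the deny entry for sources that were turned away, and 'show login' reports whether the device is currently in quiet mode after a burst of failures.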