[CentOS] CentOS6 - Break in attempt? What is the Exploit?

Mon Sep 21 08:29:08 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

This morning's log review revealed this sshd log entry on one of our
web services hosts:

 Received disconnect:
    11: disconnected by user : 2 Time(s)
    3: com.jcraft.jsch.JSchException: reject HostKey: :
1 Time(s)

The IP address used is that of a public facing database query page for
our freight transit information. It is itself a virtual IP address
hosted on the system reporting the error.  In other words, if this
were a legitimate connection then the situation would be that of an
ssh client connecting to an sshd server running on the same host
albeit each using a different IP address.  In other words, the
hostkeys would be identical.

It seems to me that someone attempted an ssh connection while spoofing
our internal address.  Is such a thing even possible? If so then how
does it work?

What is com.jcraft.jsch?

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3