The attack tries a few thousand login/passwords, looking for weak accounts:
Aug 15 09:49:06 localhost sshd[11162]: Failed password for invalid user unicorn123 from ::ffff:202.222.28.85 port 55650 ssh2
Aug 15 09:49:07 localhost sshd[11164]: Invalid user a from ::ffff:202.222.28.85
Aug 15 09:49:10 localhost sshd[11164]: Failed password for invalid user a from ::ffff:202.222.28.85 port 56027 ssh2
Aug 15 09:49:11 localhost sshd[11166]: Invalid user unix from ::ffff:202.222.28.85
Aug 15 09:49:13 localhost sshd[11166]: Failed password for invalid user unix from ::ffff:202.222.28.85 port 56408 ssh2
Aug 15 09:49:14 localhost sshd[11168]: Invalid user unix123 from ::ffff:202.222.28.85
Aug 15 09:49:17 localhost sshd[11168]: Failed password for invalid user unix123 from ::ffff:202.222.28.85 port 56791 ssh2
Aug 15 09:49:18 localhost sshd[11170]: Invalid user a from ::ffff:202.222.28.85
Aug 15 09:49:20 localhost sshd[11170]: Failed password for invalid user a from ::ffff:202.222.28.85 port 57152 ssh2
Yadda yadda yadda. I've been seeing 5-10 attacks from new IPs per day, every one running through a list of accounts. This IP tried over 3,000 logins. 2-3 seconds apart. It seems to pick up new weak accounts from /etc/passwd on the machines it exploits, adding them to the list of new accounts to try. Most of the attacks seem to come from overseas.
You're fine as long as your passwords are strong, but it could pretty easily escalate to a denial of service if this keeps spreading.