ssh_exchange_identification: Connection closed by remote hostReinstalling helped, but only for so long. It turns out that I had a worm on my iPhone and that I was to blame, because my root password was still the default password.
Weird, because I make it a point to change them right away. But as it turns out, my last two firmware updates weren't restores but regular updates, and I jailbroke right away. My stupid self assumed that the passwords I had set were still the same, and not reset to the default ones. It turns out they were. Why did it take a while for me to notice since I regularly ssh into my iPhone? I use keyfiles, which I now hope weren't compromised.
Anyway, the guide is below, remove that worm and change your password. Also, it turns out there are variants of this worm in the wild, which require a different removal procedure, but now that you know it's a worm, using that keyword in your search should help you find the solution instantly.
Delete these files:
/ System / Library / LaunchDaemons / com.ikey.bbot.plist
/ bin / poc-bbot
Technical Information (Analysis)
Worm:iPhoneOS/Ikee.C is a worm that uses the default root password in SSH in order to spread among jail-broken iPhones. The worm also changes the affected machine's background image.
When run on an iPhone, this worm takes the following actions:
1. Attempts to set a file lock at /var/lock/bbot.lock in order to verify that only one copy of the worm runs at a time.
2. Attempts to copy the file /var/log/youcanbeclosertogod.jpg to /var/mobile/Library/LockBackground.jpg
3. Removes the /usr/sbin/sshd directory and stops the SSH daemon.
4. Attempts to spread using several hard-coded IP ranges.
When the worm infects a remote host, it does so by copying /bin/poc-bbot, /bin/sshpass and /var/log/youcanbeclosertogod.jpg from the local system to the remote system. It also copies /var/log/youcanbeclosertogod.jpg to /var/mobil/Library/LockBackground.jpg on the remote system.
The file /System/Library/LaunchDaemons/com.ikey.bbot.plist is also copied to the remote system and the following command is run:
"launchctl load /System/Library/LaunchDaemons/com.ikey.bbot.plist"
This command is used to load the worm remotely, and to add it to startup on reboot on the remote machine.
The worm then remotely stops the SSH daemon and deletes the automatic start on reboot option for the SSH service.