Question

Strange outgoing SSH connections (to China!?) after startup/git install

  • Posted on August 26, 2013
  • Asked by mbell

I just started an Ubuntu 12 droplet, installed a private git server per the tutorial, did a netstat and got:

tcp 0 0 192.241.251.230:ssh :12683 ESTABLISHED
tcp 0 0 192.241.251.230:ssh 218.89.168.144:13254 ESTABLISHED
tcp 0 352 192.241.251.230:ssh MYIP.:2454 ESTABLISHED
tcp 0 0 192.241.251.230:ssh 218.89.168.144:10474 ESTABLISHED

219.89.168.144 is owned by CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center

What gives?

I am also an attorney and will report this data breach to the proper authorities if necessary. I have taken reasonable security measures on my end. Please explain how an established connection translates to attempted brute force and not successful attacks.

I am seeing the same issues. I am a professional full-time pen tester. This absolutely cannot happen on my system! I have researched the IPs and some are malicious. It also says the connections are established, and an established connection sounds like a successful attack. Despite editing my config file to only allow SSH connections from designated IP addresses and killing processes by PID, the connections still reappear and are still there. I have maldetect and ESOT; neither detects malware on the system, and I do not see any strange files. I have changed my password from an already complex password to an even longer one, yet established connections persist. I need clarification as soon as possible. It would be a huge pain to switch my entire setup over to AWS or other competitors, and I would rather not do this, but I will pay more money for better security.

I ran into the same problem; I don't know what that is. lsof -i gives me:

sshd      26054       root    3u  IPv4 4317876      0t0  TCP atlas:ssh->126.30.65.218.broad.xy.jx.dynamic.163data.com.cn:58888 (ESTABLISHED)
sshd      26055       sshd    3u  IPv4 4317876      0t0  TCP atlas:ssh->126.30.65.218.broad.xy.jx.dynamic.163data.com.cn:58888 (ESTABLISHED)

Changed root password for security.
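The question's netstat output and the lsof output in the last comment both show the same thing: an ESTABLISHED TCP connection to sshd, which only proves the three-way handshake completed, not that anyone authenticated. The lsof pair above is OpenSSH's privilege-separation layout: the root process is the monitor, and the second child running as the unprivileged `sshd` user is the pre-authentication network process; once a login succeeds that child is replaced by one running as the logged-in user. The script below is an added example (not code from the thread or from DigitalOcean) that applies this check: it parses `lsof -n -i` style lines, decides per remote endpoint whether an unprivileged pre-auth child or an authenticated user is attached, and cross-references `/var/log/auth.log` for `Accepted`/`Failed` lines from the same source. All three samples are constructed; the remote addresses are the ones quoted in the thread, while PIDs, usernames, timestamps and the TEST-NET address 203.0.113.7 (standing in for the asker's "MYIP") are invented.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `lsof -n -i` (numeric hosts; the comment above
# omitted -n, which is why it shows a reverse-DNS name instead of an address).
LSOF_SAMPLE = """\
sshd  26054  root   3u  IPv4 4317876  0t0  TCP 192.241.251.230:ssh->218.89.168.144:13254 (ESTABLISHED)
sshd  26055  sshd   3u  IPv4 4317876  0t0  TCP 192.241.251.230:ssh->218.89.168.144:13254 (ESTABLISHED)
sshd  26060  root   3u  IPv4 4317901  0t0  TCP 192.241.251.230:ssh->218.89.168.144:10474 (ESTABLISHED)
sshd  26061  sshd   3u  IPv4 4317901  0t0  TCP 192.241.251.230:ssh->218.89.168.144:10474 (ESTABLISHED)
sshd  26100  root   3u  IPv4 4318000  0t0  TCP 192.241.251.230:ssh->203.0.113.7:2454 (ESTABLISHED)
sshd  26101  alice  3u  IPv4 4318000  0t0  TCP 192.241.251.230:ssh->203.0.113.7:2454 (ESTABLISHED)
"""

# Constructed auth.log excerpt in OpenSSH's syslog format.
AUTH_LOG_SAMPLE = """\
Aug 26 10:01:02 atlas sshd[26054]: Failed password for root from 218.89.168.144 port 13254 ssh2
Aug 26 10:01:05 atlas sshd[26054]: Failed password for root from 218.89.168.144 port 13254 ssh2
Aug 26 10:01:09 atlas sshd[26060]: Failed password for invalid user admin from 218.89.168.144 port 10474 ssh2
Aug 26 10:02:10 atlas sshd[26100]: Accepted publickey for alice from 203.0.113.7 port 2454 ssh2
"""

LSOF_RE = re.compile(
    r"^sshd\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"\S+->(?P<remote>\S+)\s+\((?P<state>\w+)\)"
)
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_lsof(text):
    """Return (remote_host, remote_port, pid, user) for every ESTABLISHED sshd socket."""
    rows = []
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if not m or m.group("state") != "ESTABLISHED":
            continue
        host, _, port = m.group("remote").rpartition(":")  # rpartition keeps IPv6 colons intact
        rows.append((host, port, int(m.group("pid")), m.group("user")))
    return rows


def classify_connections(lsof_text):
    """Per remote endpoint, decide from the privsep children whether a login has completed."""
    by_endpoint = defaultdict(set)
    for host, port, _pid, user in parse_lsof(lsof_text):
        by_endpoint[(host, port)].add(user)
    verdicts = {}
    for endpoint, users in by_endpoint.items():
        logged_in = sorted(users - {"root", "sshd"})
        if logged_in:
            verdicts[endpoint] = "authenticated as " + ",".join(logged_in)
        elif "sshd" in users:
            # Unprivileged pre-auth child still attached: no credential has been accepted yet.
            verdicts[endpoint] = "pre-auth"
        else:
            # Only root processes: either a root login (post-auth child is also root)
            # or privilege separation is off; the auth log has to decide.
            verdicts[endpoint] = "no privsep child"
    return verdicts


def parse_auth_log(text):
    """Count Accepted/Failed auth events keyed by (source ip, source port)."""
    counts = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("port"))][m.group("result").lower()] += 1
    return counts


def report(lsof_text, auth_text):
    """Join socket state with the auth log: (endpoint, verdict, accepted, failed) per connection."""
    verdicts = classify_connections(lsof_text)
    log = parse_auth_log(auth_text)
    rows = []
    for (host, port), verdict in sorted(verdicts.items()):
        c = log.get((host, port), {"accepted": 0, "failed": 0})
        rows.append((f"{host}:{port}", verdict, c["accepted"], c["failed"]))
    return rows


if __name__ == "__main__":
    for row in report(LSOF_SAMPLE, AUTH_LOG_SAMPLE):
        print("%-22s %-24s accepted=%d failed=%d" % row)
```

Run against the constructed samples, the two 218.89.168.144 connections come out as pre-auth with only failed attempts logged, while the 203.0.113.7 session is authenticated as alice with a matching Accepted line. On a real host, feed it `lsof -n -i -a -c sshd` and the current auth.log; the line to act on is any endpoint reported as authenticated, or any Accepted entry, from a source you do not recognise, which the thread's posters never found.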