Strange connections outgoing SSH connections (to China!?) after startup/git install

August 26, 2013
I just started an Ubuntu 12 droplet, installed a private git server per the tutorial, did a netstat, and got:

tcp 0 0 :12683 ESTABLISHED
tcp 0 0 ESTABLISHED
tcp 0 352 **MYIP**.:2454 ESTABLISHED
tcp 0 0 ESTABLISHED

is owned by CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center

What gives?
4 Answers
Is it a new droplet? Does anyone else have access to your droplet/digitalocean account/email account?
Brand new droplet. Account set up ~1 hour ago. droplet < 30 mins old at this point. Nothing else done on droplet except apt-get update; install git (per tutorial) and set up private git server (per tutorial) and a few pings and traceroutes.

I'm wondering if this is a virtualization problem (previous user). The SSH connections disappeared after a minute or two. Or possibly apt-get install git-core pulled down something from this IP address.
Could have been an incoming attack in progress. http://www.blocklist.de/fr/view.html?ip= reports the IP address as being used for SSH probes.
Unfortunately I've no way to edit the typo in the title - it should have read "Strange SSH connections (to China) after startup/git install". It looks from the netstat that they were incoming.
It's a possible SSH attack attempt. You shouldn't worry about it -- just make sure you don't use a weak password :] (or not use passwords at all and set up SSH keys).
by Etel Sverdlov
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
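The thread concludes from the netstat output that the connections were incoming rather than outgoing. As an added example (not part of the original thread), the shell functions below label each established connection in `netstat -tn` output by whether the SSH port sits on the local or the remote side; the function names are hypothetical, the sample rows are constructed with documentation addresses, and sshd is assumed to listen on port 22 unless another port is passed.

```shell
#!/bin/sh
# Constructed sample of `netstat -tn` output (RFC 5737 documentation addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:22         198.51.100.7:12683      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:12690      ESTABLISHED
tcp        0    352 203.0.113.10:22         192.0.2.44:2454         ESTABLISHED
tcp        0      0 203.0.113.10:48122      192.0.2.80:22           ESTABLISHED
tcp        0      0 203.0.113.10:51514      192.0.2.90:80           TIME_WAIT
EOF
}

# classify_ssh [port]: label each ESTABLISHED TCP row read from stdin.
# Prints: DIRECTION remote_addr local_port remote_port
classify_ssh() {
    awk -v port="${1:-22}" '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        # Strip up to the last colon, so IPv6 addresses also parse.
        lport = $4; sub(/^.*:/, "", lport)
        rport = $5; sub(/^.*:/, "", rport)
        raddr = $5; sub(/:[^:]*$/, "", raddr)
        if (lport == port)      dir = "INBOUND"   # peer reached the local sshd
        else if (rport == port) dir = "OUTBOUND"  # this host reached a remote sshd
        else                    dir = "OTHER"
        print dir, raddr, lport, rport
    }'
}

# inbound_peers [port]: count inbound SSH connections per remote address,
# busiest first; several from one unfamiliar address may indicate probing.
inbound_peers() {
    classify_ssh "$@" |
        awk '$1 == "INBOUND" { n[$2]++ } END { for (a in n) print n[a], a }' |
        sort -rn
}

# On a live host: netstat -tn | classify_ssh
sample_netstat | classify_ssh
sample_netstat | inbound_peers
```

A row whose local port is the SSH port is a remote client connected to this server's sshd; only a row whose remote port is the SSH port is a connection this server opened.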