By: mbell

Strange connections outgoing SSH connections (to China!?) after startup/git install

August 26, 2013
I just started an Ubuntu 12 droplet, installed a private git server per the tutorial, did a netstat and got:

tcp 0 0 192.241.251.230:ssh :12683 ESTABLISHED
tcp 0 0 192.241.251.230:ssh 218.89.168.144:13254 ESTABLISHED
tcp 0 352 192.241.251.230:ssh **MYIP**.:2454 ESTABLISHED
tcp 0 0 192.241.251.230:ssh 218.89.168.144:10474 ESTABLISHED

219.89.168.144 is owned by CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center. What gives?
5 Answers
Is it a new droplet? Does anyone else have access to your droplet/digitalocean account/email account?
Brand new droplet. Account set up ~1 hour ago. Droplet < 30 mins old at this point. Nothing else done on the droplet except apt-get update; install git (per tutorial), set up a private git server (per tutorial), and a few pings and traceroutes.

I'm wondering if this is a virtualization problem (previous user). The SSH connections disappeared after a minute or two. Or possibly apt-get install git-core pulled down something from this IP address.
Could have been an incoming attack in progress. http://www.blocklist.de/fr/view.html?ip=218.89.168.144 reports the IP address as being used for SSH probes. Unfortunately I've no way to edit the typo in the title - it should have read "Strange SSH connections (to China) after startup/git install". It looks from the netstat that they were incoming.
It's a possible SSH attack attempt. You shouldn't worry about it -- just make sure you don't use a weak password :] (or not use passwords at all and set up SSH keys).
by Etel Sverdlov
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
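As an added example (not code from the thread or from DigitalOcean), a small Python parser that applies the rule behind the "they were incoming" observation to netstat output like the one in the question: when the local end of an ESTABLISHED row is the port sshd listens on, the remote side connected to us, and a remote host holding several such sessions at once is behaving like a probe. The sample rows, the 203.0.113.9 and 198.51.100.7 placeholder addresses, and the direction rule itself are assumptions made for this example.

```python
"""Classify established TCP sessions from netstat -tn style output.

Direction rule (an assumption, not something the thread states): a session whose
LOCAL port is one this host listens on (sshd on 'ssh'/22) was accepted by that
daemon and is INBOUND; any other established session is one this host opened.
"""
from collections import Counter

# Ports this host serves; 'ssh' appears because netstat resolves 22 by default.
LISTENING_PORTS = {"ssh", "22"}

# Constructed sample modelled on the netstat output quoted in the question.
# 192.241.251.230 and 218.89.168.144 are the addresses in the post; 203.0.113.9
# and 198.51.100.7 are documentation-range placeholders; **MYIP** is the
# poster's own placeholder for their client address.
SAMPLE_NETSTAT = """\
tcp 0 0 192.241.251.230:ssh 203.0.113.9:12683 ESTABLISHED
tcp 0 0 192.241.251.230:ssh 218.89.168.144:13254 ESTABLISHED
tcp 0 352 192.241.251.230:ssh **MYIP**:2454 ESTABLISHED
tcp 0 0 192.241.251.230:ssh 218.89.168.144:10474 ESTABLISHED
tcp 0 0 192.241.251.230:51234 198.51.100.7:http ESTABLISHED
"""

def split_endpoint(endpoint):
    """'218.89.168.144:13254' -> ('218.89.168.144', '13254'); rpartition keeps IPv6 intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def classify(netstat_text):
    """Return (direction, local_port, remote_host, remote_port) per ESTABLISHED tcp row."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "ESTABLISHED":
            continue  # skip headers, LISTEN sockets, udp and other states
        _, local_port = split_endpoint(fields[3])
        remote_host, remote_port = split_endpoint(fields[4])
        direction = "inbound" if local_port in LISTENING_PORTS else "outbound"
        rows.append((direction, local_port, remote_host, remote_port))
    return rows

def inbound_ssh_peers(netstat_text):
    """Count inbound SSH sessions per remote host; a peer holding several looks like probing."""
    return Counter(r[2] for r in classify(netstat_text) if r[0] == "inbound")

if __name__ == "__main__":
    for row in classify(SAMPLE_NETSTAT):
        print("%-8s local port %-6s remote %s:%s" % row)
    print("inbound SSH peers:", dict(inbound_ssh_peers(SAMPLE_NETSTAT)))
```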

I met the same problem; I don't know what that is.
lsof -i gives me:

sshd      26054       root    3u  IPv4 4317876      0t0  TCP atlas:ssh->126.30.65.218.broad.xy.jx.dynamic.163data.com.cn:58888 (ESTABLISHED)
sshd      26055       sshd    3u  IPv4 4317876      0t0  TCP atlas:ssh->126.30.65.218.broad.xy.jx.dynamic.163data.com.cn:58888 (ESTABLISHED)

Changed the root password for security.
