unexpected outgoing ssh traffic on web-fsn-01
We've received an abuse report from Hetzner on October 26th about multiple ssh connections originating from our IP for web-fsn-01 towards different IPs in the same block:
   DateTime              Action  AttackClass  SourceIP         Srcport  Protocol  DestinationIP   DestPort
0  25-Oct-2024 02:21:35  DENIED               116.202.120.165  54913    TCP       202.91.162.67   22
1  25-Oct-2024 03:22:39  DENIED               116.202.120.165  61047    TCP       202.91.175.213  22
2  25-Oct-2024 06:03:28  DENIED               116.202.120.165  48646    TCP       202.91.162.17   22
3  25-Oct-2024 13:37:29  DENIED               116.202.120.165  29542    TCP       202.91.163.40   22
4  25-Oct-2024 15:23:45  DENIED               116.202.120.165  9025     TCP       202.91.160.148  22
5  25-Oct-2024 16:55:49  DENIED               116.202.120.165  16277    TCP       202.91.175.143  22
anarcat says that there is indeed traffic for port 22 flowing out of port 22 from the VM. There should not be anything on that host that permits some kind of forwarding. We need to investigate what's happening.
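
A triage sketch for the report above, added here and not part of the original ticket: it parses the report rows, computes the smallest CIDR block covering all destinations, and lists source ports outside the Linux default ephemeral range. The function names are illustrative, and the range 32768-60999 is an assumption about the host's `net.ipv4.ip_local_port_range` setting.

```python
import ipaddress
from datetime import datetime

# Rows copied from the abuse report in this ticket (AttackClass is empty in each).
REPORT = """\
0 25-Oct-2024 02:21:35 DENIED 116.202.120.165 54913 TCP 202.91.162.67 22
1 25-Oct-2024 03:22:39 DENIED 116.202.120.165 61047 TCP 202.91.175.213 22
2 25-Oct-2024 06:03:28 DENIED 116.202.120.165 48646 TCP 202.91.162.17 22
3 25-Oct-2024 13:37:29 DENIED 116.202.120.165 29542 TCP 202.91.163.40 22
4 25-Oct-2024 15:23:45 DENIED 116.202.120.165 9025 TCP 202.91.160.148 22
5 25-Oct-2024 16:55:49 DENIED 116.202.120.165 16277 TCP 202.91.175.143 22
"""

# Assumption: the host keeps the Linux default net.ipv4.ip_local_port_range.
EPHEMERAL = range(32768, 61000)

def parse(report):
    """Turn report rows into dicts; lines without exactly 9 fields are skipped."""
    rows = []
    for line in report.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        rows.append({
            "time": datetime.strptime(f"{f[1]} {f[2]}", "%d-%b-%Y %H:%M:%S"),
            "src": ipaddress.ip_address(f[4]),
            "sport": int(f[5]),
            "dst": ipaddress.ip_address(f[7]),
            "dport": int(f[8]),
        })
    return rows

def common_block(addrs):
    """Smallest single CIDR block that contains every address in addrs."""
    net = ipaddress.ip_network(f"{min(addrs)}/32")
    while max(addrs) not in net:
        net = net.supernet()
    return net

def summarize(rows):
    times = [r["time"] for r in rows]
    return {
        "sources": sorted({str(r["src"]) for r in rows}),
        "dports": sorted({r["dport"] for r in rows}),
        "dst_block": str(common_block([r["dst"] for r in rows])),
        # Source ports a default Linux stack would not auto-assign to a client socket.
        "odd_sports": [r["sport"] for r in rows if r["sport"] not in EPHEMERAL],
        "span_hours": round((max(times) - min(times)).total_seconds() / 3600, 1),
    }
```

`summarize(parse(REPORT))` returns the summary as a dict. Source ports listed in `odd_sports` are a lead to compare against the host's actual port-range setting, not a conclusion.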