unexpected outgoing ssh traffic on web-fsn-01

We've received an abuse report from Hetzner on october 26th about multiple ssh connections originating from our IP for web-fsn-01 towards different IPs in the same block

               DateTime  Action AttackClass         SourceIP Srcport Protocol   DestinationIP DestPort
0  25-Oct-2024 02:21:35  DENIED              116.202.120.165   54913      TCP   202.91.162.67       22
1  25-Oct-2024 03:22:39  DENIED              116.202.120.165   61047      TCP  202.91.175.213       22
2  25-Oct-2024 06:03:28  DENIED              116.202.120.165   48646      TCP   202.91.162.17       22
3  25-Oct-2024 13:37:29  DENIED              116.202.120.165   29542      TCP   202.91.163.40       22
4  25-Oct-2024 15:23:45  DENIED              116.202.120.165    9025      TCP  202.91.160.148       22
5  25-Oct-2024 16:55:49  DENIED              116.202.120.165   16277      TCP  202.91.175.143       22

anarcat says that there is indeed traffic for port 22 flowing out of port 22 from the VM. there should not be anything on that host that permits some kind of forwarding. we need to investigate what's happening