Finding the cause of malicious activity
I have just inherited this server, so I am not familiar with all the sites hosted on it or with Linode in general.
How should I find the source of this activity? Where do I start?
2 Replies
You can check the output of ps aux to see if there's anything odd-looking running. As for the sites, that really depends on what they are; if they're open source (i.e. WordPress etc.), make sure they're up to date. If they're not, that could be the cause.
Either way, you're going to have to replace the server if it is doing something malicious. Once compromised, the only safe way to fix the problem is to start fresh (and, of course, patch whatever allowed the server to be compromised in the first place).
#!/bin/sh
# Quick scan of the system logs for failed or invalid SSH logins.
A="/var/log"
# Generic syslog (some distributions log sshd here)
test -f "$A/messages" && (grep --text ssh "$A/messages" | grep --text -i invalid)
test -f "$A/messages" && (grep --text ssh "$A/messages" | grep --text -i fail)
test -f "$A/messages" && (grep --text ssh "$A/messages" | grep --text -i error)
# Debian/Ubuntu auth log, including rotated copies (auth.log.1, auth.log.2.gz ...)
test -f "$A/auth.log" && (grep --text -i fail "$A"/auth.log*)
test -f "$A/auth.log" && (grep --text -i "Did not receive identification string from" "$A"/auth.log*)
# RHEL/CentOS auth log; drop lines mentioning the admin's own home directory
test -f "$A/secure" && (grep --text -i fail "$A/secure" | grep --text -v /home/diltonm)
I'd thought one day I might clean up that output and merge it with a git approach to detect differences and email them to me automatically; I might still do that.
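To turn the raw grep output from a script like the one above into something that can be diffed and mailed daily, here is an added example (not from the original reply or from Linode) that tallies failed SSH password attempts per source address. The log lines are constructed samples in OpenSSH's syslog format, and only IPv4 source addresses are handled.

```shell
#!/bin/sh
# Added example: summarise 'Failed password' lines from auth.log-style input
# per source address, so repeated failures from one host stand out instead of
# being buried in hundreds of raw grep matches.
# SAMPLE_LOG is a constructed sample; in practice feed it the real auth.log.

SAMPLE_LOG="Mar  3 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[2202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:11 web1 sshd[2204]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
Mar  3 10:02:30 web1 sshd[2205]: Did not receive identification string from 203.0.113.5 port 51300
Mar  3 10:03:00 web1 sshd[2206]: Failed password for invalid user oracle from 203.0.113.5 port 51301 ssh2"

# failed_by_source: read log lines on stdin, print "count ip" for every IPv4
# source address that produced a 'Failed password' line, highest count first.
failed_by_source() {
    grep --text 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# failed_count: total failed-password attempts from one address (0 if none).
# Usage: printf '%s\n' "$SAMPLE_LOG" | failed_count 203.0.113.5
failed_count() {
    failed_by_source |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# report: only addresses at or above the threshold; these are the candidates
# for a firewall block or fail2ban jail, the rest is background noise.
report() {
    threshold="${1:-3}"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2, "failed", $1, "times" }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | report 3
```

Piping yesterday's and today's report into diff, or committing it to git as the reply above suggests, gives the automatic change notification without re-reading the whole log.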