Security Breach on my Linode!!
There is a security breach noticed on our Linode. We have received an alert that says:
- adjc - (89567267) Change root password - [10204921] CentOS 7 Disk - Failed Tue, 03 Apr 2018 10:32:07 GMT
- adjc - (89567930) System Shutdown - Completed Tue, 03 Apr 2018 10:34:58 GMT
- adjc - (89568039) System Boot - My CentOS 7 Profile - Completed Tue, 03 Apr 2018 10:35:41 GMT
We ensure no one has the password or the authority to log in. How did an unexpected shutdown happen, and who/how/why was there a trial of changing the password? Please explain the reason and provide us with the RCA on an urgent basis!!! How can I trace the login at a specific time and trace it geographically to my Linode?
2 Replies
This is not an appropriate topic for a public forum. You should open a ticket - Linode will at least be able to tell you the IP address that was used to log in at the time coinciding with the scheduled jobs. Based on the order of operations here, it looks like they tried to change your root password from the Linode Manager - but failed because it was booted, then shut it down, then booted it again (it's weird that they didn't try to reset the root password again).
This is the community site, and is meant for general questions that the public community could chime in on. As such, this is not quite the right place for this issue, but if you open a support ticket, the Linode support staff would be happy to help further.
As for immediate actions, I would suggest that you reset your password and enable two-factor authentication, as these will deny access to any unwelcome guests and help secure your account going forward.
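The first reply reads the three job events as one sequence: a failed root password change followed by a shutdown and a boot. The sketch below is an added example, not part of the thread and not Linode tooling; it parses lines in the layout pasted in the question and returns the time window to quote in a support ticket or compare against account login history. The line layout is inferred only from those three lines, and the 15-minute window is a hypothetical value.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the three alert lines as pasted in the question.
SAMPLE = """\
- adjc - (89567267) Change root password - [10204921] CentOS 7 Disk - Failed Tue, 03 Apr 2018 10:32:07 GMT
- adjc - (89567930) System Shutdown - Completed Tue, 03 Apr 2018 10:34:58 GMT
- adjc - (89568039) System Boot - My CentOS 7 Profile - Completed Tue, 03 Apr 2018 10:35:41 GMT
"""

# Assumed layout, inferred only from those lines:
# "- <label> - (<job id>) <action> - <status> <RFC 1123 date>"
LINE = re.compile(
    r"^- (?P<label>\S+) - \((?P<job>\d+)\) (?P<action>.+) - "
    r"(?P<status>\w+) (?P<when>\w{3}, \d{2} \w{3} \d{4} [\d:]{8} GMT)$"
)

def parse_jobs(text):
    """Return job events sorted by time; lines that do not match are skipped."""
    jobs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            job = m.groupdict()
            job["when"] = parsedate_to_datetime(job["when"])  # timezone-aware UTC
            jobs.append(job)
    return sorted(jobs, key=lambda j: j["when"])

def reset_attempts(jobs, window=timedelta(minutes=15)):  # window: hypothetical value
    """Failed root password changes followed by shutdown/boot jobs within window."""
    findings = []
    for i, job in enumerate(jobs):
        if not (job["action"].startswith("Change root password")
                and job["status"] == "Failed"):
            continue
        followups = [
            j for j in jobs[i + 1:]
            if j["action"].startswith(("System Shutdown", "System Boot"))
            and j["when"] - job["when"] <= window
        ]
        if followups:
            findings.append({"start": job["when"], "end": followups[-1]["when"],
                             "jobs": [job["job"]] + [j["job"] for j in followups]})
    return findings

if __name__ == "__main__":
    for f in reset_attempts(parse_jobs(SAMPLE)):
        print(f["start"].isoformat(), "->", f["end"].isoformat(), f["jobs"])
```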