Need help with Restrict Network
Hello,
We have received a report of Malicious Activity originating from your Linode. This is most likely the result of a system compromise. If we have not heard from you within 24 hours, we may need to place network restrictions on your Linode to prevent further abuse.
In order to consider this resolved we will require the following from you:
Steps taken to prevent this activity from reoccurring
We're here to help provide guidance, but keep in mind that investigating this on your behalf is beyond the scope of our support, our Community Questions site can offer guidance in resolving this issue:
I've noticed some suspicious activity on my Linode, what do I do?
If you need additional assistance, you can always create your own post on our Community Questions site to get help from the Linode Community. If you determine that you are unable to resolve this issue yourself, we strongly suggest that you rebuild your Linode.
Please review the following update which will contain the original report we received. Once you've investigated and resolved this issue, please respond to this ticket.
Respectfully,
Richard S.
Linode Support Team
4 Replies
Hey there,
Since this is a public forum, I've removed the output that shows the IPs that are involved.
If network restrictions are placed on a Linode due to a Terms of Service violation, the issue would need to be investigated and resolved through that ticket in order for us to be able to remove the restrictions. We ask that you keep updating that ticket with your progress so we can work with you to get the situation resolved.
That said, I do want to help you out as best I can with some suggestions of how you can look into this.
If this is the result of a compromise, malware may have been placed on your Linode. A great way of finding it is by running a scan. There are some good utilities you can use, and my personal favorite is ClamAV, which is both free and thorough.
If you do find that your Linode has been compromised, we have another great guide that you can follow that will help you recover:
Recovering from a System Compromise
I'm going to again link the post that we gave in the ticket, because it's extremely thorough in the steps it gives you to use in troubleshooting situations like this:
I've noticed some suspicious activity on my Linode, what do I do?
If you run into any issues with the steps given in the above guides, let us know. This site is a great place to get help from the Linode Community members who may have run into similar situations before.
----------- SCAN SUMMARY -----------
Known viruses: 6953145
Engine version: 0.102.2
Scanned directories: 4
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 22.205 sec (0 m 22 s)
root@localhost:~#
Does it work brother?
Hello,
Since resolving this needs to be done via Support ticket, I recommend responding with your findings there. We're happy to help out as much as we can, but keeping the communication (especially when it comes to account-specifics) in one place will make everything a lot easier to resolve.
That said, I believe we have found the associated ticket, and you'll be getting a response soon.
I wanted to provide an additional update -
When you get a result such as that from ClamAV, where it only scans a small amount of directories/files, it typically means that you're scanning while the Linode is booted normally. The scan should be run in Rescue Mode.
When running a scan of this nature, it should be scanning thousands of files. You can see by your output that it scanned just 1.
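The reply above makes a point that is easy to miss when reading a ClamAV summary: a scan that touched only 1 file is not a clean result, it is an incomplete scan. The script below is an added example (it is not code from this thread, from Linode or from the ClamAV project) that does two things: from Rescue Mode it mounts the Linode's disk read-only and runs a recursive clamscan over the whole filesystem, and it parses the SCAN SUMMARY so that a scan with too few files is reported as "incomplete" rather than "clean". The device name /dev/sda, the mount point /media/sda and the MIN_FILES threshold of 1000 are assumptions for a typical single-disk Linode in Rescue Mode; the sample summary embedded at the bottom is constructed from the output posted in this thread.

```shell
#!/bin/sh
# Added example: full ClamAV scan from Linode Rescue Mode plus a sanity check
# on the SCAN SUMMARY. Assumptions: the Linode's disk is /dev/sda, it is
# mounted read-only at /media/sda, and a real Linux root filesystem has far
# more than MIN_FILES files (1000 is an arbitrary floor, adjust as needed).
DISK_DEV="${DISK_DEV:-/dev/sda}"
MOUNT_POINT="${MOUNT_POINT:-/media/sda}"
MIN_FILES="${MIN_FILES:-1000}"

# Read a ClamAV summary on stdin and print the "Scanned files: N" value,
# or -1 if the line is missing (a truncated or unexpected summary).
scanned_files_count() {
    awk -F': *' '/^Scanned files:/ { gsub(/[^0-9]/, "", $2); print $2; found = 1 }
                 END { if (!found) print "-1" }'
}

# Read a ClamAV summary on stdin and print the "Infected files: N" value
# (prints nothing if the line is missing).
infected_count() {
    awk -F': *' '/^Infected files:/ { gsub(/[^0-9]/, "", $2); print $2 }'
}

# Classify a summary read from stdin as one of:
#   incomplete - fewer than MIN_FILES scanned, so the result means nothing yet
#   infected   - a full scan that found at least one infected file
#   clean      - a full scan with no detections
classify_scan() {
    summary=$(cat)
    files=$(printf '%s\n' "$summary" | scanned_files_count)
    infected=$(printf '%s\n' "$summary" | infected_count)
    if [ "$files" -lt "$MIN_FILES" ]; then
        echo incomplete
    elif [ "${infected:-0}" -gt 0 ]; then
        echo infected
    else
        echo clean
    fi
}

# Run only from Rescue Mode: mount the disk read-only so the scan cannot
# modify evidence, refresh signatures, then scan everything recursively.
# clamscan exits 0 for no detections, 1 when something was found, 2 on error.
run_rescue_scan() {
    log=/tmp/clamscan-rescue.log
    mkdir -p "$MOUNT_POINT"
    mountpoint -q "$MOUNT_POINT" || mount -o ro "$DISK_DEV" "$MOUNT_POINT"
    freshclam
    rc=0
    clamscan -r -i --log="$log" "$MOUNT_POINT" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamscan reported an error; see $log" >&2
        return 2
    fi
    echo "scan verdict: $(sed -n '/SCAN SUMMARY/,$p' "$log" | classify_scan)"
    return "$rc"
}

# Constructed sample: the summary posted in this thread (only 1 file scanned).
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 6953145
Engine version: 0.102.2
Scanned directories: 4
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB'

# Demo on the sample: prints "incomplete", not "clean".
printf '%s\n' "$SAMPLE_SUMMARY" | classify_scan

# Pass --rescue to perform the real scan (only meaningful inside Rescue Mode).
if [ "${1:-}" = "--rescue" ]; then
    run_rescue_scan
fi
```

Run it once with no arguments to see how the posted summary is classified, then boot the Linode into Rescue Mode and run it with --rescue; a healthy run reports thousands of scanned files, and the verdict line tells you whether the scan actually covered the disk before you read anything into "Infected files: 0".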