ToS Violation - Suspected Botnet Activity. How do i do?

Hi community,

I received a ticket ToS Violation - Suspected Botet Activity on my node. Can some one please help to fix it?

Below is the message i received

time in UTC)=2020-09-07T04:43:36 (attacker's IP)=66.228.40.192 (IP being scanned)=185^164^137^31 (TCP port being scanned)=201
(time in UTC)=2020-09-07T04:48:39 (attacker's IP)=66.228.40.192 (IP being scanned)=199^188^100^70 (TCP port being scanned)=6833
(time in UTC)=2020-09-07T04:48:48 (attacker's IP)=66.228.40.192 (IP being scanned)=219^91^60^59 (TCP port being scanned)=808
(time in UTC)=2020-09-07T04:50:25 (attacker's IP)=66.228.40.192 (IP being scanned)=45^138^96^240 (TCP port being scanned)=2065
(time in UTC)=2020-09-07T04:52:33 (attacker's IP)=66.228.40.192 (IP being scanned)=91^208^184^50 (TCP port being scanned)=4331

1 Reply

Hey @administratornjangui - often times, unexpected activity like this usually can mean that your Linode has been compromised. The traffic you're seeing above is showing logs of port scanning originating from your Linode server.

The good news is that there are some steps you can take to look into the issue and potentially recover from the compromise. I'm including some links below that should help you get started with your investigation.

From our docs & guides, this tutorial includes steps to rebuild your server: Recovering from a System Compromise

Also from our docs, this guide shows you how to restore from a backup. If you have a backup from before the compromise, this is a great way to go: The Linode Backup Service: Restore from a Backup

From our Community site, this post discusses how to start your investigation: I've noticed some suspicious activity on my Linode, what do I do?

This Community post also discusses how to move forward if your Linode has network restrictions enabled: How do I fix a Linode with network restrictions in place

After you've finished your investigation and have mitigated the issue, I'd recommend going through some of the steps in our Securing Your Server guide, including limiting root access, setting up public key authentication, and removing unnecessary network services: Securing Your Server

I know that server compromises can be daunting, but I hope this helps. If your ticket is still open, remember to let our Support team know that you're looking into the issue.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct