Hacked??!?!?!

I don't know what prompted me to look at my graphs this morning, but I saw something extremely unusual. I noticed that all three were a lot higher than usual, and the network outbound was at about 700 k/s for the past few HOURS. The first thought I had was that I was hacked. I ran a rootkit check and checked what I know how to check in the logs, but still really don't know what it could be. SSH does not allow root logins and there is a basic iptables firewall set up, soon to add a "brute force blocker". I shut down the server for an hour or so and fired it back up, and all looked normal for a few hours until the CPU and IO went a little higher than normal. The network was 0.

What do my plots indicate may have happened?

![CPU plot](http://www.eld101.com/cpuplot.png)

![Network plot](http://www.eld101.com/networkplot.png)

![IO plot](http://www.eld101.com/ioplot.png)

Any suggestions for logs or other places/things to check?

Thanks for the help… I am a n00b!

3 Replies

Figure out what exactly is using the network…

Use a tool like iftop to figure out what ports the traffic is going over. Then use netstat to figure out what processes are running on those ports. top should tell you what's on the cpu pretty easily.
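The port-to-process step in the reply above is worth seeing by hand, because it is exactly what `netstat -p` and `ss -p` do under the hood: read `/proc/net/tcp` (every TCP socket as hex `IP:PORT` pairs plus a socket inode), then find the `/proc/<pid>/fd/*` symlink that reads `socket:[inode]`. The script below is an added example, not code from this thread; the `/proc` snapshot it reads is constructed so it runs offline, and the PID 4242, inode numbers and addresses in it are made up. Run `socket_owners` with no arguments on a real Linux host (as root, so every process's `fd` directory is readable) to see the live table.

```shell
#!/bin/sh
# Added example: map TCP sockets to owning PIDs the way netstat -p / ss -p do.
# Needs only POSIX sh + coreutils (readlink, cut, tail).

# "0100007F:0016" -> "127.0.0.1:22"; /proc/net/tcp stores IPv4 bytes little-endian.
hex_to_ipport() {
    ip=${1%%:*}; port=${1##*:}
    printf '%d.%d.%d.%d:%d' \
        "0x$(echo "$ip" | cut -c7-8)" "0x$(echo "$ip" | cut -c5-6)" \
        "0x$(echo "$ip" | cut -c3-4)" "0x$(echo "$ip" | cut -c1-2)" "0x$port"
}

# Kernel TCP state codes (column "st"); the ones you meet most often.
tcp_state_name() {
    case $1 in
        01) echo ESTABLISHED ;; 06) echo TIME_WAIT ;; 08) echo CLOSE_WAIT ;;
        0A) echo LISTEN ;;      *)  echo "ST_$1" ;;
    esac
}

# Which PID under $2 (default /proc) holds the socket with inode $1? Fails if none.
pid_for_inode() {
    inode=$1; procdir=${2:-/proc}
    for fd in "$procdir"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#"$procdir"/}; echo "${pid%%/*}"; return 0
    done
    return 1
}

# Print "local remote state pid" for each socket in a /proc/net/tcp-format file $1,
# resolving inodes against the /proc tree $2. Field order in /proc/net/tcp:
# sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
socket_owners() {
    tcpfile=${1:-/proc/net/tcp}; procdir=${2:-/proc}
    tail -n +2 "$tcpfile" | while read -r _ laddr raddr st _ _ _ _ _ inode _; do
        pid=$(pid_for_inode "$inode" "$procdir") || pid='-'
        printf '%-22s %-22s %-12s %s\n' "$(hex_to_ipport "$laddr")" \
            "$(hex_to_ipport "$raddr")" "$(tcp_state_name "$st")" "$pid"
    done
}

# ---- constructed sample (not real data): an sshd listener plus one outbound
# ---- ESTABLISHED connection whose socket inode 67890 is open in PID 4242.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100A8C0:B2F1 0200A8C0:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
EOF
mkdir -p "$SAMPLE/proc/4242/fd"
ln -s 'socket:[67890]' "$SAMPLE/proc/4242/fd/5"

socket_owners "$SAMPLE/tcp" "$SAMPLE/proc"
```

On a compromised box the PID column is the interesting part: once you have it, `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline` tell you what binary is pushing the traffic even if it has deleted itself from disk, which is more than `top` alone will show.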

Thanks, I got iftop installed and it looks fairly easy to use…

fail2ban is your friend :-)
