I've noticed some suspicious activity on my Linode, what do I do?
I've noticed my Linode recently had a sharp increase in outbound traffic and I am not certain why. What can I do to investigate this?
9 Replies
You may have been the victim of a compromise on your system. This occasionally happens, and there are some steps you can take to investigate this and find the cause. If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:
/var/log/auth.log
: Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘last’ command to cross reference recent account logins with this file./tmp
: This directory is often used by malicious parties to store files- Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
ps aux
: Use this command to audit running processes for foreign processes
If those do not help you, I do have some more quick tips and links for next steps you could take:
Run Linux antivirus software. Here are some examples:
If you do discover your Linode has been compromised, I would recommend taking a look at our Recovering from a System Compromise Guide. I would also recommend taking a look at the following guides to help prevent future compromises to your Linode:
- Securing Your Server
- Linux Security Basics
- Controlling your Network Traffic With iptables
- Using Fail2Ban For Security
I hope this helps point you in the right direction. If you have any other questions, comments, or concerns, please feel free to respond here on the Community Site and someone may be able to help direct you.
On Centos here is no file /var/log/auth.log
:
ls -l /var/log
total 456
drwxr-xr-x. 2 root root 4096 Sep 25 14:54 anaconda
drwx------. 2 root root 4096 Dec 28 09:28 audit
-rw-------. 1 root root 9959 Dec 28 09:28 boot.log
-rw-rw----. 1 root utmp 8448 Dec 28 09:54 btmp
-rw-------. 1 root root 971 Dec 28 10:01 cron
-rw-r--r--. 1 root root 173291 Dec 28 10:00 dnf.librepo.log
-rw-r--r--. 1 root root 37510 Dec 28 10:00 dnf.log
-rw-r--r--. 1 root root 8336 Dec 28 10:00 dnf.rpm.log
drwxr-x---. 2 exim exim 4096 Nov 19 13:15 exim
-rw-r-----. 1 root root 0 Dec 28 09:28 firewalld
-rw-r--r--. 1 root root 9649 Dec 28 10:00 hawkey.log
-rw-rw-r--. 1 root utmp 291708 Dec 28 10:01 lastlog
-rw-------. 1 root root 0 Sep 25 14:49 maillog
-rw-------. 1 root root 105820 Dec 28 10:01 messages
drwx------. 2 root root 4096 Sep 25 14:54 private
drwxr-xr-x. 2 root root 4096 Sep 25 14:54 qemu-ga
-rw-r--r--. 1 root root 1040 Jul 1 15:29 README
drwxr-xr-x. 2 root root 4096 Dec 28 09:28 sa
-rw-------. 1 root root 20283 Dec 28 10:01 secure
-rw-------. 1 root root 0 Sep 25 14:49 spooler
drwxr-x---. 2 sssd sssd 4096 Dec 28 09:28 sssd
drwxr-xr-x. 2 root root 4096 Dec 28 09:28 tuned
-rw-rw-r--. 1 root utmp 4224 Dec 28 10:01 wtmp
Hello @dmitri14! The correct log on CentOS will be /var/log/secure
. Hope this helps!
- Run Linux antivirus software. Here are some >examples:
ClamAV
Maldet
RootkitHunter
Chkrootkit
We recently made an update to rescue mode that reduces some effort when it comes to using ClamAV. You no longer need to download it, but can run a preloaded script. The below is an excerpt from our updated guide on scanning for system vulnerabilities with ClamAV:
From the Finnix rescue mode, run the automated script using the following command:
linode_clam
If you need to scan your system for vulnerabilities and ClamAV isn't playing nicely, we just posted instructions on installing and using RKHunter here:
Using RKHunter on your Linode to scan for malicious software
Hello
2021-11-29 22:57:53 [47.75.127.17]:56612 [5.190.145.224] gdkj_hfh@fcjjt.com one@whatareyoudoing.xyz,
2021-11-30_23-47 run gdkj_hfh@fcjjt.com 403 mail one day fcjjt_feelzhou reject
The email account gdkj_hfh@fcjjt.com was reject to send mail via my email system now.
I have fix this issue already. Please help me to access 25 port to the other mail server. thanks.
Tom
Hi Support Team.
before few days all client services from our server was blocked from you but after installation security Software SSH service allowed and now we are unable to access sub-Domain services which is deployed in our server kindly allow all client services on Server
IP Address Below mention.
172.105.92.167/24
Hi Support Team.
That's not us. You need to file a support ticket with your request at
https://cloud.linode.com/support/tickets
-- sw