Need to find the reason for brute force passwords from my server?
I received a letter from the provider saying that brute force is going on from my server against other people's subnets. I can't find the reason. There is nothing suspicious in the processes. I checked autoruns and crontab. I checked all the projects on the server, and everything seems to be ok. I checked the server with rkhunter. I monitored the network interface via iptraf.
The server is monitored via Zabbix. Zabbix shows a load average of up to 2. As soon as I log in via ssh, the load drops; the load average gets closer to 0.
> We need to find the cause of brute force
You don't have to look for anything. Write the output of top to a file, for example:
top -b -n 5000 > top-5000iterations.txt
What protocol/port is used for the brute force (the provider should say)? You can try blocking this port for outgoing connections.
Perhaps the malware is so smart that it suspends its activity when monitoring is turned on.
If the worm is so cunning that it hides during user activity, then open a shell without a tty on an arbitrary port, or even a back-connect one. Plain sh; the worm should not suspect it. top won't work, of course, but ps aux is enough.
You can also add a firewall rule to log all new outgoing connections. Monitor the logs with a script that determines the UID from the PID shown by netstat, and from there the program name and its argument line, and the entire process tree if necessary. But the main problem here is not the worm, but how it got onto your server. And how many backup copies of itself it spawned. Without good knowledge of the system, only a reinstall will help, and even that is not certain, given the hole.
PS File permissions, chroot and docker were invented for a reason. Isolation makes it easier to solve such problems.
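The log-and-correlate approach from the answer above, as an added example that is not the answerer's code: it parses kernel log lines written by an iptables LOG rule on new outbound connections, flags any source/port pair that fans out to many distinct destinations (the pattern a provider sees as brute force), and maps the flagged port back to the owning process from `ss -tnp` output. The log prefix `NEW_OUT:`, the sample log and `ss` lines, and the process names in them are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed kernel log lines, as produced by a rule like
#   iptables -I OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_OUT: "
# (prefix and addresses are made up for this example).
SAMPLE_LOG = """\
Jan 10 12:00:01 srv kernel: NEW_OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=22
Jan 10 12:00:01 srv kernel: NEW_OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=51001 DPT=22
Jan 10 12:00:02 srv kernel: NEW_OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.12 PROTO=TCP SPT=51002 DPT=22
Jan 10 12:00:02 srv kernel: NEW_OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=51003 DPT=443
"""

LOG_RE = re.compile(r"NEW_OUT: .*?SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def count_destinations(log_text):
    """Group logged NEW outbound connections: {(src, proto, dport): set of dst}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            seen[(src, proto, int(dport))].add(dst)
    return seen


def flag_scanners(log_text, threshold=3):
    """Return (src, proto, dport) tuples that reached at least `threshold` distinct hosts."""
    return sorted(k for k, dsts in count_destinations(log_text).items() if len(dsts) >= threshold)


# Constructed `ss -tnp` output; on a live host you would run ss via subprocess.
# The process names (perl, curl) and pids are hypothetical.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51002 203.0.113.12:22 users:(("perl",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:51003 198.51.100.7:443 users:(("curl",pid=777,fd=5))
"""

SS_RE = re.compile(r'\s(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')


def processes_for_port(ss_text, dport):
    """Map each peer address on destination port `dport` to (process name, pid)."""
    owners = {}
    for line in ss_text.splitlines():
        m = SS_RE.search(line)
        if m and int(m.group(2)) == dport:
            owners[m.group(1)] = (m.group(3), int(m.group(4)))
    return owners
```

With the pid in hand, `ps -o pid,ppid,user,args -p <pid>` and walking PPID upward gives the user, command line and process tree the answer refers to.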