ubuntu
Alexander, 2020-01-22 00:08:19

What can generate such heavy outbound traffic on a VPS running Ubuntu?

Cases of the hoster blocking my container for "suspicious outgoing traffic" have become more frequent. They report that it reaches up to 42 Gbps, although I don't quite understand how this is possible on a 100 Mbps channel. This happens on a production machine running Ubuntu with LEMP; previously once every six months, and now for the second time in a month. After the block they send me information, but I can't figure out what to do with it, because all the IP addresses are familiar and make sense to me, I can't suspect any of them. And the processes are the usual pool of processes on the server, as far as I can tell (I don't go deep into system administration). Tell me, how can I work out what is generating outgoing traffic like this?

Support keeps hinting at malware in every possible way, and only sends links to simple rootkit hunters. Well, I went through the server, didn't find anything, changed the root password just in case, set up fail2ban... I don't know, I just don't understand which way to dig.

I.e., the technical info provided at the time of blocking:
TX pps - 7142524.46666667: Container 42611615 is stopped.
====================vzps auxfS -E 42611615====================
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
0 60373 0.0 0.0 0 0 ? S Jan12 0:00 [kthreadd/426116]
0 60374 0.0 0.0 0 0 ? S Jan12 0:00 \_ [khelper/4261161]
0 60375 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60376 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60377 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60378 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60379 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60380 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60381 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60382 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60383 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60384 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60385 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60386 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60387 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60388 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60389 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60390 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60391 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60392 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60393 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60394 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60395 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60396 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60397 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60398 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60399 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60400 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60401 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60402 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60403 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60404 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60405 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60406 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60407 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60408 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60409 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60410 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60411 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60412 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60413 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60414 0.0 0.0 0 0 ? S Jan12 0:00 \_ [rpciod/42611615]
0 60415 0.0 0.0 0 0 ? S Jan12 0:00 \_ [nfsiod/42611615]
0 60370 22.5 0.0 188992 2824 ? Ss Jan12 2839:10 init -z
0 60656 0.0 0.0 80284 34496 ? Ss Jan12 2:08 \_ /lib/systemd/systemd-journald
0 60660 0.0 0.0 41688 572 ? Ss Jan12 0:00 \_ /lib/systemd/systemd-udevd
0 60865 0.0 0.0 20040 712 ? Ss Jan12 0:00 \_ /lib/systemd/systemd-logind
0 60866 0.6 0.0 30172 512 ? Ss Jan12 80:56 \_ /usr/sbin/cron -f
104 60871 0.0 0.0 262476 1964 ? Ssl Jan12 0:46 \_ /usr/sbin/rsyslogd -n
108 60882 0.0 0.0 42832 844 ? Ss Jan12 0:00 \_ /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
0 60995 0.1 0.0 65456 944 ? Ss Jan12 14:11 \_ /usr/sbin/sshd -D
0 60998 48.3 0.0 459532 15960 ? Ss Jan12 6093:11 \_ /usr/sbin/apache2 -k start
33 597427 9.7 0.0 552864 46568 ? S 11:14 1:11 | \_ /usr/sbin/apache2 -k start
33 620541 8.9 0.0 552860 42828 ? R 11:15 1:00 | \_ /usr/sbin/apache2 -k start
33 658785 9.6 0.0 552100 41964 ? S 11:20 0:35 | \_ /usr/sbin/apache2 -k start
33 660615 10.5 0.0 548912 40180 ? S 11:21 0:36 | \_ /usr/sbin/apache2 -k start
33 664636 9.4 0.0 470400 34704 ? S 11:22 0:25 | \_ /usr/sbin/apache2 -k start
33 667003 12.6 0.0 475280 41520 ? S 11:23 0:29 | \_ /usr/sbin/apache2 -k start
33 667301 7.2 0.0 553100 42764 ? R 11:23 0:16 | \_ /usr/sbin/apache2 -k start
33 668225 7.8 0.0 473580 39080 ? S 11:23 0:15 | \_ /usr/sbin/apache2 -k start
33 695808 10.3 0.0 470520 33504 ? S 11:26 0:06 | \_ /usr/sbin/apache2 -k start
33 698178 7.2 0.0 469652 31128 ? S 11:26 0:01 | \_ /usr/sbin/apache2 -k start
0 61039 0.0 0.0 177456 8136 ? Ssl Jan12 0:00 \_ /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
0 61045 0.0 0.0 12780 148 tty2 Ss+ Jan12 0:00 \_ /sbin/agetty --noclear tty2 linux
0 61047 0.0 0.0 16912 144 tty1 Ss+ Jan12 0:00 \_ /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
33 61083 0.0 0.0 19632 308 ? Ss Jan12 0:11 \_ /usr/bin/htcacheclean -d 120 -p /var/cache/apache2/mod_cache_disk -l 300M -n
33 637072 1.7 0.0 252780 26892 ? Sl Jan12 218:50 \_ amplify-agent
0 409075 3.7 0.0 338944 56572 ? Sl Jan12 463:35 \_ /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
0 409519 0.0 0.0 123368 1960 ? S Jan15 0:00 \_ nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
33 409521 0.0 0.0 124904 4800 ? S Jan15 7:10 | \_ nginx: worker process
33 409522 0.0 0.0 124548 4420 ? S Jan15 6:50 | \_ nginx: worker process
33 409523 0.0 0.0 124552 4548 ? S Jan15 6:50 | \_ nginx: worker process
33 409524 0.0 0.0 124612 4488 ? S Jan15 7:24 | \_ nginx: worker process
107 10800 18.8 2.5 9915712 3373896 ? Ssl 07:34 43:50 \_ /usr/sbin/mysqld

tester12, 2020-01-22

First, check your backups. If you have none, back everything up.
Then close all unnecessary ports in iptables.
Next, find out from technical support which IPs and ports the traffic goes to. Nothing is clear from the "technical info when blocking". What kind of 42 Gbit that is is also not clear.
Well, prepare a new "obviously clean" server, configure everything properly, and move the backups there. If this is not a technical support error, then there is malware on the server. The server is compromised and must be stopped.
