
VPS Blocked due to brute force attacks

'We have received reports of abuse coming from your Spring Server. Your server is being used in a brute force attack as these logs we received show:'

I have managed to get into the server and the advice was as below:

Even though the server is blocked, you can still log into it via the
spring console. Once in there check all the processes that you are
running and kill the process that is performing these brute force
attacks. You should also enable the firewall and block your server from
performing these attacks on port 22. You'll probably want to check for
any accounts on your server that you do not recognize and change your
root password in case it has been compromised. Let me know when you have
taken care of this and I'll unblock the server.

How do I check what process is running and kill the process that is performing these brute force attacks?

Thank you.

Asked by rroslan

1 Solution

torimar commented:
In a terminal, type:
sudo top

This will give you a real time impression of what is going on on your server, which processes are active and running (the ones at the top) and which user accounts they are running under. Take note of the most active commands, their users and PIDs.
You leave 'top' by typing 'q'.

To get to know which exact process is using port 22, type:
sudo fuser -v 22/tcp

Make note of the process ID (PID) and kill any unwanted process by typing:
kill <PID>

Then proceed to secure your server following the instructions in the message you got.

torimar commented:
Thinking about it, I find the info your provider gave you a bit scarce. So was mine.

Here's an addendum:

If "sudo fuser -v 22/tcp" should not yield a result, then this means that the malicious process is not running on port 22, but attacking remote servers on port 22. Type:
sudo netstat -plan --inet
and you will see, under 'Foreign Address', the IP:Port of remote servers your system is connected to. At the end of the line (or next line) you will find PID and process name. Write them down.

Once you have the PID, do NOT kill the process immediately, but run:
sudo ps -aef | grep <PID>
This will give you some additional information about the process, like the physical address in the filesystem where the programme resides that creates it etc. Write this info down as well.

Then kill the process (use: kill -9 <PID> to speed it up if necessary).

Now look at the process name you wrote down and type:
ls -l /etc/*.d/*<processname>

If this gives you a hit in /etc/init.d/, navigate there and delete the file.
If additionally it gives you several hits in /etc/rc0 to /etc/rc6 folders, run:
sudo update-rc.d -f <processname> remove

To make sure the attacker hasn't left a scheduled task to restart his software, run:
sudo crontab -e
select 3 for Nano editor and check all entries for the suspicious process name. Delete it if found, but be careful to leave all other entries intact.

Now browse to the path in your filesystem where the malicious programme was installed (remember, you wrote this down). Delete the malicious executable. You will see executables marked by an * when typing:
sudo ls -alF
Write down the complete path of the folder (like /var/opt/<foldername>) and search the internet for it being known and harmless. If you don't find it mentioned in an unsuspicious context, you will be safe to delete the whole folder.

Finally, make sure your system is up-to-date in order to avoid being hacked again via the same exploit.
Type:
sudo apt-get update
sudo apt-get upgrade


Last but not least you may want to
- contact your provider with the details of the hack attack which you wrote down
- check your provider's pages for info on how to secure your server and how to deal with security logfiles
- refer to this Ubuntu Server documentation for further study:
http://linux.about.com/od/ubusrv_doc/Ubuntu_Linux_Server_Documentation.htm

your /etc/init.d/

torimar commented:
/edit:
Please ignore that last line.
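As an added example (not part of the original answer or the asker's post), a small read-only POSIX sh helper that automates the netstat step above: it picks out every local process whose Foreign Address is port 22 (this host acting as SSH client), then records exe, cwd and command line from /proc and greps the init and cron locations for the process name, so the details are written down before anything is killed. The netstat output it parses first is a constructed sample, and the process name ssh-scan in it is made up.

```shell
#!/bin/sh
# Added triage helper (not from the original answer). Read-only: it finds
# processes connected to remote port 22, then records where each one lives
# and whether its name appears in init/cron locations. It kills nothing.

# Filter `netstat -plan --inet` output to "PID/name" for every line whose
# Foreign Address ends in :22, i.e. this host is the SSH client.
ssh_clients_from_netstat() {
    awk '$1 ~ /^tcp/ && $5 ~ /:22$/ && $7 ~ "^[0-9]+/" { print $7 }' | sort -u
}

# Print exe, cwd and command line of a PID from /proc (the "physical address").
describe_pid() {
    [ -d "/proc/$1" ] || { echo "no such process: $1"; return 1; }
    printf 'exe: %s\n' "$(readlink "/proc/$1/exe" 2>/dev/null)"
    printf 'cwd: %s\n' "$(readlink "/proc/$1/cwd" 2>/dev/null)"
    printf 'cmd: %s\n' "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# List init scripts, rc links and cron files that mention a process name.
persistence_hits() {
    grep -rl -- "$1" /etc/init.d /etc/rc[0-6S].d /etc/crontab /etc/cron* \
        /var/spool/cron 2>/dev/null || echo "no persistence hits for $1"
}

# Constructed sample of netstat output (not from a real host); ssh-scan is made up.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*           LISTEN      812/sshd
tcp        0      0 10.0.0.5:22      203.0.113.9:51222   ESTABLISHED 2210/sshd: root
tcp        0      1 10.0.0.5:40112   198.51.100.7:22     SYN_SENT    4711/ssh-scan
tcp        0      0 10.0.0.5:40118   198.51.100.8:22     ESTABLISHED 4711/ssh-scan
tcp        0      0 10.0.0.5:55010   192.0.2.30:80       ESTABLISHED 3002/wget'

# Demo on the sample, then on the live host when netstat is present.
printf '%s\n' "$SAMPLE_NETSTAT" | ssh_clients_from_netstat
if command -v netstat >/dev/null 2>&1; then
    netstat -plan --inet 2>/dev/null | ssh_clients_from_netstat |
    while IFS=/ read -r pid name; do
        echo "== PID $pid ($name)"; describe_pid "$pid"; persistence_hits "$name"
    done
fi
```

On the sample it reports only 4711/ssh-scan: the incoming sshd session and the outbound HTTP connection are correctly left out.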