VPS Blocked due to brute force attacks

Posted on 2008-11-12
Last Modified: 2013-11-15
'We have received reports of abuse coming from your Spring Server. Your server is being used in a brute force attack as these logs we received show:'

I have managed to get into the server and the advice was as below:

Even though the server is blocked, you can still log into it via the
spring console. Once in there check all the processes that you are
running and kill the process that is performing these brute force
attacks. You should also enable the firewall and block your server from
performing these attacks on port 22. You'll probably want to check for
any accounts on your server that you do not recognize and change your
root password in case it has been compromised. Let me know when you have
taken care of this and I'll unblock the server.

How do I check what process is running and kill the process that is performing these brute force attacks?

Thank you.

Question by:rroslan
    LVL 35

    Expert Comment

    In a terminal, type:
    sudo top

    This will give you a real time impression of what is going on on your server, which processes are active and running (the ones at the top) and which user accounts they are running under. Take note of the most active commands, their users and PIDs.
    You leave 'top' by typing 'q'.

    To get to know which exact process is using port 22, type:
    sudo fuser -v 22/tcp

    Make note of the process ID (PID) and kill any unwanted process by typing:
    kill <PID>

    Then proceed to secure your server following the instructions in the message you got.
    LVL 35

    Accepted Solution

    Thinking about it, I find the info your provider gave you a bit scarce. So was mine.

    Here's an addendum:

    If "sudo fuser -v 22/tcp" should not yield a result, then this means that the malicious process is not running on port 22, but attacking remote servers on port 22. Type:
    sudo netstat -plan --inet
    and you will see, under 'Foreign Address', the IP:Port of remote servers your system is connected to. At the end of the line (or next line) you will find PID and process name. Write them down.

    Once you have the PID, do NOT kill the process immediately, but run:
    sudo ps -aef | grep <PID>
    This will give you some additional information about the process, like the physical address in the filesystem where the programme resides that creates it etc. Write this info down as well.

    Then kill the process (use: kill -9 <PID> to speed it up if necessary).

    Now look at the process name you wrote down and type:
    ls -l /etc/*.d/*<processname>

    If this gives you a hit in /etc/init.d/, navigate there and delete the file.
    If additionally it gives you several hits in /etc/rc0 to /etc/rc6 folders, run:
    sudo update-rc.d -f <processname> remove

    To make sure the attacker hasn't left a scheduled task to restart his software, run:
    sudo crontab -e
    select 3 for Nano editor and check all entries for the suspicious process name. Delete it if found, but be careful to leave all other entries intact.

    Now browse to the path in your filesystem where the malicious programme was installed (remember, you wrote this down). Delete the malicious executable. You will see executables marked by an * when typing:
    sudo ls -alF
    Write down the complete path of the folder (like /var/opt/<foldername>) and search the internet for it being known and harmless. If you don't find it mentioned in an unsuspicious context, you will be safe to delete the whole folder.

    Finally, make sure your system is up-to-date in order to avoid being hacked again via the same exploit.
    sudo apt-get update
    sudo apt-get upgrade

    Last but not least you may want to
    - contact your provider with the details of the hack attack which you wrote down
    - check your provider's pages for info on how to secure your server and how to deal with security logfiles
    - refer to this Ubuntu Server documentation for further study:

    your /etc/init.d/
    LVL 35

    Expert Comment

    Please ignore that last line.
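The two expert comments above describe one manual procedure: find the process that is connecting out to port 22, record what it is and where it lives before killing it, then check the restart points (init scripts, rc?.d links, the crontab). The script below is an added example written for this page; it is not code from the thread, the posters or the hosting provider. It parses the text that "sudo netstat -plan --inet" prints (a constructed sample with an invented PID 6666 and an invented program name ".x/sshscan" is embedded so it runs offline), reads the process details from /proc (Linux only, where "ps -aef" would otherwise be used), and searches the startup locations and a crontab listing for the process name. Function names and the sample data are my own.

```shell
#!/bin/sh
# Added triage helpers for the procedure in the accepted answer; this is not
# code from the thread or from the provider. It parses the text that
# "sudo netstat -plan --inet" prints and checks the usual restart locations
# (/etc/init.d, /etc/rc?.d, the crontab) for the process name found.
# All sample data below is constructed for illustration.

# Constructed netstat output: one listening sshd, two outbound connections to
# remote port 22 from an invented process "6666/.x/sshscan", one harmless wget.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 10.0.0.5:44120          203.0.113.9:22          SYN_SENT    6666/.x/sshscan
tcp        0      0 10.0.0.5:44121          203.0.113.17:22         ESTABLISHED 6666/.x/sshscan
tcp        0      0 10.0.0.5:51000          198.51.100.3:80         ESTABLISHED 2001/wget'

# Reads netstat text on stdin; prints "PID program" once for every process
# that has a connection whose *foreign* address is port 22. That is the case
# where the server is the client, so "fuser -v 22/tcp" shows only sshd.
outbound_ssh_pids() {
    awk '$1 ~ /^(tcp|udp)/ && $5 ~ /:22$/ && $NF ~ /^[0-9]+\// {
            n = index($NF, "/")
            print substr($NF, 1, n - 1), substr($NF, n + 1)
         }' | sort -u
}

# The information "ps -aef" gives for one PID, plus the on-disk executable,
# read from /proc (Linux only). Run this BEFORE killing, so the path is kept.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid"; return 1; }
    echo "exe:  $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd:  $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "cmd:  $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
}

# Lists init scripts, rc[0-6].d links and crontab lines that mention NAME:
# the restart points the answer says to check. ROOT defaults to / and exists
# only so the check can be run against a copy of the tree. The crontab text
# is read from stdin (e.g. "sudo crontab -l | persistence_refs NAME").
persistence_refs() {
    name=$1; root=${2:-}
    for f in "$root"/etc/init.d/*"$name"* "$root"/etc/rc[0-6].d/*"$name"*; do
        [ -e "$f" ] && echo "startup: $f"
    done
    grep -n -- "$name" 2>/dev/null | sed 's/^/crontab line /'
    return 0
}

# Stand-alone run: parse the constructed sample and, for each process found,
# show its details and check the live tree for restart points.
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_ssh_pids | while read -r pid prog; do
    echo "== PID $pid ($prog) connects to remote port 22"
    describe_pid "$pid" || true
    echo "" | persistence_refs "$(basename "$prog")"
done
```

On a real server, replace the sample with `sudo netstat -plan --inet | outbound_ssh_pids` and feed `sudo crontab -l` into `persistence_refs`; the PID the script reports is the one the answer tells you to record, describe and then kill. Note that matching by name is only a first pass: an attacker can name a file anything, so the path printed by `describe_pid` (the "exe:" line) is the record worth keeping for the provider.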
