VPS Blocked due to brute force attacks

'We have received reports of abuse coming from your Spring Server. Your server is being used in a brute force attack as these logs we received show:'

I have managed to get into the server and the advice was as below:

Even though the server is blocked, you can still log into it via the
spring console. Once in there check all the processes that you are
running and kill the process that is performing these brute force
attacks. You should also enable the firewall and block your server from
performing these attacks on port 22. You'll probably want to check for
any accounts on your server that you do not recognize and change your
root password in case it has been compromised. Let me know when you have
taken care of this and I'll unblock the server.

How do I check what process is running and kill the process that is performing these brute force attacks?

Thank you.

Asked by Roslan Ramli

In a terminal, type:
sudo top

This will give you a real time impression of what is going on on your server, which processes are active and running (the ones at the top) and which user accounts they are running under. Take note of the most active commands, their users and PIDs.
You leave 'top' by typing 'q'.

To get to know which exact process is using port 22, type:
sudo fuser -v 22/tcp

Make note of the process ID (PID) and kill any unwanted process by typing:
kill <PID>

Then proceed to secure your server following the instructions in the message you got.
Thinking about it, I find the info your provider gave you a bit scarce. So was mine.

Here's an addendum:

If "sudo fuser -v 22/tcp" should not yield a result, then this means that the malicious process is not running on port 22, but attacking remote servers on port 22. Type:
sudo netstat -plan --inet
and you will see, under 'Foreign Address', the IP:Port of remote servers your system is connected to. At the end of the line (or next line) you will find PID and process name. Write them down.

Once you have the PID, do NOT kill the process immediately, but run:
sudo ps -aef | grep <PID>
This will give you some additional information about the process, like the physical address in the filesystem where the programme resides that creates it etc. Write this info down as well.

Then kill the process (use: kill -9 <PID> to speed it up if necessary).

Now look at the process name you wrote down and type:
ls -l /etc/*.d/*<processname>

If this gives you a hit in /etc/init.d/, navigate there and delete the file.
If additionally it gives you several hits in /etc/rc0 to /etc/rc6 folders, run:
sudo update-rc.d -f <processname> remove

To make sure the attacker hasn't left a scheduled task to restart his software, run:
sudo crontab -e
select 3 for Nano editor and check all entries for the suspicious process name. Delete it if found, but be careful to leave all other entries intact.

Now browse to the path in your filesystem where the malicious programme was installed (remember, you wrote this down). Delete the malicious executable. You will see executables marked with an * when typing:
sudo ls -alF
Write down the complete path of the folder (like /var/opt/<foldername>) and search the internet for it being known and harmless. If you don't find it mentioned in an unsuspicious context, you will be safe to delete the whole folder.

Finally, make sure your system is up-to-date in order to avoid being hacked again via the same exploit.
sudo apt-get update
sudo apt-get upgrade

Last but not least you may want to
- contact your provider with the details of the hack attack which you wrote down
- check your provider's pages for info on how to secure your server and how to deal with security logfiles
- refer to this Ubuntu Server documentation for further study:

your /etc/init.d/

Please ignore that last line.
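As an added example that is not part of the answers above, the POSIX sh helper below automates the triage steps from the addendum: it picks the PID/program of every process with a connection to a remote host on port 22 out of netstat -plan --inet output, then records the executable path, working directory and command line from /proc before anything is killed. The netstat sample, the process name .sshscan and the fake /proc tree used in demo() are constructed for the demo.

```shell
#!/bin/sh
# Added triage helper (not from the original answers): pick out processes
# with TCP connections to remote port 22 in `netstat -plan --inet` output,
# then record each PID's executable, working directory and command line
# from /proc BEFORE killing anything. Netstat sample and fake /proc tree
# in demo() are constructed.

# Print unique "PID/Program" for TCP lines whose foreign address is :22.
# netstat columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
ssh_clients_from_netstat() {
    awk '$1 == "tcp" && $5 ~ /:22$/ { print $7 }' "$1" | sort -u
}

# One-line record for a PID; optional 2nd arg replaces /proc (used in tests).
describe_pid() {
    pid=$1; proc=${2:-/proc}
    exe=$(readlink "$proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "$proc/$pid/cwd" 2>/dev/null || echo '?')
    if [ -r "$proc/$pid/cmdline" ]; then
        cmd=$(tr '\0' ' ' < "$proc/$pid/cmdline" | sed 's/ *$//')
    else
        cmd='?'
    fi
    printf 'pid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "$cmd"
}

# Offline demo: the sshd listener and the inbound admin session are ignored,
# the hidden ".sshscan" process connecting out to port 22 is reported.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 203.0.113.10:41022      198.51.100.7:22         SYN_SENT    4412/.sshscan
tcp        0      0 203.0.113.10:41023      198.51.100.9:22         ESTABLISHED 4412/.sshscan
tcp        0      0 203.0.113.10:22         192.0.2.5:50211         ESTABLISHED 812/sshd
EOF
    mkdir -p "$tmp/proc/4412"
    ln -s /var/tmp/.x/sshscan "$tmp/proc/4412/exe"
    ln -s /var/tmp/.x "$tmp/proc/4412/cwd"
    printf '%s\0' ./sshscan -t 200 > "$tmp/proc/4412/cmdline"
    for entry in $(ssh_clients_from_netstat "$tmp/netstat.txt"); do
        describe_pid "${entry%%/*}" "$tmp/proc"   # PID is before the "/"
    done
    rm -rf "$tmp"
}

demo
```

On a live server, run it as root with the real netstat output saved to a file, e.g. `sudo netstat -plan --inet > /root/netstat.txt`, and keep the printed lines with your incident notes.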