Last week, I got an email from Linode saying that my server was attacking other servers.
We have received a report of brute force attempts originating from your Linode. It appears that a process internal to your Linode is attacking other servers and attempting to guess their credentials.
Confused, I started to investigate the issue with the accompanying guide.
If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:
- /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘last’ command to cross-reference recent account logins with this file.
- /tmp : This directory is often used by malicious parties to store files.
- Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
- ps aux : Use this command to audit running processes for foreign processes
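The first two steps of that guide (read auth.log, then cross-reference with `last`) are easy to script. The following is an added example, not code from the post or from Linode's guide: it counts failed SSH password attempts per source IP, lists the logins that succeeded so they can be compared against `last`, and flags sources that cross a threshold. The log lines and the file path are constructed for the example; the format matches what sshd writes to the syslog-style auth.log on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post or Linode's guide): triage an
# auth.log-style file for SSH brute-force activity and list the logins that
# actually succeeded, so they can be cross-checked against `last`.
# The file path and the log lines below are constructed for this example.

# Count "Failed password" events per source IP, most active first.
# Output: "<count> <ip>" per line.
failed_logins_by_ip() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Total number of failed password attempts in the file.
total_failed() {
    grep -c 'Failed password' "$1"
}

# Successful logins, whatever the method: "<method> <user> <ip>".
# A success from an IP that also appears in the failed list deserves a look.
accepted_logins() {
    grep 'Accepted ' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9a-fA-F.:]*\) port .*/\1 \2 \3/p'
}

# IPs whose failed-attempt count is at or above a threshold (default 3):
# candidates for a firewall rule, and for checking whether they later succeeded.
noisy_sources() {
    threshold="${2:-3}"
    failed_logins_by_ip "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample log (hostname, PIDs and addresses are made up).
SAMPLE_LOG="${TMPDIR:-/tmp}/auth-sample-$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 myhost sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 44422 ssh2
Mar  3 10:15:03 myhost sshd[1236]: Failed password for root from 203.0.113.5 port 44430 ssh2
Mar  3 10:15:05 myhost sshd[1238]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 10:15:07 myhost sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 44440 ssh2
Mar  3 10:16:00 myhost sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:17:30 myhost sshd[1260]: Accepted password for root from 203.0.113.5 port 44450 ssh2
EOF

# Stand-alone run: `sh thisfile.sh --demo` prints the summary for the sample.
if [ "${1:-}" = "--demo" ]; then
    echo "failed attempts: $(total_failed "$SAMPLE_LOG")"
    echo "by source IP:";      failed_logins_by_ip "$SAMPLE_LOG"
    echo "accepted logins:";   accepted_logins "$SAMPLE_LOG"
    echo "noisy sources:";     noisy_sources "$SAMPLE_LOG"
fi
```

On a real host, point the functions at `/var/log/auth.log` (and the rotated `auth.log.1`), then compare the output of `accepted_logins` with `last -i`: the thing to look for is not the volume of failures, which is background noise on any public SSH port, but a success from an address that was also guessing.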
In auth.log, I found a lot of failed logins (more than 17,000 that day) from different IPs and different VPS providers. Someone was trying to hack my server, just after I had enabled password login several days ago. So I went to /etc/ssh/sshd_config and disabled PasswordAuthentication so hackers couldn't make brute-force attempts again. But I still didn't think it was compromised; after all, I was using a strong password generated by 1Password, not a weak one, so how could it be?
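Turning `PasswordAuthentication` off has a trap that is easy to miss: sshd uses the first uncommented value it reads for a keyword, not the last, and a value inside a `Match` block only applies to the connections that block matches. The following added example (not from the post) checks what a given sshd_config file says globally; the three sample config files are constructed to show the default, a hardened file, and the ordering trap.

```shell
#!/bin/sh
# Added example (not from the original post): report the global
# PasswordAuthentication setting of an sshd_config file. sshd keeps the FIRST
# uncommented value of a keyword, and Match blocks are per-connection, so the
# check reads the global section only. Paths and sample configs are constructed.

# Print the effective global PasswordAuthentication value. OpenSSH defaults to
# "yes" when the keyword is absent. Case-insensitive, comments ignored,
# stops at the first Match block.
global_password_auth() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        tolower($1) == "match" { exit }                    # end of global section
        tolower($1) == "passwordauthentication" && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print "yes" }
    ' "$1"
}

# Exit status 0 if password authentication is off globally, 1 otherwise.
password_auth_disabled() {
    [ "$(global_password_auth "$1")" = "no" ]
}

WORK="${TMPDIR:-/tmp}/sshd-check-$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Weak: the stock default. The commented line does nothing.
WEAK_CFG="$WORK/sshd_config.weak"
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Hardened: keys only, no keyboard-interactive fallback, root cannot use a
# password. The Match block re-enables passwords for one user only; the
# global answer stays "no".
HARD_CFG="$WORK/sshd_config.hard"
cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match User deploy
    PasswordAuthentication yes
EOF

# Trap: someone appended "no" under an existing "yes". sshd keeps the first
# value, so passwords are still accepted.
TRAP_CFG="$WORK/sshd_config.trap"
cat > "$TRAP_CFG" <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no
EOF

if [ "${1:-}" = "--demo" ]; then
    for f in "$WEAK_CFG" "$HARD_CFG" "$TRAP_CFG"; do
        echo "$(basename "$f"): PasswordAuthentication=$(global_password_auth "$f")"
    done
fi
```

This parser does not follow `Include` directives (recent distributions ship `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file, and a file there can win on the first-value rule), so the authoritative check on the live host is `sshd -T | grep -i passwordauthentication`, run as root. Before restarting sshd, confirm a key-based login works from a second session so you are not locked out.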
Then I spotted several suspicious processes such as /bin/bash 50 .go. It started again after a while if killed. What was the file .go? After digging for several hours to find the source, I finally found the hacker's code. It was in the /tmp directory, disguised as something created by my Ghost blogging system. And it was mining Monero. Download the code here if you're interested.
By searching for the file name /tmp/.ssh/.rsync/c/lib/64/tsm from the hacker's code, I found several related hacks: 1, 2. Relieved, I started doing things to secure my server. It's good to learn the importance of security when it's not too late.
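The two things that gave the miner away here were a dot-prefixed file tree under /tmp and a process that kept running from it. Both are cheap to check for. The following added example (not from the post, and nothing in it is the miner) lists hidden entries and executables under a scratch directory and, on Linux, any process whose binary or working directory resolves into it. The directory tree is constructed to mimic the layout the post describes, using empty files.

```shell
#!/bin/sh
# Added example (not from the original post): audit a scratch directory such
# as /tmp for hidden entries, executable files, and processes running out of
# it. The tree below is constructed from empty files; /proc is Linux-only.

# Paths (relative to $1) that have a dot-prefixed component anywhere, which
# also catches everything stored beneath a hidden directory. $1 must not
# contain "|" (used as the sed delimiter).
hidden_entries() {
    find "$1" -mindepth 1 -print | sed "s|^$1/||" | grep -E '(^|/)\.' | sort
}

# Regular files with the owner execute bit set, relative to $1.
# A /tmp populated by a web app should normally contain none.
executables_under() {
    find "$1" -type f -perm -100 -print | sed "s|^$1/||" | sort
}

# Processes whose executable or cwd lives under $1 (Linux /proc; prints
# nothing on other systems). Output: "<pid> exe=<path> cwd=<path>".
processes_rooted_in() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=""
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=""
        case "$exe:$cwd" in
            "$1"*|*":$1"*) echo "${p#/proc/} exe=$exe cwd=$cwd" ;;
        esac
    done
    return 0
}

# Constructed tree: one legitimate upload directory, plus a hidden layout
# like the one found in the post (empty placeholder files only).
SCRATCH="${TMPDIR:-/tmp}/tmp-audit-$$"
mkdir -p "$SCRATCH/.ssh/.rsync/c/lib/64" "$SCRATCH/ghost-upload"
trap 'rm -rf "$SCRATCH"' EXIT
: > "$SCRATCH/.go"
: > "$SCRATCH/.ssh/.rsync/c/lib/64/tsm"
chmod u+x "$SCRATCH/.ssh/.rsync/c/lib/64/tsm"
: > "$SCRATCH/ghost-upload/image.png"

if [ "${1:-}" = "--demo" ]; then
    echo "hidden entries:";   hidden_entries "$SCRATCH"
    echo "executables:";      executables_under "$SCRATCH"
    echo "processes:";        processes_rooted_in "$SCRATCH"
fi
```

Run `processes_rooted_in /tmp` as root on the live host, since /proc/PID/exe of other users' processes is not readable otherwise. A process that respawns after being killed, as the post describes, usually has a parent or a scheduler behind it: `ps -o ppid= -p <pid>`, `crontab -l` for every user, and `systemctl list-timers` are the next places to look, and mounting /tmp with `noexec` removes the easy option of running anything from it at all.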