Comments
Press C in top and if you are lucky it will show you the path of the command. Also check the bash history of all users and make sure someone didn't compromise your machine and run that.
check this out:
gimmemoneyicandoit.com/virus/crontab_and_scripts.txt
look into /tmp just in case
also, check your bash history
Is it a virus??
Guess what??? Maybe right. It is a virus.. I also found a process named b26
I googled it and found http://superuser.com/questions/695876/is-root-b26-a-ddos-process
I shut down my server and planned to make a clean install..
According to the forum, it is a DDoSing process.. no wonder my VPS used about 700GB in less than 20 days.. I am hosting a static website. It is hard to reach even 3GB/month of bandwidth..
Your top screenshot shows that process has only taken up 5 seconds of CPU time. Does the process persist or is it re-spawned often? Does the PID change?
According to the first quote, I'd say that the attackers run that process (b26h) on and off; since the server has pretty much been turned into a botnet, the b26/b26h process only starts DDoSing when needed and only for a certain amount of time. Hence the short usage time.
Here is another snapshot
Its ID changed..
I booted up my server and found b26 still running. It will run for a few milliseconds and then be gone.. and b26h is also running again.. EDIT: this is the b26 snapshot; its ID is also changing
Did you just run clamav now? Or do you have it always monitoring?
It is always running because I use this server for a website and mail
My root access has been compromised?
I wonder why it didn't pick it up, but it looks like it's definitely used for DDoS attacks
http://superuser.com/questions/695876/is-root-b26-a-ddos-process
I would shut it off or block outbound data (if you can) for now until you sort it
b26 and b26h are located in /root/. I deleted them..
Yeah.. 700GB of bandwidth used.. I never use bandwidth that high
Just wipe the VPS, and you should use keys and disable password-based logins..
http://www.howtoforge.com/ssh_key_based_logins_putty
You should also check your local computer and scan for keylogger viruses like ZEUS.. Malwarebytes is pretty good.
Yes, it most likely has been compromised. If you're finding DDoS scripts in your /root/ folder, then...
What panel did you use?
I'm sure it's some un-updated panel; too lazy for a simple apt-get upgrade/pacman -Syu/yum update or whatever
Anything listed in # crontab -e, or something weird in /etc/init.d, or maybe something run by supervisord?
And maybe some weird last login IP?
I'm using Virtualmin
Who did you mean?? I installed Virtualmin about a week before on a fresh server.. and I always keep my servers up to date
Only 3 webmin-related lines
I checked /var/log/auth.log and found this.
Too many of them.. then it stops.. I scrolled a few pages and found this
Different IP.. but still from CHINA.
There are also a lot of the same log entries from IP 42.62.17.250
I scrolled a few more pages and found this
Brute force????
I deleted b26 and b26h from my server and changed my root password to alphabet+numeric+symbols. But when I checked again today, both files exist and the processes are up again.. damn it..
Check $HOME/.ssh/ and /etc/passwd for unknown authorized_keys and user.
Install fail2ban or another firewall. Hope it helps.
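An added example (not from any poster in this thread) that turns the checks suggested in this post and earlier (extra UID 0 users in /etc/passwd, unknown authorized_keys entries, crontab persistence) into small shell functions. Each takes the file to inspect as its argument, so on a live box you point them at /etc/passwd, each user's ~/.ssh/authorized_keys and the output of crontab -l; the passwd, key and crontab contents written by the write_sample_* functions are constructed for the demo, and the key material and /root/CONSTRUCTED_EXAMPLE_binary path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: account, key and cron checks as functions that
# each take the file to inspect as $1, so they run against the real files on a box or
# against the constructed samples below.

# Any account other than root with UID 0 is a second superuser nobody should have added.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shell is not nologin/false, i.e. the ones that can log in: "name:uid:home".
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $6 }' "$1"
}

# One line per key, "keytype comment", skipping blanks, comments and any leading
# options such as from="..."; a key with no comment, or a comment you do not
# recognise, is the one to look at.
summarise_authorized_keys() {
    awk '$0 !~ /^[ \t]*(#|$)/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
            c = ""; for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
            print $i, (c == "" ? "(no comment)" : c); break
        }
    }' "$1"
}

# Non-comment, non-empty lines of a crontab: what actually runs.
active_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' "$1"
}

# Constructed samples: one extra UID 0 user, one key with no comment, one cron entry.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
sysadm:x:0:0::/root:/bin/sh
EOF
}
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialOne deploy@laptop
# old workstation key, kept for reference
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterialTwo ops@desktop
from="203.0.113.7" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialThree
EOF
}
write_sample_crontab() {
    cat > "$1" <<'EOF'
# m h dom mon dow command
MAILTO=root

@reboot /root/CONSTRUCTED_EXAMPLE_binary
EOF
}

p=$(mktemp); k=$(mktemp); c=$(mktemp)
write_sample_passwd "$p"; write_sample_authorized_keys "$k"; write_sample_crontab "$c"
echo "Extra UID 0 accounts:"; extra_uid0_accounts "$p"
echo "Login-capable accounts:"; login_capable_accounts "$p"
echo "Authorized keys:"; summarise_authorized_keys "$k"
echo "Active crontab lines:"; active_cron_lines "$c"
rm -f "$p" "$k" "$c"
```

On the sample, the third key line is the kind of entry worth noticing: no comment, and a from= restriction pointing at an address you never set up. For a real audit, run the key summary for every home directory listed by login_capable_accounts, not only root's.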
You should take the advice of others here and wipe + reinstall. Your VPS was compromised and there's no telling what they've done to it, including adding backdoors to regain access.
Changing the default SSH port is a must. At least it will reduce brute force attacks.
I'm reinstalling it now.. I'm not too afraid because there is no sensitive data on this server.. I just use it to host a website with only static pages.
Thanks for your concern.
Now I realize how important it is to tighten server security.
Maybe this can be of use to you: http://blog.bokhorst.biz/6507/computers-and-internet/how-to-setup-a-vps-as-web-server/#setup_security
At the very minimum, you should change the SSH port and create a new user then disable root login.
Set up fail2ban as well.
Or change:
To:
In the ssh_config and then set up SSH keys for root.
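An added example (not from any poster in this thread) that checks the daemon's configuration file (/etc/ssh/sshd_config on most systems) for the three settings the advice above turns on: a non-default Port, PermitRootLogin off, and PasswordAuthentication off in favour of keys. The two configs written by write_weak_sshd_config and write_hardened_sshd_config are constructed samples; the one assumption to note is that an absent PermitRootLogin line is treated as "yes", the permissive default of older OpenSSH releases, which is the safe way to read an unknown box.

```shell
#!/bin/sh
# Added example, not from the thread: check an sshd_config for the three settings the
# advice above turns on (non-default port, no root login, keys instead of passwords).
# $1 is the config path, so it can be /etc/ssh/sshd_config or a constructed sample.
# Caveat: this reads the file literally; Match blocks and Include directives are ignored.

# Effective value of a keyword. sshd uses the FIRST non-comment occurrence of a keyword,
# so that is what is returned; $3 is the value to assume when the keyword is absent.
sshd_option() {
    v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) && !done { print $2; done = 1 }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Print one "WEAK: ..." line per problem and return 1 if anything is weak, 0 otherwise.
# An absent PermitRootLogin is treated as "yes" (assumption: older OpenSSH defaulted to it,
# and the permissive reading is the safe one on an unknown box).
check_sshd_config() {
    f="$1"; weak=0
    port=$(sshd_option "$f" Port 22)
    root=$(sshd_option "$f" PermitRootLogin yes)
    pass=$(sshd_option "$f" PasswordAuthentication yes)
    if [ "$port" = "22" ]; then
        echo "WEAK: Port 22 (the default every scanner tries first)"; weak=1
    fi
    if [ "$root" = "yes" ]; then
        echo "WEAK: PermitRootLogin $root (log in as a normal user, then su/sudo)"; weak=1
    fi
    if [ "$pass" = "yes" ]; then
        echo "WEAK: PasswordAuthentication $pass (use keys instead)"; weak=1
    fi
    return $weak
}

# Constructed samples: the weak one leaves the defaults in place (commented out),
# the hardened one applies the thread's advice.
write_weak_sshd_config() {
    cat > "$1" <<'EOF'
# Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

if [ $# -gt 0 ]; then
    check_sshd_config "$1" && echo "OK: $1 has all three settings hardened"
else
    w=$(mktemp); h=$(mktemp)
    write_weak_sshd_config "$w"; write_hardened_sshd_config "$h"
    echo "Weak sample:"; check_sshd_config "$w" || echo "-> rejected"
    echo "Hardened sample:"; check_sshd_config "$h" && echo "-> accepted"
    rm -f "$w" "$h"
fi
```

The weak sample is what a stock install often looks like: nothing explicitly wrong, just every relevant line still commented out. Turn PasswordAuthentication off only after a key login has been tested from a second session, so a typo does not lock you out.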
@psycholyzern what steps do you take on your VPS after a fresh install?
I've got some VPSes.. on the other VPS, I just changed the SSH port... but for this VPS, I've done nothing..
It's my fault for not taking any precautionary steps.. but it is because I didn't host any sensitive files. Just a hobby.