
I got an abuse report for AWS and they shut down one of my personal servers. I can SSH in, but no other connectivity is working right now until I can prove to them I addressed it. Full transparency, I'm minimally competent in linux.

AWS says my server is trying to ssh into other systems, so maybe I got some kind of botnet on it. Here's a sample they sent:

Lines containing failures of <IP> (max 1000)
Dec 19 18:25:07 viking sshd[2404152]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP> user=root
Dec 19 18:25:09 viking sshd[2404152]: Failed password for root from <IP> port 54806 ssh2
Dec 19 18:25:11 viking sshd[2404152]: Received disconnect from <IP> port 54806:11: Bye Bye [preauth]
Dec 19 18:25:11 viking sshd[2404152]: Disconnected from authenticating user root <IP> port 54806 [preauth]
Dec 19 18:30:56 viking sshd[2406221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP> user=root
Dec 19 18:30:59 viking sshd[2406221]: Failed password for root from <IP> port 47524 ssh2
Dec 19 18:31:01 viking sshd[2406221]: Received disconnect from <IP> port 47524:11: Bye Bye [preauth]
Dec 19 18:31:01 viking sshd[2406221]: Disconnected from authenticating user root <IP> port 47524 [preauth]

I ran sudo netstat -antp. The only two programs I couldn't immediately identify are 1699/./bin/tor and 1826/./kswapd0. I am not running tor, so that's concerning. Googling kswapd0 says it's a memory manager, so I guess that's fine? There are a lot of ports it has the status SYN_SENT on.

Any pointers on what to look for or other things to try would be greatly appreciated.

nosnevel
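Two checks a responder would run against the netstat output quoted in the question, as added example code that is not part of the question or of any answer: it parses `netstat -antp` rows, flags a kernel-thread name such as kswapd0 attached to a userland binary or a relative `./` path, and counts SYN_SENT connections per PID; `inspect_pid` reads /proc to confirm whether a PID is a genuine kernel thread (no exe link, empty cmdline, parent kthreadd with PID 2). The sample rows are constructed, not the asker's real output.

```python
import os
import re

# Constructed netstat -antp rows modelled on what the question reports (PID/Program name column).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      1 10.0.0.5:41022          203.0.113.7:22          SYN_SENT    1826/./kswapd0
tcp        0      1 10.0.0.5:41023          203.0.113.8:22          SYN_SENT    1826/./kswapd0
tcp        0      0 10.0.0.5:51010          198.51.100.3:9001       ESTABLISHED 1699/./bin/tor
"""

ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)")

# Genuine kernel-thread names; malware borrows them because admins skip over them in process lists.
KERNEL_THREAD_NAMES = {"kswapd0", "kthreadd", "ksoftirqd", "kworker", "migration"}

def triage_netstat(lines, syn_threshold=10):
    """Return {pid: {"prog", "syn_sent", "reasons"}} for PIDs that deserve a closer look."""
    seen = {}
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue
        e = seen.setdefault(m["pid"], {"prog": m["prog"], "syn_sent": 0, "reasons": set()})
        if m["state"] == "SYN_SENT":
            e["syn_sent"] += 1
        if m["prog"].startswith("./"):
            e["reasons"].add("binary launched from a relative path")
        # A real kernel thread has no executable file, so netstat could never show a path for it.
        if os.path.basename(m["prog"]) in KERNEL_THREAD_NAMES:
            e["reasons"].add("kernel-thread name on a userland binary")
    for e in seen.values():
        if e["syn_sent"] >= syn_threshold:
            e["reasons"].add(f"{e['syn_sent']} outbound SYN_SENT connections")
    return {pid: e for pid, e in seen.items() if e["reasons"]}

def looks_like_kernel_thread(exe_target, cmdline, ppid):
    """Kernel threads have no exe link, an empty cmdline and kthreadd (PID 2) as parent."""
    return exe_target is None and cmdline == b"" and ppid == 2

def inspect_pid(pid, proc="/proc"):
    """Read the three facts above from /proc/<pid>; run as root, or readlink fails with EACCES."""
    base = f"{proc}/{pid}"
    try:
        exe_target = os.readlink(f"{base}/exe")
    except OSError:
        exe_target = None  # ENOENT for kernel threads
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    with open(f"{base}/status") as f:
        ppid = int(re.search(r"^PPid:\s*(\d+)", f.read(), re.M).group(1))
    return exe_target, cmdline, ppid
```

On the box itself, `looks_like_kernel_thread(*inspect_pid(1826))` returning False for a process called kswapd0 is the confirmation that the name is borrowed.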
    Given your level of understanding, nuking it from orbit is the sole responsible answer. You *can't* trust process names. Cleaning up the mess is immensely difficult, and one slipup means that you're compromised again tomorrow morning. Nuke & restore services. – vidarlo Dec 22 '22 at 20:53

0 Answers