Suspected botnet activity

I got the following message a day ago. Don't know about this any suggestion!!


We have received a report of suspected botnet activity for your Linode. This is most likely the result of a system compromise. If we have not heard from you in 72 hours, we may need to place network restrictions on your Linode to prevent further abuse.

In order to consider this resolved we will require the following from you:

Steps taken to prevent this activity from reoccurring
We're here to help provide guidance, but keep in mind that investigating this on your behalf is beyond the scope of our support, our Community Questions site can offer guidance in resolving this issue:

I've noticed some suspicious activity on my Linode, what do I do?
If you need additional assistance, you can always create your own post on our Community Questions site to get help from the Linode Community. If you determine that you are unable to resolve this issue yourself, we strongly suggest that you rebuild your Linode.

Please review the following update which will contain the original report we received. Once you’ve investigated and resolved this issue, please respond to this ticket.

Kevin T.
Linode Support

2 Replies

The first thing I would do is get a description of the suspect activity (with logs if support has them). Next, I would ask Support to describe why they think it's botnet activity.

This is pretty serious and, if true, you have some work ahead of you.

-- sw

More often than not, this kind of issue is the result of a compromise.

When we open a Terms of Service ticket for something like Suspected Botnet Activity, there will be logs included in either the initial update or a subsequent update to the ticket. We provide them both as proof that something has occurred, but more so as a way to assist you in your investigation of what's happening on your Linode that you probably aren't aware of.

In the text that you provided above, there should be a link to the following Community Questions site post:

I've noticed some suspicious activity on my Linode, what do I do?

That post provides some great first steps to take if you're unfamiliar with tracking down suspicious activity on your Linode as well as ways to harden access to your Linode.

Though, something to keep in mind is that often a hacker will create a backdoor to the server to retain access should you take steps to secure your Linode. If that is the case, the best option would be to spin up a new Linode in the same data center, transfer files over via Secure Copy Protocol (SCP) or rsync, work through securing your server, and then transfer the IP address so you don't have to update any DNS records.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct