ToS Violation - Malicious Activity
Why does my Linode keep attacking other people's port 123? I am currently using official mirrors, and I only use the apt repository to download and use htop, ipset, and HAProxy software on it. Can anyone provide help or instructions?
2 Replies
Port 123 is the Network Time Protocol (ntp) port. You most likely have a 'bot and/or virus infection. Do you have a firewall? If not you should.
Just downloading stuff from "approved" sources is no guarantee against such nastiness. You have to be proactive and prevent it.
You should really do these scans while in rescue mode…so that the 'bot or whatever can't phone home and thwart it.
See: https://www.linode.com/docs/guides/rescue-and-rebuild/
Once in rescue mode, you can run the command linode_clam
For rkhunter, see: https://www.linode.com/community/questions/21229/using-rkhunter-on-your-linode-to-scan-for-malicious-software
-- sw
Hey there,
Great question! If you are receiving a Malicious Activity Violation then it is likely that you are a victim of compromise on your system. Malicious Activity Violations stem from various types of abuse that may be coming from your Linode. Some of these instances include unwanted port scanning, injection attacks, and outbound Dos attacks.
The following Community Site post is a great resource that will provide you with troubleshooting steps to help you find suspicious activity on your Linode. In this post, you will find steps to investigate and find any intrusions on your system. As well as some remedies to bring the issue to a resolution.
If anyone else here has any other suggestions, I'd encourage you to share them below. Thanks in advance!