ToS Violation - Malicious Activity

Why does my Linode keep attacking other people's port 123? I am currently using official mirrors, and I only use the apt repository to download and use htop, ipset, and HAProxy software on it. Can anyone provide help or instructions?

2 Replies

Port 123 is the Network Time Protocol (NTP) port. You most likely have a 'bot and/or virus infection. Do you have a firewall? If not, you should.

Just downloading stuff from "approved" sources is no guarantee against such nastiness. You have to be proactive and prevent it.

You should really do these scans while in rescue mode…so that the 'bot or whatever can't phone home and thwart it.


Once in rescue mode, you can run the command linode_clam

For rkhunter, see:

-- sw

Hey there,

Great question! If you are receiving a Malicious Activity Violation then it is likely that you are a victim of compromise on your system. Malicious Activity Violations stem from various types of abuse that may be coming from your Linode. Some of these instances include unwanted port scanning, injection attacks, and outbound DoS attacks.

The following Community Site post is a great resource that will provide you with troubleshooting steps to help you find suspicious activity on your Linode. In this post, you will find steps to investigate and find any intrusions on your system, as well as some remedies to bring the issue to a resolution.

If anyone else here has any other suggestions, I'd encourage you to share them below. Thanks in advance!
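
One way to narrow down which local account is sending the port 123 traffic discussed in the replies above, as an added example that is not part of either reply or of Linode's documentation: log outbound UDP port 123 packets with iptables and summarize them per user ID. The `NTP-OUT` prefix, the threshold of 8 destinations, the function names and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# First log outbound NTP on the Linode (as root), then feed the kernel log in:
#   iptables -I OUTPUT -p udp --dport 123 -j LOG --log-prefix "NTP-OUT " --log-uid
#   journalctl -k | summarize_ntp_out

# Assumed threshold: a normal time client talks to only a few servers.
MAX_DSTS=${MAX_DSTS:-8}

# Reads iptables LOG lines on stdin; prints "uid packets distinct_dsts verdict".
summarize_ntp_out() {
  awk -v max="$MAX_DSTS" '
    {
      uid = "unknown"; dst = ""; udp = 0; ntp = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "PROTO=UDP") udp = 1
        else if ($i == "DPT=123") ntp = 1
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^UID=/) uid = substr($i, 5)
      }
      if (!udp || !ntp || dst == "") next   # keep only UDP to port 123
      pkts[uid]++
      if (!((uid, dst) in seen)) { seen[uid, dst] = 1; dsts[uid]++ }
    }
    END {
      for (u in pkts) {
        v = (dsts[u] > max + 0) ? "SUSPICIOUS" : "ok"
        printf "%s %d %d %s\n", u, pkts[u], dsts[u], v
      }
    }' | sort
}

# Constructed sample: uid 101 polls two servers, uid 33 contacts ten hosts.
sample_log() {
  fmt='kernel: NTP-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=%s LEN=76 PROTO=UDP SPT=%s DPT=%s LEN=56 UID=%s GID=%s\n'
  printf "$fmt" 198.51.100.1 50000 123 101 101
  printf "$fmt" 198.51.100.2 50000 123 101 101
  printf "$fmt" 198.51.100.1 50000 123 101 101
  i=1
  while [ "$i" -le 10 ]; do
    printf "$fmt" "203.0.113.$i" 40000 123 33 33
    i=$((i + 1))
  done
  printf "$fmt" 203.0.113.99 40000 53 33 33   # DNS packet, must be ignored
}

sample_log | summarize_ntp_out
```

A flagged UID can be mapped to an account with `getent passwd <uid>`; a time daemon polling a handful of servers is expected, while a web or application account reaching many distinct hosts on port 123 is the lead to follow.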

