I've noticed some suspicious activity on my Linode, what do I do?

Linode Staff

I've noticed my Linode recently had a sharp increase in outbound traffic and I am not certain why. What can I do to investigate this?

4 Replies

You may have been the victim of a compromise on your system. This occasionally happens, and there are some steps you can take to investigate this and find the cause. If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:

  • /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘last’ command to cross-reference recent account logins with this file.
  • /tmp : This directory is often used by malicious parties to store files.
  • Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.
  • ps aux : Use this command to audit running processes for foreign processes.

If those do not help you, I do have some more quick tips and links for next steps you could take:

  1. Look for recently modified files that look suspicious

  2. Look for suspicious processes that are running

  3. Run Linux antivirus software. Here are some examples:

If you do discover your Linode has been compromised, I would recommend taking a look at our Recovering from a System Compromise Guide. I would also recommend taking a look at the following guides to help prevent future compromises to your Linode:

I hope this helps point you in the right direction. If you have any other questions, comments, or concerns, please feel free to respond here on the Community Site and someone may be able to help direct you.

On CentOS there is no file /var/log/auth.log:

ls -l /var/log

total 456
drwxr-xr-x. 2 root root 4096 Sep 25 14:54 anaconda
drwx------. 2 root root 4096 Dec 28 09:28 audit
-rw-------. 1 root root 9959 Dec 28 09:28 boot.log
-rw-rw----. 1 root utmp 8448 Dec 28 09:54 btmp
-rw-------. 1 root root 971 Dec 28 10:01 cron
-rw-r--r--. 1 root root 173291 Dec 28 10:00 dnf.librepo.log
-rw-r--r--. 1 root root 37510 Dec 28 10:00 dnf.log
-rw-r--r--. 1 root root 8336 Dec 28 10:00 dnf.rpm.log
drwxr-x---. 2 exim exim 4096 Nov 19 13:15 exim
-rw-r-----. 1 root root 0 Dec 28 09:28 firewalld
-rw-r--r--. 1 root root 9649 Dec 28 10:00 hawkey.log
-rw-rw-r--. 1 root utmp 291708 Dec 28 10:01 lastlog
-rw-------. 1 root root 0 Sep 25 14:49 maillog
-rw-------. 1 root root 105820 Dec 28 10:01 messages
drwx------. 2 root root 4096 Sep 25 14:54 private
drwxr-xr-x. 2 root root 4096 Sep 25 14:54 qemu-ga
-rw-r--r--. 1 root root 1040 Jul 1 15:29 README
drwxr-xr-x. 2 root root 4096 Dec 28 09:28 sa
-rw-------. 1 root root 20283 Dec 28 10:01 secure
-rw-------. 1 root root 0 Sep 25 14:49 spooler
drwxr-x---. 2 sssd sssd 4096 Dec 28 09:28 sssd
drwxr-xr-x. 2 root root 4096 Dec 28 09:28 tuned
-rw-rw-r--. 1 root utmp 4224 Dec 28 10:01 wtmp

Linode Staff

Hello @dmitri14! The correct log on CentOS will be /var/log/secure. Hope this helps!
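A small triage helper covering the two points above (auditing the auth log for brute-force attempts, and the CentOS log being /var/log/secure rather than /var/log/auth.log), added here as an example and not part of the thread or of Linode's own tooling; the function names are chosen for this example and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: locate the SSH auth log for this
# distro (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on CentOS/RHEL)
# and summarise failed password attempts per source IP so brute-force sources
# stand out. Function names and the sample lines are chosen for this example.

# Print the first auth log present under the given log directory (default /var/log).
auth_log_path() {
    dir="${1:-/var/log}"
    for f in "$dir/auth.log" "$dir/secure"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Count "Failed password" entries per source IP in the given log file.
# Output: one "<count> <ip>" line per source, most active first.
count_failed_logins() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Write constructed sshd-style sample lines (not real traffic) to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 28 09:40:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Dec 28 09:40:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Dec 28 09:41:10 host sshd[1210]: Accepted publickey for deploy from 203.0.113.5 port 50211 ssh2
Dec 28 09:42:15 host sshd[1215]: Failed password for root from 192.0.2.44 port 39877 ssh2
Dec 28 09:42:20 host sshd[1217]: Failed password for root from 198.51.100.7 port 41044 ssh2
EOF
}

# Demo on the sample; on a real host use: count_failed_logins "$(auth_log_path)"
sample="$(mktemp)"
write_sample_log "$sample"
count_failed_logins "$sample"
rm -f "$sample"
```

Cross-check any source that stands out against the output of `last` as the first reply suggests, since a source with many failures followed by an accepted login is the case worth looking at first.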

> 1. Run Linux antivirus software. Here are some examples:

ClamAV
Maldet
RootkitHunter
Chkrootkit

We recently made an update to rescue mode that reduces some effort when it comes to using ClamAV. You no longer need to download it, but can run a preloaded script. The below is an excerpt from our updated guide on scanning for system vulnerabilities with ClamAV:
From the Finnix rescue mode, run the automated script using the following command:

linode_clam
