Help needed troubleshooting and restoring my Linode Service

I am in need of professional help in restoring my service with Linode. Very recently, I received a TOS Violation - Outbound DoS violation and had the site powered off. I will gladly pay someone with appropriate experience to assist in restoring my service. If you can fix these issues, please contact me via email at james@secureroofs.com and provide an estimate regarding time and money to fix issues and restore service. Thanks in advance!

Support Tickets from Linode:

We have detected an outbound denial of service attack originating from your Linode. It appears that a process internal to your Linode is sending large amounts of malicious traffic towards other servers. We ask that you investigate this matter as soon as possible to determine why this activity is originating from your Linode.

If you were not aware that activity of this nature was originating from your Linode, it is likely that your Linode has been compromised, and you'll want to take appropriate action.

Follow Up.

Thank you for calling Linode today. If you are unable to determine the source of these attacks, your Linode has most likely been compromised. If this is the case, we would not recommend booting into the compromised disk images. You should back up your data and delete the compromised disk images as soon as possible. For instructions on how to do this with the least amount of downtime possible, you can refer to the following guide:

http://library.linode.com/troubleshooting/compromise-recovery

2 Replies

What OS are you running? Debian/Ubuntu/CentOS? If you can still reach the Linode, you should be able to see whatever is causing the traffic through iftop (and if you're generating a lot of CPU, through htop / ps auxf as well).

If you want a quick fix I wouldn't mind having a look on your Linode. Stopping/removing the script that causes the DoS is normally not a huge issue, they're pretty noisy. It'll be more time to fix the actual issue that they used to compromise the system. It might be something small like a vulnerability in a website you run, but if you're unlucky and they got root access you'll have to rebuild your Linode.

Either way, if the underlying issue isn't fixed it can come back. If it came in through your website it can be somewhat mitigated with things like open_basedir and disabled PHP functions, but that does not stop them from messing with your website and databases, only that they can't do anything outside of your site.

Are you running a CMS or something custom-made? Wordpress/Joomla/Drupal, etc?

Could you also post screenshots of your CPU/Network graph in the Linode manager? That should help to determine the time when the DoS started.
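As an added example (not from this thread), here is a small Python script that does with `ss -tunap` output what the reply above suggests doing interactively with iftop and ps: it groups sockets by owning process and flags any process talking to many distinct remote hosts, which is the usual shape of an outbound flood from a compromised web app. The `ss` output below is constructed for illustration; the `min_peers` threshold is an assumption to tune per host.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample in the layout of `ss -tunap` on Ubuntu (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
tcp   ESTAB  0      0      203.0.113.10:22      198.51.100.5:51022 users:(("sshd",pid=1021,fd=4))
tcp   ESTAB  0      0      203.0.113.10:3000    198.51.100.9:40212 users:(("ruby",pid=1503,fd=12))
udp   ESTAB  0      0      203.0.113.10:41234   192.0.2.11:80      users:(("ruby",pid=2134,fd=9))
udp   ESTAB  0      0      203.0.113.10:41235   192.0.2.12:80      users:(("ruby",pid=2134,fd=10))
udp   ESTAB  0      0      203.0.113.10:41236   192.0.2.13:80      users:(("ruby",pid=2134,fd=11))
udp   ESTAB  0      0      203.0.113.10:41237   192.0.2.14:80      users:(("ruby",pid=2134,fd=12))
"""

# Matches each ("name",pid=N,fd=M) entry in the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def summarize_connections(ss_text):
    """Return {(pid, name): {"conns": n, "peers": set(of remote hosts)}} from ss output."""
    summary = defaultdict(lambda: {"conns": 0, "peers": set()})
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        peer_host = fields[5].rsplit(":", 1)[0]  # drop the port, keep the remote host
        for name, pid in PROC_RE.findall(line):
            entry = summary[(int(pid), name)]
            entry["conns"] += 1
            entry["peers"].add(peer_host)
    return summary


def suspicious_processes(ss_text, min_peers=3):
    """(pid, name, distinct_peers, sockets) for processes reaching >= min_peers hosts."""
    summary = summarize_connections(ss_text)
    flagged = [(pid, name, len(v["peers"]), v["conns"])
               for (pid, name), v in summary.items() if len(v["peers"]) >= min_peers]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    # On a live box run as root so ss can resolve socket owners; here we use the sample.
    try:
        live = subprocess.run(["ss", "-tunap"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_SS_OUTPUT
    for pid, name, peers, conns in suspicious_processes(live):
        print(f"pid={pid} {name}: {peers} remote hosts over {conns} sockets -> inspect with ps auxf")
```

A flagged PID is a starting point, not proof: check its command line and parent in `ps auxf` and the files it has open before deciding it is the flood source.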

The OS is Ubuntu. Site is built on Ruby on Rails, CMS is Active Admin. The CPU/Network graph is blank as the site has been powered off now for a few days. Please feel free to email me directly with any more questions. james@secureroofs.com
