0
State      Recv-Q Send-Q        Local Address:Port            Peer Address:Port   
FIN-WAIT-1 0      3640        my.public.ip.xx:https          xxx.xx.xxx.xx:56206   
SYN-SENT   0      1           my.public.ip.xx:55380          suspicious.ip1:9001     users:(("zpanel-cgi",4274,3))
FIN-WAIT-1 0      178         my.public.ip.xx:https          xxx.xx.xxx.xx6:56204   
FIN-WAIT-1 0      3640        my.public.ip.xx:https          xxx.xx.xxx.xx:3275    
ESTAB      0      304         my.public.ip.xx:ssh            my.local.ip.x:32806    users:(("sshd",13981,3))
FIN-WAIT-1 0      178         my.public.ip.xx:https          xxx.xx.xxx.xx:3263    
SYN-SENT   0      1           my.public.ip.xx:42411          suspicious.ip2:whois    users:(("whois",14681,175))
FIN-WAIT-1 0      70          my.public.ip.xx:https          xxx.xx.xxx.xx:56198   
ESTAB      0      0           my.public.ip.xx:http           xxx.xx.xxx.xx:7497     users:(("apache2",14594,88))

Hi, So my server was compromised a while ago and i am trying to rectify the issues.

My server is running Ubuntu 12.04. As you can see from the log above (resulted from command ss -tp), there are two connections which are aliens (both username cannot be found in the file /etc/passwd

Currently I am using ufw to block all weird incomming/outgoing connections.
My question is how can I fully clear these connections and their parent process/users ?

Nathan Do
  • 113
  • 5

1 Answers1

4

Nuke it from orbit. It's the only way to be sure.

Seriously, if you're certain your server has been compromised, the only certain way to clean it up is to wipe it clean and rebuild, this time making sure that whatever vulnerability was used isn't present.

Sure, you could spend time playing whack-a-mole, but how can you be sure that you've removed a file, when the attacker could have patched rm and ls to lie to you? Replaced ps and top with versions that won't list the attacker's bot? Replaced ufw to let their connections through without telling you?

Mark
  • 34,513
  • 9
  • 86
  • 135
  • 1
    And if you need to ask to find that netstat tells you which processes have open connections it's unlikely you can deal with adversaries on your own system... You need to have some experience with system administration to do forensics. Not to mention you don't even know if netstat would tell you the truth or even if it's your own kernel you're running... As @Mark says rebuilding is definitely the way to go! – Steve Dodier-Lazaro Oct 04 '14 at 12:06