State Recv-Q Send-Q Local Address:Port Peer Address:Port
FIN-WAIT-1 0 3640 my.public.ip.xx:https xxx.xx.xxx.xx:56206
SYN-SENT 0 1 my.public.ip.xx:55380 suspicious.ip1:9001 users:(("zpanel-cgi",4274,3))
FIN-WAIT-1 0 178 my.public.ip.xx:https xxx.xx.xxx.xx6:56204
FIN-WAIT-1 0 3640 my.public.ip.xx:https xxx.xx.xxx.xx:3275
ESTAB 0 304 my.public.ip.xx:ssh my.local.ip.x:32806 users:(("sshd",13981,3))
FIN-WAIT-1 0 178 my.public.ip.xx:https xxx.xx.xxx.xx:3263
SYN-SENT 0 1 my.public.ip.xx:42411 suspicious.ip2:whois users:(("whois",14681,175))
FIN-WAIT-1 0 70 my.public.ip.xx:https xxx.xx.xxx.xx:56198
ESTAB 0 0 my.public.ip.xx:http xxx.xx.xxx.xx:7497 users:(("apache2",14594,88))
Hi. So my server was compromised a while ago and I am trying to rectify the issues.
My server is running Ubuntu 12.04. As you can see from the log above (the result of the command ss -tp), there are two connections which are alien (neither username can be found in the file /etc/passwd).
Currently I am using ufw to block all weird incoming/outgoing connections.
My question is: how can I fully clear these connections and their parent processes/users?