Process blocking CentOS and flooding lan

Issues related to applications and software problems and general support
carletto
Posts: 10
Joined: 2019/11/14 07:44:10

Process blocking CentOS and flooding lan

Post by carletto » 2020/01/10 09:08:32

Hi,

I have a small home server with CentOS 8. For 3/4 days it has been flooding the LAN and I can't surf at all with any device attached to this network.
After a long search I found that a process is blocking everything (or rather, I think a process is blocking everything).

This is a screenshot from netstat -tup:
[screenshot netstat.jpg: output of netstat -tup]
The only strange one is this 687.

This is ps -p 687:
[screenshot ps.jpg: output of ps -p 687]
In "top" I can see that this process is always using CPU between 30 and 40%. If I kill this process it will be immediately up again with another PID and another strange name.

The folder from ls -l /proc/687/cwd is: /root.

I have no other idea what I should do now :( :( :(
I'm really going crazy.

Thanks in advance for any help!

PS: I'm also a bit desperate :(

stevemowbray
Posts: 504
Joined: 2012/06/26 14:20:47

Re: Process blocking CentOS and flooding lan

Post by stevemowbray » 2020/01/10 09:44:25

It looks like your machine has been broken into. At this point you can't trust anything on it, you need to back up any data and reinstall from scratch.

When you reinstall make sure you use new strong passwords and do not enable any services you don't need, and make sure it is up to date with all package updates. When putting back data you'll need to review it to make sure it's what you think it is (e.g. if you had a web server running that may have been how they got in, so you shouldn't just blindly put back any configuration or data files.)

carletto
Posts: 10
Joined: 2019/11/14 07:44:10

Re: Process blocking CentOS and flooding lan

Post by carletto » 2020/01/10 10:56:18

Thanks for your answer and your tips!
It was basically a Nextcloud server. After this problem I think I will remove everything and forget my project of a home server.

BShT
Posts: 178
Joined: 2019/10/09 12:31:40

Re: Process blocking CentOS and flooding lan

Post by BShT » 2020/01/10 12:48:41

Don't forget your project, find out how your server was broken into, what this software is and who broke into your server.

carletto
Posts: 10
Joined: 2019/11/14 07:44:10

Re: Process blocking CentOS and flooding lan

Post by carletto » 2020/01/10 13:20:15

BShT wrote:
2020/01/10 12:48:41
Don't forget your project, find out how your server was broken into, what this software is and who broke into your server.

It would be my dream, but I have no experience with that and I have no idea where I can start :(

BShT
Posts: 178
Joined: 2019/10/09 12:31:40

Re: Process blocking CentOS and flooding lan

Post by BShT » 2020/01/10 16:04:26

Start by looking at the alien application. Is it a script? Read the script. Is it a binary? Look at its MD5 and find out if it is known (Google).

Try to find out what it was doing and how people inject this.

Look at your firewall and at your Apache logs according to the timestamp of the malware.

Look at /var/log/security and see if someone got inside your server.

Find out if someone created a user on your server.

It is an opportunity...

KernelOops
Posts: 251
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Process blocking CentOS and flooding lan

Post by KernelOops » 2020/01/10 17:23:57

Maybe he did not listen when Nextcloud announced an active exploit in November; it's called NextCry.

There are some alternative exploits going around that, instead of encrypting files, execute a crypto miner.

Nothing of interest really; just format and reinstall, and next time pay attention to updates.
--
I love my computer - all my friends live there.
--

carletto
Posts: 10
Joined: 2019/11/14 07:44:10

Re: Process blocking CentOS and flooding lan

Post by carletto » 2020/01/17 07:28:56

Hi!
BShT wrote:
2020/01/10 16:04:26

Look at /var/log/security and see if someone got inside your server.

From the security log I saw they did a brute force on SSH. They tried for one month before they got the password (I'm assuming that because I have no more security log from the 6th of January and on those days my LAN began to have problems).

I checked the bash_history file but everything is ok and there isn't any strange command. Could it be that they deleted everything?

Find out if someone created a user on your server.

The file /etc/passwd looks ok.

Start by looking at the alien application. Is it a script? Read the script. Is it a binary? Look at its MD5 and find out if it is known (Google).

I have no idea how I can do it :( I played a bit with /proc but I only found that the process folder is /root and the command of the process is netstat -aa.

That's all!
Thank you for your help.

PS: Now I have learned; I will disable root login from SSH and I will connect to SSH only with OpenVPN (never again forward port 22).

TrevorH
Forum Moderator
Posts: 28523
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Process blocking CentOS and flooding lan

Post by TrevorH » 2020/01/17 08:00:04

I only found that the process folder is /root and the command of the process is netstat -aa
If your attackers had root access then you need to stop trying to "fix" this and do it the right way. In cases of root compromise the only safe solution is to backup your data and reinstall the system from scratch. You have no idea how many ways they have backdoored your server to allow them continued access to it.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

carletto
Posts: 10
Joined: 2019/11/14 07:44:10

Re: Process blocking CentOS and flooding lan

Post by carletto » 2020/01/17 09:03:16

Understood! I will format!

Thank you :) :)
