Untitled

a guest
May 24th, 2019
Hello,

We have received a report of brute force attempts originating from your Linode. It appears that a process internal to your Linode is attacking other servers and attempting to guess their credentials. We ask that you investigate this matter as soon as you are able. Once you have completed your investigation, kindly reply to this ticket with the answers to the following questions:

1) What was the source of the issue?
2) What steps did you take to resolve this issue?
3) What steps did you take to prevent this from occurring again?

Because of the serious nature of brute force attacks, we have applied network restrictions to your Linode to mitigate this issue. While network restrictions are in place, you can access your Linode using our out-of-band Lish console. For more information about using Lish, please take a look at the following guide:

https://www.linode.com/docs/networking/using-the-linode-shell-lish/

I think my Linode is compromised. How can I tell?

If you believe that your Linode has been compromised, you can start troubleshooting by auditing the following log files and writable directories:

/var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the ‘last’ command to cross-reference recent account logins with this file.

/tmp : This directory is often used by malicious parties to store files.

Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (apache, nginx, etc.) configuration.

ps aux : Use this command to audit running processes for foreign processes.

My Linode is compromised. What do I do now?

If you discover that your Linode is compromised, we strongly suggest that you redeploy. It is often very difficult to determine the full scope of a vulnerable system. We have a guide that can assist you with redeploying your server that you can find linked below:

https://www.linode.com/docs/security/recovering-from-a-system-compromise/

During this process, please continue to keep us updated, and let us know if you have any questions.

Kind regards,
Andrew O.

Linode Support Team

REPORT:

Hi, we have detected a network attack from an IP (178.79.161.246) on your network; a computer connected to it is probably infected and is part of a botnet. Please check it and fix it up as soon as possible. Thank you.

The IP 178.79.161.246 has just been banned by Fail2Ban after
2 attempts against apache-attack.

Domain: eliminatusvarices.com (195.78.228.250)

Here is more information about 178.79.161.246:
Lines containing IP:178.79.161.246 in /furanet/sites/*/web/htdocs/logs/access

/furanet/sites/eliminatusvarices.com/web/htdocs/logs/access:178.79.161.246 - - [22/May/2019:11:08:31 +0200] "GET /wp-login.php HTTP/1.1" 200 2369 "-" "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
/furanet/sites/eliminatusvarices.com/web/htdocs/logs/access:178.79.161.246 - - [22/May/2019:11:08:31 +0200] "POST /wp-login.php HTTP/1.1" 200 3242 "-" "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
/furanet/sites/eliminatusvarices.com/web/htdocs/logs/access:178.79.161.246 - - [22/May/2019:11:08:31 +0200] "GET /wp-login.php HTTP/1.1" 200 2369 "-" "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
/furanet/sites/eliminatusvarices.com/web/htdocs/logs/access:178.79.161.246 - - [22/May/2019:11:08:31 +0200] "POST /wp-login.php HTTP/1.1" 200 3119 "-" "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Date: Wed May 22 11:08:33 CEST 2019
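As an added example that is not part of the ticket and not Linode's or Fail2Ban's own code: a small Python detector that applies the same maxretry/findtime rule the reporting host's Fail2Ban jail applied to the wp-login.php POSTs quoted in the report, run over constructed sample lines in the same access-log format. The 192.0.2.x client addresses, the "UA" placeholder and the defaults maxretry=2 / findtime=600 are assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-style prefix: client IP, ident, user, [timestamp], "METHOD path proto"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines in the same format as the access-log excerpt in the ticket
# (192.0.2.0/24 is a documentation range, not a real client; "UA" stands in for a user agent).
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2019:11:08:31 +0200] "GET /wp-login.php HTTP/1.1" 200 2369 "-" "UA"
192.0.2.10 - - [22/May/2019:11:08:31 +0200] "POST /wp-login.php HTTP/1.1" 200 3242 "-" "UA"
192.0.2.10 - - [22/May/2019:11:08:32 +0200] "POST /wp-login.php HTTP/1.1" 200 3119 "-" "UA"
192.0.2.20 - - [22/May/2019:11:09:05 +0200] "GET /wp-login.php HTTP/1.1" 200 2369 "-" "UA"
192.0.2.20 - - [22/May/2019:11:09:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "UA"
192.0.2.20 - - [22/May/2019:12:30:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "UA"
garbage line that must not crash the parser
"""

def parse_line(line):
    """Return (ip, timestamp, method, path) for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]

def find_login_bruteforce(lines, maxretry=2, findtime=600, path="/wp-login.php"):
    """Map IP -> attempts for IPs that POST to `path` at least `maxretry` times within `findtime` s.
    Same maxretry/findtime semantics as a Fail2Ban jail, via a sliding window over sorted attempts."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                              # unparseable line: skip, never crash
        ip, ts, method, req_path = parsed
        if method == "POST" and req_path.split("?", 1)[0] == path:
            attempts[ip].append(ts)
    window, flagged = timedelta(seconds=findtime), {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:    # drop attempts older than findtime
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = end - start + 1
                break
    return flagged
```

Running `find_login_bruteforce(SAMPLE_LOG.splitlines())` flags only 192.0.2.10, whose two POSTs fall one second apart, while 192.0.2.20's two POSTs are 80 minutes apart and stay under the window.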