{"id":2083,"date":"2023-11-21T18:31:20","date_gmt":"2023-11-21T10:31:20","guid":{"rendered":"https:\/\/pjq.me\/?p=2083"},"modified":"2023-11-21T19:14:51","modified_gmt":"2023-11-21T11:14:51","slug":"my-server-is-flagged-as-hacked","status":"publish","type":"post","link":"https:\/\/pjq.me\/?p=2083","title":{"rendered":"My server is flagged as hacked"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Background\"><\/span>Background<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>8 security vendors flagged this URL as malicious<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/3523cf904e82993fe621505619245f236c8cdfe8894cdcc1cb742a2348c2a1e2?nocache=1\">https:\/\/www.virustotal.com\/gui\/url\/3523cf904e82993fe621505619245f236c8cdfe8894cdcc1cb742a2348c2a1e2?nocache=1<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-1024x585.png\" alt=\"\" class=\"wp-image-2084\" style=\"width:560px;height:auto\" srcset=\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-1024x585.png 1024w, https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-300x171.png 300w, https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-768x439.png 768w, https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-1536x877.png 1536w, https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-2048x1170.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"tcpdump_to_figure_out_the_force_ssh_attack_from_the_server\"><\/span>tcpdump to figure out the force ssh attack from the server<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code> sudo tcpdump -vv 
-i eth0 src 165.227.xx.xx and not dst 101.230.xx.xx  port 22 -X -n<\/code><\/pre>\n\n\n\n<p>So here we need to exclude the traffic for the connection that I am using to connect to the server.<\/p>\n\n\n\n<p>So let&#8217;s monitor the logs; the server is trying to ssh to the other servers.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes\n\n18:24:01.659278 IP (tos 0x0, ttl 64, id 0, offset 0, flags &#91;DF], proto TCP (6), length 60)\n    165.227.51.176.22 > 36.92.214.178.59718: Flags &#91;S.], cksum 0xd4d0 (incorrect -> 0xe8ba), seq 15158420, ack 2800055874, win 65160, options &#91;mss 1460,sackOK,TS val 3933769059 ecr 2697666402,nop,wscale 7], length 0\n\t0x0000:  4500 003c 0000 4000 4006 661a a5e3 33b0  E..&lt;..@.@.f...3.\n\t0x0010:  245c d6b2 0016 e946 00e7 4c94 a6e5 7642  $\\.....F..L...vB\n\t0x0020:  a012 fe88 d4d0 0000 0204 05b4 0402 080a  ................\n\t0x0030:  ea78 8d63 a0cb 1f62 0103 0307            .x.c...b....\n18:24:01.854764 IP (tos 0x0, ttl 64, id 36050, offset 0, flags &#91;DF], proto TCP (6), length 52)\n    165.227.51.176.22 > 36.92.214.178.59718: Flags &#91;.], cksum 0xd4c8 (incorrect -> 0x1270), seq 1, ack 23, win 509, options &#91;nop,nop,TS val 3933769254 ecr 2697666604], length 0\n\t0x0000:  4500 0034 8cd2 4000 4006 d94f a5e3 33b0  E..4..@.@..O..3.\n\t0x0010:  245c d6b2 0016 e946 00e7 4c95 a6e5 7658  $\\.....F..L...vX\n\t0x0020:  8010 01fd d4c8 0000 0101 080a ea78 8e26  .............x.&amp;\n\t0x0030:  a0cb 202c                                ...,\n18:24:01.873054 IP (tos 0x0, ttl 64, id 36051, offset 0, flags &#91;DF], proto TCP (6), length 93)\n    165.227.51.176.22 > 36.92.214.178.59718: Flags &#91;P.], cksum 0xd4f1 (incorrect -> 0xe704), seq 1:42, ack 23, win 509, options &#91;nop,nop,TS val 3933769273 ecr 2697666604], length 41: SSH: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\n\t0x0000:  4500 005d 8cd3 4000 4006 d925 a5e3 33b0  E..]..@.@..%..3.\n\t0x0010:  245c d6b2 0016 e946 00e7 4c95 
a6e5 7658  $\\.....F..L...vX\n\t0x0020:  8018 01fd d4f1 0000 0101 080a ea78 8e39  .............x.9\n\t0x0030:  a0cb 202c 5353 482d 322e 302d 4f70 656e  ...,SSH-2.0-Open\n\t0x0040:  5353 485f 382e 3970 3120 5562 756e 7475  SSH_8.9p1.Ubuntu\n\t0x0050:  2d33 7562 756e 7475 302e 340d 0a         -3ubuntu0.4..\n18:24:02.067852 IP (tos 0x0, ttl 64, id 36052, offset 0, flags &#91;DF], proto TCP (6), length 1132)\n    165.227.51.176.22 > 36.92.214.178.59718: Flags &#91;P.], cksum 0xd900 (incorrect -> 0xa4a9), seq 42:1122, ack 23, win 509, options &#91;nop,nop,TS val 3933769467 ecr 2697666808], length 1080\n\t0x0000:  4500 046c 8cd4 4000 4006 d515 a5e3 33b0  E..l..@.@.....3.\n\t0x0010:  245c d6b2 0016 e946 00e7 4cbe a6e5 7658  $\\.....F..L...vX\n\t0x0020:  8018 01fd d900 0000 0101 080a ea78 8efb  .............x..\n\t0x0030:  a0cb 20f8 0000 0434 0714 2885 704e d88b  .......4..(.pN..\n\t0x0040:  935e b97f ee38 d001 6452 0000 0109 6375  .^...8..dR....cu\n\t0x0050:  7276 6532 3535 3139 2d73 6861 3235 362c  rve25519-sha256,\n\t0x0060:  6375 7276 6532 3535 3139 2d73 6861 3235  curve25519-sha25\n\t0x0070:  3640 6c69 6273 7368 2e6f 7267 2c65 6364  6@libssh.org,ecd\n\t0x0080:  682d 7368 6132 2d6e 6973 7470 3235 362c  h-sha2-nistp256,\n\t0x0090:  6563 6468 2d73 6861 322d 6e69 7374 7033  ecdh-sha2-nistp3\n\t0x00a0:  3834 2c65 6364 682d 7368 6132 2d6e 6973  84,ecdh-sha2-nis\n\t0x00b0:  7470 3532 312c 736e 7472 7570 3736 3178  tp521,sntrup761x\n\t0x00c0:  3235 3531 392d 7368 6135 3132 406f 7065  25519-sha512@ope\n\t0x00d0:  6e73 7368 2e63 6f6d 2c64 6966 6669 652d  nssh.com,diffie-\n\t0x00e0:  6865 6c6c 6d61 6e2d 6772 6f75 702d 6578  hellman-group-ex\n\t0x00f0:  6368 616e 6765 2d73 6861 3235 362c 6469  change-sha256,di\n\t0x0100:  6666 6965 2d68 656c 6c6d 616e 2d67 726f  ffie-hellman-gro\n\t0x0110:  7570 3136 2d73 6861 3531 322c 6469 6666  up16-sha512,diff\n\t0x0120:  6965 2d68 656c 6c6d 616e 2d67 726f 7570  ie-hellman-group\n\t0x0130:  3138 2d73 6861 3531 322c 6469 6666 6965  
18-sha512,diffie\n\t0x0140:  2d68 656c 6c6d 616e 2d67 726f 7570 3134  -hellman-group14\n\t0x0150:  2d73 6861 3235 3600 0000 3972 7361 2d73  -sha256...9rsa-s\n\t0x0160:  6861 322d 3531 322c 7273 612d 7368 6132  ha2-512,rsa-sha2\n\t0x0170:  2d32 3536 2c65 6364 7361 2d73 6861 322d  -256,ecdsa-sha2-\n\t0x0180:  6e69 7374 7032 3536 2c73 7368 2d65 6432  nistp256,ssh-ed2\n\t0x0190:  3535 3139 0000 006c 6368 6163 6861 3230  5519...lchacha20\n\t0x01a0:  2d70 6f6c 7931 3330 3540 6f70 656e 7373  -poly1305@openss\n\t0x01b0:  682e 636f 6d2c 6165 7331 3238 2d63 7472  h.com,aes128-ctr\n\t0x01c0:  2c61 6573 3139 322d 6374 722c 6165 7332  ,aes192-ctr,aes2\n\t0x01d0:  3536 2d63 7472 2c61 6573 3132 382d 6763  56-ctr,aes128-gc\n\t0x01e0:  6d40 6f70 656e 7373 682e 636f 6d2c 6165  m@openssh.com,ae\n\t0x01f0:  7332 3536 2d67 636d 406f 7065 6e73 7368  s256-gcm@openssh\n\t0x0200:  2e63 6f6d 0000 006c 6368 6163 6861 3230  .com...lchacha20\n\t0x0210:  2d70 6f6c 7931 3330 3540 6f70 656e 7373  -poly1305@openss\n\t0x0220:  682e 636f 6d2c 6165 7331 3238 2d63 7472  h.com,aes128-ctr\n\t0x0230:  2c61 6573 3139 322d 6374 722c 6165 7332  ,aes192-ctr,aes2\n\t0x0240:  3536 2d63 7472 2c61 6573 3132 382d 6763  56-ctr,aes128-gc\n\t0x0250:  6d40 6f70 656e 7373 682e 636f 6d2c 6165  m@openssh.com,ae\n\t0x0260:  7332 3536 2d67 636d 406f 7065 6e73 7368  s256-gcm@openssh\n\t0x0270:  2e63 6f6d 0000 00d5 756d 6163 2d36 342d  .com....umac-64-\n\t0x0280:  6574 6d40 6f70 656e 7373 682e 636f 6d2c  etm@openssh.com,\n\t0x0290:  756d 6163 2d31 3238 2d65 746d 406f 7065  umac-128-etm@ope\n\t0x02a0:  6e73 7368 2e63 6f6d 2c68 6d61 632d 7368  nssh.com,hmac-sh\n\t0x02b0:  6132 2d32 3536 2d65 746d 406f 7065 6e73  a2-256-etm@opens\n\t0x02c0:  7368 2e63 6f6d 2c68 6d61 632d 7368 6132  sh.com,hmac-sha2\n\t0x02d0:  2d35 3132 2d65 746d 406f 7065 6e73 7368  -512-etm@openssh\n\t0x02e0:  2e63 6f6d 2c68 6d61 632d 7368 6131 2d65  .com,hmac-sha1-e\n\t0x02f0:  746d 406f 7065 6e73 7368 2e63 6f6d 2c75  tm@openssh.com,u\n\t0x0300:  6d61 632d 
3634 406f 7065 6e73 7368 2e63  mac-64@openssh.c\n\t0x0310:  6f6d 2c75 6d61 632d 3132 3840 6f70 656e  om,umac-128@open\n\t0x0320:  7373 682e 636f 6d2c 686d 6163 2d73 6861  ssh.com,hmac-sha\n\t0x0330:  322d 3235 362c 686d 6163 2d73 6861 322d  2-256,hmac-sha2-\n\t0x0340:  3531 322c 686d 6163 2d73 6861 3100 0000  512,hmac-sha1...\n\t0x0350:  d575 6d61 632d 3634 2d65 746d 406f 7065  .umac-64-etm@ope\n\t0x0360:  6e73 7368 2e63 6f6d 2c75 6d61 632d 3132  nssh.com,umac-12\n\t0x0370:  382d 6574 6d40 6f70 656e 7373 682e 636f  8-etm@openssh.co\n\t0x0380:  6d2c 686d 6163 2d73 6861 322d 3235 362d  m,hmac-sha2-256-\n\t0x0390:  6574 6d40 6f70 656e 7373 682e 636f 6d2c  etm@openssh.com,\n\t0x03a0:  686d 6163 2d73 6861 322d 3531 322d 6574  hmac-sha2-512-et\n\t0x03b0:  6d40 6f70 656e 7373 682e 636f 6d2c 686d  m@openssh.com,hm\n\t0x03c0:  6163 2d73 6861 312d 6574 6d40 6f70 656e  ac-sha1-etm@open\n\t0x03d0:  7373 682e 636f 6d2c 756d 6163 2d36 3440  ssh.com,umac-64@\n\t0x03e0:  6f70 656e 7373 682e 636f 6d2c 756d 6163  openssh.com,umac\n\t0x03f0:  2d31 3238 406f 7065 6e73 7368 2e63 6f6d  -128@openssh.com\n\t0x0400:  2c68 6d61 632d 7368 6132 2d32 3536 2c68  ,hmac-sha2-256,h\n\t0x0410:  6d61 632d 7368 6132 2d35 3132 2c68 6d61  mac-sha2-512,hma\n\t0x0420:  632d 7368 6131 0000 0015 6e6f 6e65 2c7a  c-sha1....none,z\n\t0x0430:  6c69 6240 6f70 656e 7373 682e 636f 6d00  lib@openssh.com.\n\t0x0440:  0000 156e 6f6e 652c 7a6c 6962 406f 7065  ...none,zlib@ope\n\t0x0450:  6e73 7368 2e63 6f6d 0000 0000 0000 0000  nssh.com........\n\t0x0460:  0000 0000 0000 0000 0000 0000            ............\n18:24:02.112049 IP (tos 0x0, ttl 64, id 36053, offset 0, flags &#91;DF], proto TCP (6), length 52)\n    165.227.51.176.22 > 36.92.214.178.59718: Flags &#91;.], cksum 0xd4c8 (incorrect -> 0x0878), seq 1122, ack 999, win 502, options &#91;nop,nop,TS val 3933769512 ecr 2697666808], length 0<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Find_out_the_process\"><\/span>Find 
out the process<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>>><strong>So how can I know which process is doing the ssh connection?<\/strong><\/p>\n\n\n\n<p>GPT-4 Response<\/p>\n\n\n\n<p>If you want to check which processes are making SSH connections on your machine, you can use the <code>netstat<\/code>, <code>lsof<\/code> or <code>ss<\/code> commands combined with <code>grep<\/code> to filter the results.<\/p>\n\n\n\n<p>Here are three options:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Using <code>netstat<\/code> with <code>grep<\/code>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>netstat -tunp | grep ':22'<\/code><\/pre>\n\n\n\n<p>The <code>-tunp<\/code> options represent TCP, UDP, numeric (don&#8217;t resolve names), and programs respectively.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Using <code>lsof<\/code> with <code>grep<\/code>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>lsof -i :22<\/code><\/pre>\n\n\n\n<p>This command lists all the processes using Internet connections on port 22.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Using <code>ss<\/code> with <code>grep<\/code>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -tunp | grep ':22'<\/code><\/pre>\n\n\n\n<p>The <code>-tunp<\/code> options represent TCP, UDP, numeric (don&#8217;t resolve names), and processes respectively.<\/p>\n\n\n\n<p>All of these commands will display a list of active SSH connections along with the PID (Process ID) and the name of the process which is holding that connection. You will need root privileges (<code>sudo<\/code>) to see all information.<\/p>\n\n\n\n<p>It&#8217;s a good practice to keep an eye on active connections, especially if you suspect unauthorized activity. 
Always be sure you trust the processes that are making SSH connections from your machine.<\/p>\n\n\n\n<p><strong>>>Here I use the ss command to find out that one connection is not my connection<\/strong><\/p>\n\n\n\n<p><code>tcp ESTAB 0 532 165.227.51.176:22 36.92.214.178:40918 users:((\"sshd\",pid=655101,fd=4),(\"sshd\",pid=655095,fd=4))<\/code><\/p>\n\n\n\n<p><strong>So write the bash script to loop check the command outputs, and exclude 100.117.199.33 and 101.230.72.103 (which can be configured, it&#8217;s my machine), then get the pid, and print out the pid information, so I can know which file\/process is running in the background<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ss -tunp | grep ':22'\n\ntcp   ESTAB      0      124    165.227.51.176:22     100.117.199.33:65038 users:((\"sshd\",pid=654707,fd=4),(\"sshd\",pid=654658,fd=4))\ntcp   ESTAB      0      532    165.227.51.176:22      36.92.214.178:40918 users:((\"sshd\",pid=655101,fd=4),(\"sshd\",pid=655095,fd=4))\ntcp   ESTAB      0      0      165.227.51.176:22     101.230.72.103:8857  users:((\"sshd\",pid=653119,fd=4),(\"sshd\",pid=653030,fd=4))<\/code><\/pre>\n\n\n\n<p>Yes, you can indeed write a Bash script that will automate the process of checking for unwanted SSH connections. 
Here&#8217;s an example of how you can achieve this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n\n# Define the IP addresses to exclude (comma-separated, without spaces)\nexclude_ips=\"100.117.199.33,101.230.72.103\"\n\n# Turn the list into an alternation pattern; escape the dots so that\n# 100.117.199.33 matches only that address and not e.g. 100x117x199x33\nexclude_pattern=$(echo \"$exclude_ips\" | sed 's\/\\.\/\\\\.\/g' | tr \",\" \"|\")\n\nwhile true\ndo\n    # Note: ':22' is a plain substring match, so it also matches peer ports\n    # such as :22256 on connections to other local ports (e.g. nginx on 443)\n    sudo ss -tunp | grep ':22' | while read -r line\n    do\n        if echo \"$line\" | grep -qE \"$exclude_pattern\"; then\n            continue\n        else\n            # The greedy .* picks the last pid= in the line (the parent sshd)\n            pid=$(echo \"$line\" | sed -n -r 's\/.*pid=(&#91;0-9]+).*\/\\1\/p')\n            echo \"Unusual SSH connection found from:\"\n            echo \"$line\"\n            echo \"Here are more details about the process with PID: $pid\"\n            ps -f -p \"$pid\"\n            # Uncomment below line if you want to kill the process\n            # kill -9 \"$pid\"\n            echo \"-----------\"\n        fi\n    done\n\n    # Wait for 5 seconds before the next check\n    sleep 5\ndone<\/code><\/pre>\n\n\n\n<p>This script will continuously monitor for new SSH connections, excluding the ones from IP addresses you specified. If it finds a connection from an IP address not in the exclude list, it will print the details of that connection along with information about the process that owns the connection.<\/p>\n\n\n\n<p>Remember to make the script executable with <code>chmod +x scriptname.sh<\/code> before running it.<\/p>\n\n\n\n<p>Please do remember that killing a process should always be your last resort as it can lead to data corruption\/loss.<\/p>\n\n\n\n<p>>><strong>And I got some logs<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>www-data  537886  537882  0 Nov20 ?        00:02:34 nginx: worker process\n-----------\nUnusual SSH connection found from:\ntcp ESTAB 0 0 165.227.51.176:22 218.92.0.51:30886 users:((\"sshd\",pid=663116,fd=4))\nHere are more details about the process with PID: 663116\nUID          PID    PPID  C STIME TTY          TIME CMD\nroot      663116     814  0 18:51 ?        
00:00:00 sshd: &#91;accepted]\n-----------\nUnusual SSH connection found from:\ntcp ESTAB 0 0 165.227.51.176:443 47.128.53.113:22290 users:((\"nginx\",pid=537886,fd=48))\nHere are more details about the process with PID: 537886\nUID          PID    PPID  C STIME TTY          TIME CMD\nwww-data  537886  537882  0 Nov20 ?        00:02:34 nginx: worker process\n-----------\nUnusual SSH connection found from:\ntcp ESTAB 0 0 165.227.51.176:443 172.69.23.105:22256 users:((\"nginx\",pid=537886,fd=49))\nHere are more details about the process with PID: 537886\nUID          PID    PPID  C STIME TTY          TIME CMD\nwww-data  537886  537882  0 Nov20 ?        00:02:34 nginx: worker process\n-----------\nUnusual SSH connection found from:\ntcp ESTAB 0 0 165.227.51.176:22 218.92.0.51:30886 users:((\"sshd\",pid=663116,fd=4))\nHere are more details about the process with PID: 663116\nUID          PID    PPID  C STIME TTY          TIME CMD\nroot      663116     814  0 18:51 ?        00:00:00 sshd: &#91;accepted]\n<\/code><\/pre>\n\n\n\n<p>Based on the logs you provided, here&#8217;s what I can observe:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>There are several connections established from your machine to remote IP addresses over common ports such as 22 (SSH) and 443 (HTTPS).<\/li>\n\n\n\n<li>The processes making these connections are:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>sshd<\/code> (PID: 663116), which is the OpenSSH server process, suggests incoming SSH connections to your machine.<\/li>\n\n\n\n<li><code>nginx<\/code> (PID: 537886), which is a popular web server and reverse proxy server. You can see in the logs that from PID 663116, there has been an unknown incoming SSH connection from the IP address 218.92.0.51. Also, from PID 537886 the <code>nginx<\/code> process has made connections to two different remote addresses: 47.128.53.113 and 172.69.23.105. 
These are likely regular web traffic, but if you did not expect it, further investigation would be prudent.<\/li>\n<\/ul>\n\n\n\n<p>Without more context, it&#8217;s unclear whether these connections are normal operations or indicative of a problem. It will depend on what these services are usually doing on your system.<\/p>\n\n\n\n<p>For the <code>nginx<\/code> process connections, you may want to inspect the nginx access and error logs for any unusual requests or activities.<\/p>\n\n\n\n<p>For the SSH connection, if this connection is not made by you, it is definitely suspicious. You might want to check the auth logs (<code>\/var\/log\/auth.log<\/code>) for further details.<\/p>\n\n\n\n<p>Please ensure to have your system and services updated to the latest security patches. Also, regularly monitor system logs and network activities to keep your system secure.<\/p>\n\n\n\n<p>>><strong>In general, nginx should not make ssh connections to other servers, right?<\/strong><\/p>\n\n\n\n<p>That&#8217;s correct, under normal circumstances, it&#8217;s unlikely for Nginx, a web server, to initiate SSH connections by itself. The Nginx service typically serves HTTP and HTTPS requests and doesn&#8217;t connect to other servers using SSH.<\/p>\n\n\n\n<p>The log you&#8217;ve shared indicates that Nginx is connecting to a remote server on port 443 (HTTPS), which is expected if it&#8217;s configured to act as a reverse proxy fetching data from that server. Nginx doesn&#8217;t establish SSH connections.<\/p>\n\n\n\n<p>If you see SSH connections originating from the Nginx process, that&#8217;s unusual and could potentially be a sign of a misconfiguration or even malicious activity such as an exploit of a vulnerability in Nginx or one of your web applications running under Nginx. 
In such a case, it would be prudent to perform a thorough security review and possibly engage a professional organization specializing in this if needed.<\/p>\n\n\n\n<p>>><strong>How to print more information about the PID, e.g. which file is executing<\/strong><\/p>\n\n\n\n<p>To find detailed information about the process, such as which file is executing, you can use a few different commands. Here are a few examples using the PID:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Using <code>\/proc\/[PID]\/exe<\/code>: The <code>\/proc<\/code> filesystem provides a lot of information about running processes. For any given process PID, <code>\/proc\/[PID]\/exe<\/code> is a symbolic link that points to the executable of the process.<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -l \/proc\/537886\/exe<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Using <code>lsof<\/code>: This provides a list of files that are opened by the process.<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>lsof -p 537886<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Use <code>ps<\/code>. This prints current information about the process, including the command that was used to run it.<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>ps -fp 537886<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li><code>pwdx<\/code>: This command provides the current working directory of the process.<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>pwdx 537886<\/code><\/pre>\n\n\n\n<p>Remember to replace <code>537886<\/code> with the PID in question. 
All of these commands can be used to gather more information about the process that is currently running.<\/p>\n\n\n\n<p><strong>>>So update the scripts<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n\n# Define the IP addresses to exclude (comma-separated, without spaces)\nexclude_ips=\"100.117.199.33,101.230.72.103\"\n\nwhile true\ndo\n    # Find unwanted ssh connections\n    sudo ss -tunp | grep 'sshd' | grep ':22' | while read line \n    do\n        if echo $line | grep -qE $(echo $exclude_ips | tr \",\" \"|\"); then\n            continue\n        else\n            pid=$(echo $line | sed -n -r 's\/.*pid=(&#91;0-9]+).*\/\\1\/p')\n\n            echo \"Unusual SSH connection found from:\"\n            echo $line\n\n            echo \"Here are more details about the process with PID: $pid\"\n\n            # Information about the process executing file\n            echo \"&lt;&lt;Process Executing File>>\"\n            sudo ls -l \/proc\/$pid\/exe\n\n            # Information about the process files\n            echo \"&lt;&lt;Process Files>>\"\n            sudo lsof -p $pid\n\n            # Detailed information about the process\n            echo \"&lt;&lt;Process Info>>\"\n            ps -fp $pid\n\n            # Current working directory of the process\n            echo \"&lt;&lt;Process Working Directory>>\"\n            sudo pwdx $pid\n\n            echo \"-----------\"\n        fi\n    done\n\n    # Wait for 5 seconds before the next check\n    sleep 5\ndone\n<\/code><\/pre>\n\n\n\n<p><strong>>>The script has some problems, and here we need to remove grep &#8216;sshd&#8217;<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    sudo ss -tunp | grep 'sshd' | grep ':22' | while read line \n<\/code><\/pre>\n\n\n\n<p><strong>>>So I got some logs<\/strong>; it seems nginx has some problem, so I have no idea what&#8217;s going on.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-----------\nUnusual SSH connection found from:\ntcp ESTAB 0 0 
165.227.51.176:443 172.71.159.62:22620 users:((\"nginx\",pid=678521,fd=14))\nHere are more details about the process with PID: 678521\n&lt;&lt;Process Executing File>>\nlrwxrwxrwx 1 www-data www-data 0 Nov 21 19:11 \/proc\/678521\/exe -> \/usr\/sbin\/nginx\n&lt;&lt;Process Files>>\nCOMMAND    PID     USER   FD      TYPE             DEVICE SIZE\/OFF    NODE NAME\nnginx   678521 www-data  cwd       DIR              252,1     4096       2 \/\nnginx   678521 www-data  rtd       DIR              252,1     4096       2 \/\nnginx   678521 www-data  txt       REG              252,1  1240136  918417 \/usr\/sbin\/nginx\nnginx   678521 www-data  mem       REG              252,1   309600  919685 \/usr\/lib\/x86_64-linux-gnu\/libnss_systemd.so.2\nnginx   678521 www-data  DEL       REG                0,1          6388434 \/dev\/zero\nnginx   678521 www-data  mem       REG              252,1    68552  934912 \/usr\/lib\/x86_64-linux-gnu\/libresolv.so.2\nnginx   678521 www-data  mem       REG              252,1    22600 1013751 \/usr\/lib\/x86_64-linux-gnu\/libkeyutils.so.1.9\nnginx   678521 www-data  mem       REG              252,1    52016  921085 \/usr\/lib\/x86_64-linux-gnu\/libkrb5support.so.0.1\nnginx   678521 www-data  mem       REG              252,1    18504 1013745 \/usr\/lib\/x86_64-linux-gnu\/libcom_err.so.2.1\nnginx   678521 www-data  mem       REG              252,1   182864  918286 \/usr\/lib\/x86_64-linux-gnu\/libk5crypto.so.3.1\nnginx   678521 www-data  mem       REG              252,1   827936  922399 \/usr\/lib\/x86_64-linux-gnu\/libkrb5.so.3.3\nnginx   678521 www-data  mem       REG              252,1   338648  918905 \/usr\/lib\/x86_64-linux-gnu\/libgssapi_krb5.so.2.2\nnginx   678521 www-data  mem       REG              252,1   182912 1013742 \/usr\/lib\/x86_64-linux-gnu\/libtirpc.so.3.0.0\nnginx   678521 www-data  mem       REG              252,1    93280  928845 \/usr\/lib\/x86_64-linux-gnu\/libnsl.so.2.0.1\nnginx   678521 www-data  mem       REG            
  252,1    55808 1013736 \/usr\/lib\/x86_64-linux-gnu\/libnss_nis.so.2.0.0\nnginx   678521 www-data  mem       REG              252,1    44024  934900 \/usr\/lib\/x86_64-linux-gnu\/libnss_compat.so.2\nnginx   678521 www-data  mem       REG              252,1  2216304  923246 \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\nnginx   678521 www-data  mem       REG              252,1   108936  918017 \/usr\/lib\/x86_64-linux-gnu\/libz.so.1.2.11\nnginx   678521 www-data  mem       REG              252,1  4451632  921043 \/usr\/lib\/x86_64-linux-gnu\/libcrypto.so.3\nnginx   678521 www-data  mem       REG              252,1   667864  921044 \/usr\/lib\/x86_64-linux-gnu\/libssl.so.3\nnginx   678521 www-data  mem       REG              252,1   477296 1013769 \/usr\/lib\/x86_64-linux-gnu\/libpcre.so.3.13.3\nnginx   678521 www-data  mem       REG              252,1   198664 1013758 \/usr\/lib\/x86_64-linux-gnu\/libcrypt.so.1.1.0\nnginx   678521 www-data  mem       REG              252,1   240936  918569 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2\nnginx   678521 www-data  DEL       REG                0,1          6388435 \/dev\/zero\nnginx   678521 www-data    0u      CHR                1,3      0t0       5 \/dev\/null\nnginx   678521 www-data    1u      CHR                1,3      0t0       5 \/dev\/null\nnginx   678521 www-data    2w      REG              252,1    73824  393461 \/var\/log\/nginx\/error.log\nnginx   678521 www-data    3u     IPv4            3635152      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.23.194:11840 (ESTABLISHED)\nnginx   678521 www-data    4w      REG              252,1    73824  393461 \/var\/log\/nginx\/error.log\nnginx   678521 www-data    5u     unix 0xffff92c3c4199dc0      0t0 3609748 type=STREAM\nnginx   678521 www-data    6u     IPv4            2914913      0t0     TCP *:http (LISTEN)\nnginx   678521 www-data    7u     IPv4            2914914      0t0     TCP *:https (LISTEN)\nnginx   678521 www-data    8u     IPv6       
     2914915      0t0     TCP *:http (LISTEN)\nnginx   678521 www-data    9u  a_inode               0,14        0   12477 &#91;eventpoll]\nnginx   678521 www-data   10w      REG              252,1  4306893  393353 \/var\/log\/nginx\/access.log\nnginx   678521 www-data   11u  a_inode               0,14        0   12477 &#91;eventfd]\nnginx   678521 www-data   12u     IPv4            3660000      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.23.203:46174 (ESTABLISHED)\nnginx   678521 www-data   13u     IPv4            3660003      0t0     TCP localhost:35822->localhost:21307 (ESTABLISHED)\nnginx   678521 www-data   14u     IPv4            3640297      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.71.159.62:22620 (ESTABLISHED)\nnginx   678521 www-data   15u     IPv4            3645173      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-39-69.ap-southeast-1.compute.amazonaws.com:12852 (ESTABLISHED)\nnginx   678521 www-data   16u     IPv4            3649346      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-50-166.ap-southeast-1.compute.amazonaws.com:50742 (ESTABLISHED)\nnginx   678521 www-data   17u     IPv4            3633140      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-28-172.ap-southeast-1.compute.amazonaws.com:23546 (ESTABLISHED)\nnginx   678521 www-data   18u     IPv4            3652681      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.71.158.175:27534 (ESTABLISHED)\nnginx   678521 www-data   19u     IPv4            3653597      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-36-192.ap-southeast-1.compute.amazonaws.com:51360 (ESTABLISHED)\nnginx   678521 www-data   20u     IPv4            3638677      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-39-92.ap-southeast-1.compute.amazonaws.com:11358 (ESTABLISHED)\nnginx   678521 www-data   21u     IPv4            3654651      0t0     TCP 
pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->162.158.166.240:44088 (ESTABLISHED)\nnginx   678521 www-data   22u     IPv4            3656031      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.22.188:59364 (ESTABLISHED)\nnginx   678521 www-data   23u     IPv4            3640664      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-39-8.ap-southeast-1.compute.amazonaws.com:32148 (ESTABLISHED)\nnginx   678521 www-data   24u     IPv4            3634798      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-18-196.ap-southeast-1.compute.amazonaws.com:30886 (ESTABLISHED)\nnginx   678521 www-data   25u     IPv4            3658718      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-27-156.ap-southeast-1.compute.amazonaws.com:48594 (ESTABLISHED)\nnginx   678521 www-data   26u     IPv4            3614112      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.23.107:10872 (ESTABLISHED)\nnginx   678521 www-data   27u     IPv4            3628738      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.23.177:26760 (ESTABLISHED)\nnginx   678521 www-data   28u     IPv4            3614113      0t0     TCP localhost:41336->localhost:21307 (ESTABLISHED)\nnginx   678521 www-data   34u     IPv4            3635046      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.71.159.28:44026 (ESTABLISHED)\nnginx   678521 www-data   36u     IPv4            3636306      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.22.39:54134 (ESTABLISHED)\nnginx   678521 www-data   37u     IPv4            3636307      0t0     TCP localhost:32820->localhost:21307 (ESTABLISHED)\nnginx   678521 www-data   38u     IPv4            3636503      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.23.89:41840 (ESTABLISHED)\nnginx   678521 www-data   39u     IPv4            3637091      0t0     TCP 
pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->ec2-47-128-39-81.ap-southeast-1.compute.amazonaws.com:44492 (ESTABLISHED)\nnginx   678521 www-data   40u     IPv4            3643796      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.134.181:61650 (ESTABLISHED)\nnginx   678521 www-data   43u     IPv4            3636519      0t0     TCP pjqmes1vcpu1gbsfo2-s-1vcpu-1gb-sfo2-01:https->172.69.134.83:63856 (ESTABLISHED)\n&lt;&lt;Process Info>>\nUID          PID    PPID  C STIME TTY          TIME CMD\nwww-data  678521  537882  0 19:01 ?        00:00:00 nginx: worker process\n&lt;&lt;Process Working Directory>>\n678521: \/\n-----------<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Background 8 security vendors flagged this URL as malicious tcpdump to figure out the force ssh attack from the server So here we need to exclude the data that I am using connect to So let&#8217;s monitor the logs, the<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2083","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>My server is flagged as hacked - Jianqing&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/pjq.me\/?p=2083\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"My server is flagged as hacked - Jianqing&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"Background 8 security vendors flagged this URL as malicious tcpdump to figure out the force ssh attack from the server 
So here we need to exclude the data that I am using connect to So let&#8217;s monitor the logs, the\" \/>\n<meta property=\"og:url\" content=\"https:\/\/pjq.me\/?p=2083\" \/>\n<meta property=\"og:site_name\" content=\"Jianqing&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-21T10:31:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-21T11:14:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-1024x585.png\" \/>\n<meta name=\"author\" content=\"pengjianqing\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"pengjianqing\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/pjq.me\/?p=2083#article\",\"isPartOf\":{\"@id\":\"https:\/\/pjq.me\/?p=2083\"},\"author\":{\"name\":\"pengjianqing\",\"@id\":\"https:\/\/pjq.me\/#\/schema\/person\/0eb1e72d1e69fbbd9b5c0bfd8e2aae60\"},\"headline\":\"My server is flagged as 
hacked\",\"datePublished\":\"2023-11-21T10:31:20+00:00\",\"dateModified\":\"2023-11-21T11:14:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/pjq.me\/?p=2083\"},\"wordCount\":963,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/pjq.me\/#\/schema\/person\/0eb1e72d1e69fbbd9b5c0bfd8e2aae60\"},\"image\":{\"@id\":\"https:\/\/pjq.me\/?p=2083#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-1024x585.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/pjq.me\/?p=2083#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/pjq.me\/?p=2083\",\"url\":\"https:\/\/pjq.me\/?p=2083\",\"name\":\"My server is flagged as hacked - Jianqing&#039;s Blog\",\"isPartOf\":{\"@id\":\"https:\/\/pjq.me\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/pjq.me\/?p=2083#primaryimage\"},\"image\":{\"@id\":\"https:\/\/pjq.me\/?p=2083#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image-1024x585.png\",\"datePublished\":\"2023-11-21T10:31:20+00:00\",\"dateModified\":\"2023-11-21T11:14:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/pjq.me\/?p=2083#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/pjq.me\/?p=2083\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/pjq.me\/?p=2083#primaryimage\",\"url\":\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image.png\",\"contentUrl\":\"https:\/\/pjq.me\/wp-content\/uploads\/2023\/11\/image.png\",\"width\":3456,\"height\":1974},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/pjq.me\/?p=2083#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/pjq.me\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"My server is flagged as 
hacked\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/pjq.me\/#website\",\"url\":\"https:\/\/pjq.me\/\",\"name\":\"Jianqing&#039;s Blog\",\"description\":\"Thoughts and Future\",\"publisher\":{\"@id\":\"https:\/\/pjq.me\/#\/schema\/person\/0eb1e72d1e69fbbd9b5c0bfd8e2aae60\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/pjq.me\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/pjq.me\/#\/schema\/person\/0eb1e72d1e69fbbd9b5c0bfd8e2aae60\",\"name\":\"pengjianqing\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/pjq.me\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/pjq.me\/wp-content\/uploads\/2021\/12\/Screen-Shot-2021-12-02-at-6.10.58-PM.png\",\"contentUrl\":\"https:\/\/pjq.me\/wp-content\/uploads\/2021\/12\/Screen-Shot-2021-12-02-at-6.10.58-PM.png\",\"width\":460,\"height\":752,\"caption\":\"pengjianqing\"},\"logo\":{\"@id\":\"https:\/\/pjq.me\/#\/schema\/person\/image\/\"},\"url\":\"https:\/\/pjq.me\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","views":1456}