Red Asteroid Under Attack!

Since the newsletter went out, CPU load on my little box has tripled. Looks like we got somebody’s attention! Checking the logs, I noticed increased load ever since the newsletter went out:

[Image: 30day]

Even worse, this morning the server crashed and was down for hours!

[Image: hacks_bw]

There were some very strange entries in the system log at the beginning of that time frame, after which all activity mysteriously ceased. Interestingly, the CPU was still active:

[Image: hacks_BM_devbox]

But no traffic? Maybe someone hijacked the server to make bitcoins. Anyway, I reset the server and noticed the normal increased load was due to sshd activity. Checking the auth.log, I found out my root login was being brute-forced. Luckily, root logins are completely disabled on my machine.

Some tweaks of the fail2ban settings later, CPU activity is back to normal.
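The auth.log check described above can be scripted. The following is an added example, not code from the original post: it counts failed sshd password attempts against root per source address and flags addresses using the same threshold-within-a-window idea as fail2ban's `maxretry` and `findtime` options. The log lines, host name, addresses, year and threshold values are constructed assumptions, not the author's data or settings.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the classic syslog format sshd writes to auth.log;
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 06:25:01 box sshd[4101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 06:25:03 box sshd[4103]: Failed password for root from 203.0.113.5 port 40114 ssh2
Mar  3 06:25:04 box sshd[4105]: Failed password for invalid user admin from 198.51.100.7 port 51200 ssh2
Mar  3 06:25:06 box sshd[4107]: Failed password for root from 203.0.113.5 port 40120 ssh2
Mar  3 06:25:09 box sshd[4109]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 06:25:11 box sshd[4111]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar  3 06:25:15 box sshd[4113]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar  3 07:40:00 box sshd[4200]: Failed password for root from 198.51.100.7 port 51310 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def failed_logins(text, year=2024):
    """Yield (timestamp, user, ip) for each failed sshd password attempt."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Classic syslog stamps omit the year, so one is assumed here.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def root_attempts(text):
    """Count failed password attempts against root per source address."""
    return Counter(ip for _ts, user, ip in failed_logins(text) if user == "root")

def offenders(text, maxretry=5, findtime=600):
    """Return {ip: time of the failure that reached maxretry within findtime s}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = {}
    for ts, _user, ip in failed_logins(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Month names are parsed with `%b`, so this expects an English/C locale, as the log itself does.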
