On 2014-10-25 16:36, Nick Sheppard wrote:
> For the last month I've been running a middle relay (no guard flag yet) on a 512 MB VPS provided by Edis.at in Switzerland (4.99 euro per
You are aware that Edis is considered a bit shady I hope; though this is likely because they attract a lot of cheap customers and thus get a lot of abuse out of their network. The question becomes at one point if it is a separate customer or themselves though.
Also note that they are just reselling other people's services, hence why they are cheap as they oversubscribe a lot.
> The Solus control panel traffic graph started showing (a very small
That Solus control panel could have been a way in to your system.
What kind of virtualization is used?
[..]
> Each block is always 5 lines, and the names (always 10 lower-case letters) seem to be different every time. The blocks change fairly regularly every second or two.
The virus/bot/etc is respawning processes so that nobody can easily kill them.
pstree will show you where the process comes from originally.
The random name makes classification easier.
[..]
> Eventually I'll have to reinstall everything from scratch, straightforward enough, but what can I do to make sure it doesn't happen again? Would hardening my iptables work? Has anyone else seen this?
Actually secure a machine.
Most likely they just guessed your password by an automated SSH login botnet.
Using SSH keys, firewalling SSH off except for trusted hosts and not having any services listening that you do not want are key to a properly secured system. There are lots of articles on the interwebz about it.
Greets, Jeroen
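As an added triage example (not from the thread or either poster), the check Jeroen describes can be automated: walk /proc for processes whose name is exactly 10 lower-case letters and print their parent chain, which is what pstree would show for them. It assumes a Linux /proc; the sample process table is constructed.

```python
import os
import re

# Naming pattern reported in the thread: exactly 10 lower-case letters.
RANDOM_NAME = re.compile(r"^[a-z]{10}$")

# Constructed sample table of (pid, ppid, comm) for offline use.
SAMPLE_TABLE = [
    (1, 0, "init"), (500, 1, "sshd"), (900, 1, "bash"),
    (901, 900, "qwertyuiop"), (902, 901, "asdfghjklz"), (903, 900, "tor"),
]

def read_proc_table():
    """Read (pid, ppid, comm) for every live process from /proc (Linux)."""
    table = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as fh:
                stat = fh.read()
        except OSError:
            continue  # process exited while we were scanning
        # comm sits inside parentheses and may itself contain spaces
        lpar, rpar = stat.index("("), stat.rindex(")")
        comm = stat[lpar + 1:rpar]
        ppid = int(stat[rpar + 1:].split()[1])  # fields after ')': state ppid ...
        table.append((int(entry), ppid, comm))
    return table

def find_random_named(table):
    """Map each suspicious pid to its ancestor chain [(pid, comm), ...] up to init."""
    by_pid = {pid: (ppid, comm) for pid, ppid, comm in table}
    hits = {}
    for pid, ppid, comm in table:
        if not RANDOM_NAME.match(comm):
            continue
        chain, cur, seen = [], ppid, set()
        while cur in by_pid and cur not in seen:  # stop at unknown pid or a cycle
            seen.add(cur)
            chain.append((cur, by_pid[cur][1]))
            cur = by_pid[cur][0]
        hits[pid] = chain
    return hits

if __name__ == "__main__":
    for pid, chain in find_random_named(read_proc_table()).items():
        parents = " <- ".join(f"{c}({p})" for p, c in chain)
        print(f"pid {pid}: spawned by {parents or '<unknown>'}")
```

Kill the top of the chain (the respawning parent) rather than the children, and treat the result as evidence for the reinstall, not as a cleanup.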