Find and kill process that create malicious connections

Question

State      Recv-Q Send-Q        Local Address:Port            Peer Address:Port   
FIN-WAIT-1 0      3640        my.public.ip.xx:https          xxx.xx.xxx.xx:56206   
SYN-SENT   0      1           my.public.ip.xx:55380          suspicious.ip1:9001     users:(("zpanel-cgi",4274,3))
FIN-WAIT-1 0      178         my.public.ip.xx:https          xxx.xx.xxx.xx6:56204   
FIN-WAIT-1 0      3640        my.public.ip.xx:https          xxx.xx.xxx.xx:3275    
ESTAB      0      304         my.public.ip.xx:ssh            my.local.ip.x:32806    users:(("sshd",13981,3))
FIN-WAIT-1 0      178         my.public.ip.xx:https          xxx.xx.xxx.xx:3263    
SYN-SENT   0      1           my.public.ip.xx:42411          suspicious.ip2:whois    users:(("whois",14681,175))
FIN-WAIT-1 0      70          my.public.ip.xx:https          xxx.xx.xxx.xx:56198   
ESTAB      0      0           my.public.ip.xx:http           xxx.xx.xxx.xx:7497     users:(("apache2",14594,88))

Hi, So my server was compromised a while ago and i am trying to rectify the issues.

My server is running Ubuntu 12.04. As you can see from the log above (resulted from command ss -tp), there are two connections which are aliens (both username cannot be found in the file /etc/passwd

Currently I am using ufw to block all weird incomming/outgoing connections.
My question is how can I fully clear these connections and their parent process/users ?

Answer 1

Nuke it from orbit. It's the only way to be sure.

Seriously, if you're certain your server has been compromised, the only certain way to clean it up is to wipe it clean and rebuild, this time making sure that whatever vulnerability was used isn't present.

Sure, you could spend time playing whack-a-mole, but how can you be sure that you've removed a file, when the attacker could have patched rm and ls to lie to you? Replaced ps and top with versions that won't list the attacker's bot? Replaced ufw to let their connections through without telling you?