
Server setup: Ubuntu 18.04.6 LTS running Gitlab self-hosted

I received an email from gcloud saying the server (VM) might have been compromised and used for cryptocurrency mining. It also mentioned the destination IP that server was contacting.

So this is what I'm trying to figure out:

  1. If there was any connection made to that IP from my server
  2. If yes, find the source file in the server that could have made the connection
Manas
    Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – djdomi Nov 01 '21 at 16:22
  • 3
    If the notice is from Google, shut down the virtual machine now. Then investigate. Create a snapshot of the disk, create a new disk from the snapshot and mount the snapshot on another instance. Unless you have strong skills in forensics, either hire someone that does or destroy the original instance and attempt to recover your files from the disk created from the snapshot. Some cryptominging software do not damage/corrupt your files, They just want CPU time. Others are very dangerous. – John Hanley Nov 02 '21 at 01:16
  • 1
    Check your CPU usage as Crypto mining requires huge amounts of CPU/GPU processing. Since your VM is in GCP you can check from the [dashboard](https://cloud.google.com/spanner/docs/cpu-utilization). Use [commands](https://www.cyberciti.biz/faq/how-to-check-running-process-in-linux-using-command-line/) to check foreign processes which are running on your VM and delete it with SSH FTP. If you can’t find what’s exactly eating your CPU and if your Gitlab is slow you need to try to restore it from the last healthy backup [snapshot](https://cloud.google.com/compute/docs/disks/create-snapshots). – Fariya Rahmat Nov 02 '21 at 07:48
  • Thank you guys for the suggestions. After investigating the issue, the server storage space was full and the recent behind was that gitlab didn't delete the old backups as per the settings (to delete backups after 7 days). So I deleted the old backups and updated gitlab version. – Manas Nov 07 '21 at 10:44
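One way to answer the two questions in the post (was there a connection to the reported IP, and which executable on the box made it), as an added shell example that is not from the question or any of the commenters. It assumes root on the instance (needed for `ss -p` and for reading other processes' `/proc` entries), that `ss` from iproute2 is installed for the first helper, and that the triage is done on the snapshot-backed copy the comments recommend; the IPs, ports, PIDs and inodes below are constructed sample values, not the address from the Google notice.

```shell
#!/bin/sh
# Added example (not from the question or its commenters): triage helpers
# for "did this VM talk to IP X, and which executable did it?".
# Assumed: run as root; IPs/ports/PIDs here are constructed samples.
set -u

# 1) Live sockets: read `ss -Htnp` output on stdin and print
#    "<local> <remote> <pid>" for each socket whose peer is TARGET_IP.
#    Live use:  ss -Htnp | conns_to_ip 203.0.113.10
conns_to_ip() {   # usage: conns_to_ip TARGET_IP  (ss output on stdin)
  awk -v ip="$1" '
    # field 5 is the peer "addr:port"; exact prefix compare, no regex dots
    substr($5, 1, length(ip) + 1) == ip ":" {
      pid = "-"
      if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
      print $4, $5, pid
    }'
}

# 2) /proc/net/tcp prints rem_address as 8 hex digits of the address in
#    host byte order, so 203.0.113.10 shows up as 0A7100CB on x86 hosts.
ip_to_proc_hex() {   # usage: ip_to_proc_hex DOTTED_IPV4
  printf '%s' "$1" | awk -F. '{ printf "%02X%02X%02X%02X", $4, $3, $2, $1 }'
}

# 3) Scan a /proc/net/tcp-format file for sockets to TARGET_IP and print
#    "<rem_address:port hex> <socket inode>". This reads the kernel table
#    directly, so it still works if ss/netstat are missing or replaced.
conns_in_proc_net() {   # usage: conns_in_proc_net FILE TARGET_IP
  hex=$(ip_to_proc_hex "$2")
  awk -v hex="$hex" 'NR > 1 && substr($3, 1, 9) == hex ":" { print $3, $10 }' "$1"
}

# 4) Map a socket inode back to the PID(s) holding it, then to the binary.
#    A "(deleted)" suffix on the exe link means the file was unlinked after
#    launch; the running process still has it, so copy /proc/PID/exe first.
pid_for_socket_inode() {   # usage: pid_for_socket_inode INODE
  for fd in /proc/[0-9]*/fd/*; do
    case $(readlink "$fd" 2>/dev/null) in
      "socket:[$1]") echo "$fd" | cut -d/ -f3 ;;
    esac
  done | sort -u
}

describe_pid() {   # usage: describe_pid PID
  echo "pid $1 exe=$(readlink "/proc/$1/exe" 2>/dev/null)"
  echo "  cwd=$(readlink "/proc/$1/cwd" 2>/dev/null)"
  echo "  cmd=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

triage_ip() {   # usage: triage_ip TARGET_IP  (on the live, still-running box)
  echo "## live sockets to $1 (ss)"
  ss -Htnp 2>/dev/null | conns_to_ip "$1"
  echo "## sockets to $1 from /proc/net/tcp, with owning processes"
  conns_in_proc_net /proc/net/tcp "$1" | while read -r rem inode; do
    for pid in $(pid_for_socket_inode "$inode"); do describe_pid "$pid"; done
  done
}

# Constructed sample `ss -Htnp` output, used to exercise conns_to_ip offline.
SAMPLE_SS='ESTAB 0 0 10.0.0.5:47122 203.0.113.10:4444 users:(("suspicious",pid=4242,fd=7))
ESTAB 0 0 10.0.0.5:22 198.51.100.7:51000 users:(("sshd",pid=1100,fd=4))'

if [ "${1-}" = "--run" ]; then triage_ip "$2"; fi
```

These helpers only see the current state of the kernel's socket table: if the process has already exited or the instance was rebooted, nothing will match, and the only evidence left is on disk (cron entries, systemd units, files under /tmp or /dev/shm, the GitLab user's shell history) and in VPC flow logs if they were enabled for the subnet. That is why the comments advise snapshotting before touching anything.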
