
I have a suspicious situation on my vServer (CentOS 7). An unknown bash script is consuming all the memory on the server. There is a noticeable connection to the "outside".

Unfortunately my Unix knowledge is limited.

How can I forbid a connection to the outside for the user git?

How can I figure out where this bash script resides and what the content of the script is?

lsof -p 1577
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1577 git cwd DIR 182,395665 4096 2 /
bash 1577 git rtd DIR 182,395665 4096 2 /
bash 1577 git txt unknown /proc/1577/exe (readlink: No such file or directory)
bash 1577 git mem REG 182,395665 795648 (deleted)/var/tmp/.ICE-unix/.bash/.bash/bash (stat: No such file or directory)
bash 1577 git 0r FIFO 0,8 0t0 3801753555 pipe
bash 1577 git 1w FIFO 0,8 0t0 3801753556 pipe
bash 1577 git 2w FIFO 0,8 0t0 3801753556 pipe
bash 1577 git 3u REG 182.395665 0 5390 /tmp/.lock
bash 1577 git 4u 0000 0,9 0 4145 [eventpoll]
bash 1577 git 5r FIFO 0,8 0t0 3801755403 pipe
bash 1577 git 6w FIFO 0,8 0t0 3801755403 pipe
bash 1577 git 7r FIFO 0,8 0t0 3801755399 pipe
bash 1577 git 8w FIFO 0,8 0t0 3801755399 pipe
bash 1577 git 9u 0000 0,9 0 4145 [eventfd]
bash 1577 git 10r CHR 1,3 0t0 3801397120 /dev/null
bash 1577 git 11u IPv4 3801755495 0t0 TCP <my server IP>:56542->**blackcat.ro:http** (ESTABLISHED)
ChaosSpeeder
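As an added example (not part of the question or the answer), the following POSIX shell functions collect what the kernel still knows about a running process before it is killed: the recorded executable path (which keeps a "(deleted)" suffix when the file was unlinked after start, as the lsof output above suggests), the command line, the working directory and any memory-mapped files that no longer exist on disk. PID 1577 is the one from the question; PROC_ROOT is my own parameter so the same functions can be pointed at a copied or test /proc tree instead of the live one.

```shell
#!/bin/sh
# Added example: gather evidence about a running process from /proc.
# PROC_ROOT defaults to the live /proc; it is an assumption of this
# example, not a standard variable, and exists so the functions can be
# exercised against a copied or constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the executable path the kernel recorded for PID. If the binary was
# unlinked after the process started, the link reads ".../bash (deleted)".
# Prints "unknown" and fails when the link cannot be read at all (the case
# lsof reports as "readlink: No such file or directory").
proc_exe_path() {
    pid="$1"
    target=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || { echo unknown; return 1; }
    echo "$target"
}

# Succeed if the on-disk executable was removed after the process started.
proc_exe_deleted() {
    case "$(proc_exe_path "$1")" in
        *"(deleted)") return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the command line; /proc separates arguments with NUL bytes.
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" 2>/dev/null
}

# List memory-mapped files that have been deleted from disk, one per line.
# A dropper that unlinks itself after exec shows up here and in maps.
proc_deleted_maps() {
    sed -n 's/^[^/]*\(\/.*\) (deleted)$/\1/p' "$PROC_ROOT/$1/maps" 2>/dev/null | sort -u
}

# Copy the in-memory image of the executable to DEST for later analysis.
# On the live /proc this works even for a deleted binary, because the
# kernel serves the still-open inode; it fails when exe is unreadable.
proc_save_exe() {
    cp "$PROC_ROOT/$1/exe" "$2" 2>/dev/null
}

# Human-readable summary of everything above for one PID.
proc_report() {
    pid="$1"
    echo "pid:     $pid"
    echo "exe:     $(proc_exe_path "$pid")"
    echo "cwd:     $(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null)"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "deleted mappings:"
    proc_deleted_maps "$pid" | sed 's/^/  /'
}

# Usage: sh collect.sh 1577 (the PID from the question) while it is still running.
if [ $# -gt 0 ]; then
    proc_report "$1"
fi
```

Run the report and, if proc_save_exe succeeds, keep the copy off the host before terminating the process; once the process exits, a deleted binary is gone for good. The persistence mechanism (cron entries, ~/.ssh/authorized_keys, shell profile files of the git user) still has to be checked separately.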

1 Answer

Depending on your existing firewall setup, it may differ. But commonly you should already have the iptables firewall installed.

(Note: if you have firewalld, it can't block an IP address, see here for how to disable it and switch to iptables)

The first thing you need to know is that you can't block a request to a domain, but you can block using the IP instead.

To find the IP, use nslookup. Say nslookup blackcat.ro. You will get a list of IPs, you need to block them all. You may see either IPv4 or IPv6 addresses, use one of the commands below to block.

iptables -A OUTPUT -p tcp -d <IPv4> -j DROP
ip6tables -A OUTPUT -p tcp -d <IPv6> -j DROP

When done, save your current config so it's not lost.

/sbin/service iptables save
/sbin/service ip6tables save
willnode
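As an added example (my own code, not the answerer's), the procedure above carried out end to end in POSIX shell: resolve every address of the hostname, pick iptables or ip6tables per address, append the OUTPUT DROP rule and save the rule set. It goes slightly beyond the answer in two ways: it uses getent ahosts instead of nslookup, so it works without the bind-utils package, and it can restrict the rule to one local user with the iptables owner match (-m owner --uid-owner), which addresses the question's "for the user git" part. DRY_RUN, the sample addresses in the test and the helper names are my assumptions; applying the rules for real needs root.

```shell
#!/bin/sh
# Added example: build and apply outbound DROP rules for every address a
# hostname resolves to. DRY_RUN=1 (the default here, an assumption of this
# example) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

# Resolve NAME to its IPv4 and IPv6 addresses, one per line. getent ahosts
# prints "ADDR TYPE NAME" lines, so the first column is the address.
resolve_all() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Append one OUTPUT DROP rule for ADDR. A second argument restricts the rule
# to packets generated by that local user (owner match, OUTPUT chain only).
# Arguments are passed as a list, never through eval, and the address is
# checked against the characters an IP literal can contain.
block_addr() {
    addr="$1"; user="${2:-}"
    case "$addr" in
        ''|*[!0-9a-fA-F:.]*) echo "not an IP address: $addr" >&2; return 1 ;;
    esac
    tool=iptables
    case "$addr" in *:*) tool=ip6tables ;; esac
    set -- -A OUTPUT -p tcp -d "$addr"
    if [ -n "$user" ]; then
        set -- "$@" -m owner --uid-owner "$user"
    fi
    set -- "$@" -j DROP
    if [ "$DRY_RUN" = 1 ]; then
        echo "$tool $*"
    else
        "$tool" "$@"
    fi
}

# Read addresses from stdin (one per line) and block each of them.
block_addrs() {
    user="${1:-}"
    while read -r addr; do
        [ -n "$addr" ] || continue
        block_addr "$addr" "$user" || echo "skipping: $addr" >&2
    done
}

# Resolve NAME and block all of its addresses, optionally for one user only.
block_host() {
    resolve_all "$1" | block_addrs "${2:-}"
}

# Persist the rule set the way the answer describes (CentOS 7 iptables-services).
save_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "/sbin/service iptables save"
        echo "/sbin/service ip6tables save"
    else
        /sbin/service iptables save && /sbin/service ip6tables save
    fi
}

# Usage: DRY_RUN=0 sh block-host.sh blackcat.ro git   (as root, on the server)
if [ $# -gt 0 ]; then
    block_host "$1" "${2:-}"
    save_rules
fi
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 as root. Because a domain can change its addresses, re-run the resolution later and compare the rule set with iptables -S OUTPUT; a user-scoped rule is also the better fit for the question, since it leaves the server's own outbound traffic alone.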