
I've an issue with my Google Cloud compute VM. It's running Ubuntu 14.04, Apache2, PHP and Percona MySQL.

The server won't respond to TCP connections on port 80. I can connect via SSH, and the server appears to be normal.

I found a couple of dodgy looking files which I've attached [Not attached any more], they seem to have been some kind of data gatherers. I've removed the files, and am assuming Google have blocked my instance from its network for web traffic.

I'm at a bit of a loss as I've no idea where to go from here. The server is being hammered by lots of different IPs with requests for these files.

Any advice is much appreciated.

EDIT: This question isn't about how to deal with a compromised server. It's about how to get Google to allow traffic to the VM again, as I've not got any notifications, statuses or anything to go by in my GCC control panels.

  • It absolutely *is* about dealing with a compromised server. If you only removed the files, your server is still compromised. Beyond that, you'll need to speak with Google Support about why they firewalled off your server. None of us can help you with that. – EEAA Nov 29 '15 at 23:00
  • For anyone else in my position, I fixed it by taking a snapshot of my instance's storage volume, then spinning up another instance using that snapshot. It gave me a new server that's not on the same IP and so not firewalled off. I've since fixed the security vulnerabilities. – i-CONICA Nov 30 '15 at 14:48
  • No, you haven't. Unless you built your server from scratch, you should still consider it as compromised. – EEAA Nov 30 '15 at 16:30
  • I said I've fixed the security vulnerabilities. It was insecure permissions. Even in its fixed state, I was still unable to get web traffic through to the VM. I created the new VM instance to get a new non-blacklisted IP. The VM is no longer compromised as I've cleaned up the offending files and repaired the vulnerability. Do you still disagree? – i-CONICA Dec 01 '15 at 11:00
  • Read the duplicate question and you'll understand why you need to rebuild the server from scratch. – EEAA Dec 01 '15 at 11:39
  • I have read it, years ago and yesterday. No damage was done. I run incremental backups and have checked logs to see if any unexpected files have appeared anywhere in the system, not that the two files in question were coded to do anything like that anyway. Can you not enlighten me? – i-CONICA Dec 01 '15 at 11:44
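The question mentions the server being hammered from many different IPs with requests for the removed files. The following is an added example (not from the poster or the thread) showing how to measure that from Apache's combined access log: it groups requests by path and reports paths fetched from an unusually wide spread of source addresses, which is the signature of a dropped file being polled by many clients. The log lines and the `/dropped.php` path are constructed placeholders, not values from the post.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line, e.g.
# 203.0.113.5 - - [29/Nov/2015:22:41:07 +0000] "GET /x.php HTTP/1.1" 404 209 "-" "curl/7.35"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def requests_by_path(lines):
    """Map each requested path to its distinct client IPs and total hit count."""
    stats = defaultdict(lambda: {"ips": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip unparseable / truncated lines
            continue
        stats[rec["path"]]["ips"].add(rec["ip"])
        stats[rec["path"]]["hits"] += 1
    return stats

def hammered_paths(lines, min_distinct_ips=3):
    """(path, distinct_ips, hits) for paths requested from at least
    `min_distinct_ips` different addresses, widest spread first."""
    stats = requests_by_path(lines)
    hot = [(p, len(s["ips"]), s["hits"]) for p, s in stats.items()
           if len(s["ips"]) >= min_distinct_ips]
    return sorted(hot, key=lambda t: (-t[1], -t[2], t[0]))

# Constructed sample log (placeholder addresses); /dropped.php stands in for
# one of the files the poster removed.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2015:22:41:07 +0000] "GET /dropped.php?c=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Nov/2015:22:41:09 +0000] "GET /dropped.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.77 - - [29/Nov/2015:22:41:12 +0000] "POST /dropped.php HTTP/1.1" 404 209 "-" "python-requests/2.7"
203.0.113.5 - - [29/Nov/2015:22:41:15 +0000] "GET /dropped.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Nov/2015:22:42:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [29/Nov/2015:22:42:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for path, n_ips, hits in hammered_paths(SAMPLE_LOG):
        print(f"{path}: {hits} requests from {n_ips} distinct IPs")
```

On a real host, feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG`; a 404'd path that keeps drawing requests from many addresses after the file was removed is the evidence to keep alongside the rebuild.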
