
I have a Debian server, and I was recently contacted by my hosting provider saying that my server is being used to DDoS people/servers. Is this the cause?

Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/sqlite-3.34.0-773e6a73-9f2b-4302-8ae9-75cd2b81e717-libsqlitejdbc.so
/tmp/sqlite-3.45.0.0-b5534f50-05ff-49b5-a791-7815b18ecca8-libsqlitejdbc.so
/tmp/sqlite-3.34.0-fefef17a-1c51-4c8c-a943-7762e1cba908-libsqlitejdbc.so
/tmp/sqlite-3.34.0-0ab69a31-c3c8-41e5-8a94-5bb2fdb69e9a-libsqlitejdbc.so
/tmp/sqlite-3.28.0-534ac9bb-1e06-473b-bcb8-1f53406d31aa-libsqlitejdbc.so
/tmp/sqlite-3.21.0.1-8fec2456-95f2-4f74-b9cf-35c9426e4a58-libsqlitejdbc.so
/tmp/sqlite-3.45.2.0-2cfa4262-7ccf-484d-ae8e-dae29007ae12-libsqlitejdbc.so
/tmp/sqlite-3.28.0-83975b66-981d-4583-83cf-1163a722a1b2-libsqlitejdbc.so
/tmp/sqlite-3.28.0-1ccf9e03-1458-4195-861c-52402041ec9b-libsqlitejdbc.so

I'm aware that this is a really old malware strain and is most likely a false positive, but what would be the cause of these apparent DDoS attacks from my server?

  • The /tmp/ folder gets wiped after every reboot so this is sus... Commented Aug 8 at 16:20
  • The fact that you have libraries in /tmp/ is a good indicator that you have malware. Normally there should be no libraries there, and the names obviously attempt to mask as a legitimate package.
    – vidarlo
    Commented Aug 8 at 18:54
  • This question is similar to: How do I deal with a compromised server?. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem.
    – vidarlo
    Commented Aug 8 at 18:55
  • @vidarlo These files are created by a Minecraft panel service I am using, Pufferpanel. An upload to VirusTotal shows that they are clean, but it doesn't change that my hosting provider sent me an email stating that my server is being used in DDoS attacks.
    – Server
    Commented Aug 9 at 19:29
  • Sorry, but you haven't provided enough information to get an answer. It's used for some kind of DoS attack, but we don't know how or what...
    – vidarlo
    Commented Aug 9 at 19:41

1 Answer


You can use tools like auditd or pspy64 to monitor activities inside your system, from the running processes. Also, you could monitor your network activity with more advanced techniques using tshark, wireshark or tcpdump. You can also just check what servers you're connected to using netstat.

Give it a go and check if you find something useful. You could also upload those suspicious files to VirusTotal and check if they're actually malware and get some more detailed information from those.

  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Aug 8 at 20:56
  • The files are clean in VirusTotal. The files also are owned by a Minecraft panel service I'm using, Pufferpanel.
    – Server
    Commented Aug 9 at 19:20
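As an added example (not code from the question, the answer, or Pufferpanel), here is a small Python triage script for the concrete question above: which running process has those /tmp/*.so files mapped, and what executable is it? The scanner output in the question fires on any shared object under /tmp, so if the only process mapping them is the Minecraft server's java process, that matches the asker's explanation, while an unknown executable (or a library that has been unlinked from disk while still loaded) would be a real reason for concern. The sample maps lines are constructed; the live scan reads /proc directly.

```python
import os
import re

TMP_SO = re.compile(r"^/tmp/\S+\.so(\.\d+)*$")

# Constructed sample of /proc/<pid>/maps lines (not output from the server above).
SAMPLE_MAPS = """\
7f1a00000000-7f1a00021000 rw-p 00000000 00:00 0
7f1a00400000-7f1a00500000 r-xp 00000000 08:01 1234 /usr/lib/jvm/java-17-openjdk-amd64/lib/libjava.so
7f1a00600000-7f1a00700000 r-xp 00000000 08:01 5678 /tmp/sqlite-3.45.2.0-2cfa4262-7ccf-484d-ae8e-dae29007ae12-libsqlitejdbc.so
7f1a00a00000-7f1a00b00000 r-xp 00000000 08:01 3456 /tmp/libfoo.so.1 (deleted)
"""

def tmp_libs_in_maps(maps_text):
    """{path: unlinked} for every /tmp/*.so backing a mapping; 'unlinked' is True
    when the kernel marks it ' (deleted)', i.e. removed from disk while still loaded."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no backing file
        path = fields[5].rstrip()
        unlinked = path.endswith(" (deleted)")
        if unlinked:
            path = path[:-len(" (deleted)")]
        if TMP_SO.match(path):
            found[path] = found.get(path, False) or unlinked
    return found

def scan_processes(proc="/proc"):
    """Live scan: {pid: (comm, exe, libs)} for every process that maps a /tmp/*.so.
    Run as root to cover all processes; ones we may not read are skipped."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/maps") as f:
                libs = tmp_libs_in_maps(f.read())
            if libs:
                comm = open(f"{proc}/{pid}/comm").read().strip()
                exe = os.readlink(f"{proc}/{pid}/exe")   # real binary, even if renamed
                report[int(pid)] = (comm, exe, libs)
        except OSError:
            continue                      # process exited, or not permitted
    return report

if __name__ == "__main__":
    for pid, (comm, exe, libs) in sorted(scan_processes().items()):
        print(f"pid {pid} {comm} exe={exe}")
        for path, unlinked in libs.items():
            print(f"    {path}{' (unlinked while mapped)' if unlinked else ''}")
```

Run it with sudo on the affected host and compare each reported exe against the Pufferpanel/java processes you expect; a second tool such as ss -tunap on the same pids then shows whether those processes also own the outbound connections the hosting provider complained about.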
