Score:0

How to check if any connection was made from my Ubuntu server to a specific IP address? (I have the destination IP address)


Server setup: Ubuntu 18.04.6 LTS running Gitlab self-hosted

I received an email from gcloud saying the server (VM) might have been compromised and used for cryptocurrency mining. It also mentioned the destination IP of that server.

So this is what I'm trying to figure out:

  1. If there was any connection made to that IP from my server
  2. If yes, find the source file in the server that could have made the connection
djdomi
Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server)
John Hanley
If the notice is from Google, shut down the virtual machine now. Then investigate. Create a snapshot of the disk, create a new disk from the snapshot and mount the snapshot on another instance. Unless you have strong skills in forensics, either hire someone who does or destroy the original instance and attempt to recover your files from the disk created from the snapshot. Some cryptomining software does not damage/corrupt your files; it just wants CPU time. Others are very dangerous.
Fariya Rahmat
Check your CPU usage, as crypto mining requires huge amounts of CPU/GPU processing. Since your VM is in GCP, you can check from the [dashboard](https://cloud.google.com/spanner/docs/cpu-utilization). Use [commands](https://www.cyberciti.biz/faq/how-to-check-running-process-in-linux-using-command-line/) to check foreign processes which are running on your VM and delete them with SSH FTP. If you can’t find what’s exactly eating your CPU and if your GitLab is slow, you need to try to restore it from the last healthy backup [snapshot](https://cloud.google.com/compute/docs/disks/create-snapshots).
Manas
Thank you guys for the suggestions. After investigating the issue, the server storage space was full and the reason behind it was that GitLab didn't delete the old backups as per the settings (to delete backups after 7 days). So I deleted the old backups and updated the GitLab version.
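
For the two points the question lists, the following is an added example, not part of the original thread: it looks for sockets whose remote end is a given IPv4 address in `/proc/net/tcp` and maps each socket inode to the process and executable holding it. It sees only sockets that exist at the moment it runs; the function names and the sample table are constructed for illustration, and it assumes a little-endian (x86-64) host, IPv4 only, and root privileges.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes a little-endian
# (x86-64) host and IPv4; run as root to see other users' processes.

# Dotted-quad IPv4 -> byte-reversed hex, as the kernel prints it in /proc/net/tcp.
ip_to_proc_hex() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%02X%02X%02X%02X' "$4" "$3" "$2" "$1"
}

# Print "state uid inode" for each socket whose remote address is IP $1.
# State 01 is ESTABLISHED, 0A is LISTEN.
# $2 is the table to read (default: the live /proc/net/tcp; "-" reads stdin).
sockets_to_ip() {
    awk -v h="$(ip_to_proc_hex "$1")" \
        'NR > 1 { split($3, r, ":"); if (r[1] == h) print $4, $8, $10 }' \
        "${2:-/proc/net/tcp}"
}

# Print "pid executable" for every process holding socket inode $1.
owners_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Constructed sample in /proc/net/tcp layout; 203.0.113.7 is a documentation address.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0A00800A:C350 077100CB:01BB 01 00000000:00000000 00:00000000 00000000   998        0 34567
EOF
}

# Live use: sh check_ip.sh <destination-ip>
if [ "$#" -ge 1 ]; then
    sockets_to_ip "$1" | while read -r st uid inode; do
        echo "state=$st uid=$uid inode=$inode"
        [ "$inode" -eq 0 ] || owners_of_inode "$inode"
    done
fi
```

An executable path that ends in `(deleted)` means the binary was removed from disk after the process started. Sockets opened over IPv6 are listed in `/proc/net/tcp6`, which this example does not read.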