I got an abuse report for AWS and they shut down one of my personal servers. I can SSH in, but no other connectivity is working right now until I can prove to them I addressed it. Full transparency, I'm minimally competent in linux.
AWS says my server is trying to ssh into other systems, so maybe I got some kind of botnet on it. Here's a sample they sent:
Lines containing failures of <IP> (max 1000)
Dec 19 18:25:07 viking sshd[2404152]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP> user=root
Dec 19 18:25:09 viking sshd[2404152]: Failed password for root from <IP> port 54806 ssh2
Dec 19 18:25:11 viking sshd[2404152]: Received disconnect from <IP> port 54806:11: Bye Bye [preauth]
Dec 19 18:25:11 viking sshd[2404152]: Disconnected from authenticating user root <IP> port 54806 [preauth]
Dec 19 18:30:56 viking sshd[2406221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP> user=root
Dec 19 18:30:59 viking sshd[2406221]: Failed password for root from <IP> port 47524 ssh2
Dec 19 18:31:01 viking sshd[2406221]: Received disconnect from <IP> port 47524:11: Bye Bye [preauth]
Dec 19 18:31:01 viking sshd[2406221]: Disconnected from authenticating user root <IP> port 47524 [preauth]
I ran sudo netstat -antp. The only two programs I couldn't immediately identify are 1699/./bin/tor and 1826/./kswapd0. I am not running tor, so that's concerning. Googling kswapd0 says it's a memory manager, so I guess that's fine? There are a lot of ports it has the status SYN_SENT on.
Any pointers on what to look for or other things to try would be greatly appreciated.
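An added triage example (not from the post, and not anything AWS supplied): it parses netstat -antp style rows and sshd auth-log lines of the shape quoted above, then applies three defender checks that bear on the two findings in the post. The sample netstat output and the auth-log lines are constructed here, with documentation-range addresses standing in for the redacted <IP>; the thresholds and the list of kernel-thread names are my own assumptions. The key fact the checks rely on is that Linux kernel threads such as kswapd0 never own a TCP socket (netstat shows "-" in the PID/Program column for kernel-owned sockets), so a socket attributed to a program called ./kswapd0 can only belong to a userland binary using that name.

```python
import re
from collections import Counter, defaultdict

# --- Constructed sample inputs (not from the post) ---------------------------
# `sudo netstat -antp` style output; addresses are RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:22             198.51.100.7:41022      ESTABLISHED 2301/sshd: admin
tcp        0      1 10.0.0.5:49210          203.0.113.10:22         SYN_SENT    1826/./kswapd0
tcp        0      1 10.0.0.5:49211          203.0.113.11:22         SYN_SENT    1826/./kswapd0
tcp        0      1 10.0.0.5:49212          203.0.113.12:22         SYN_SENT    1826/./kswapd0
tcp        0      1 10.0.0.5:49213          203.0.113.13:22         SYN_SENT    1826/./kswapd0
tcp        0      0 10.0.0.5:38844          203.0.113.50:9001       ESTABLISHED 1699/./bin/tor
"""

# Auth-log lines in the same format as the abuse report; <IP> replaced by a constructed address.
SAMPLE_AUTH_LOG = """\
Dec 19 18:25:07 viking sshd[2404152]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44 user=root
Dec 19 18:25:09 viking sshd[2404152]: Failed password for root from 192.0.2.44 port 54806 ssh2
Dec 19 18:25:11 viking sshd[2404152]: Received disconnect from 192.0.2.44 port 54806:11: Bye Bye [preauth]
Dec 19 18:30:59 viking sshd[2406221]: Failed password for root from 192.0.2.44 port 47524 ssh2
"""

# One TCP row of `netstat -antp`: proto, recv-q, send-q, local, remote, state, pid/program.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

# Assumed list of genuine Linux kernel-thread names. Kernel threads own no TCP
# sockets, so any netstat row attributed to one of these names is a userland impostor.
KERNEL_THREAD_RE = re.compile(
    r"(?:^|/)(?:kswapd\d*|kthreadd|ksoftirqd|kworker|migration|rcu_sched|rcu_bh)(?:/|$)"
)


def parse_netstat(text):
    """Return one dict per TCP row with a PID: pid, prog, state, remote_ip, remote_port."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, UDP rows and rows with no owning PID are skipped
        ip, _, port = m["remote"].rpartition(":")  # rpartition keeps IPv6 addresses intact
        rows.append({"pid": int(m["pid"]), "prog": m["prog"], "state": m["state"],
                     "remote_ip": ip, "remote_port": port})
    return rows


def outbound_ssh_scanners(rows, min_targets=3):
    """PIDs with half-open (SYN_SENT) connections to port 22 on at least min_targets distinct hosts."""
    targets, prog = defaultdict(set), {}
    for r in rows:
        if r["state"] == "SYN_SENT" and r["remote_port"] == "22":
            targets[r["pid"]].add(r["remote_ip"])
            prog[r["pid"]] = r["prog"]
    return {pid: {"prog": prog[pid], "targets": sorted(t)}
            for pid, t in targets.items() if len(t) >= min_targets}


def kernel_thread_impostors(rows):
    """Socket-owning processes whose program name imitates a kernel thread (e.g. './kswapd0')."""
    return {r["pid"]: r["prog"] for r in rows if KERNEL_THREAD_RE.search(r["prog"])}


def failed_logins_by_source(text):
    """Count 'Failed password' events per source address in sshd auth-log text."""
    return Counter(m["src"] for m in map(FAILED_RE.search, text.splitlines()) if m)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("outbound SSH scanners:", outbound_ssh_scanners(rows))
    print("kernel-thread impostors:", kernel_thread_impostors(rows))
    print("failed logins by source:", failed_logins_by_source(SAMPLE_AUTH_LOG))
```

Run it against real output by piping `sudo netstat -antp` into parse_netstat; a PID that both appears in outbound_ssh_scanners and in kernel_thread_impostors is the strongest candidate for the process AWS is reporting, and /proc/<pid>/exe and /proc/<pid>/cwd will show which on-disk file it actually is.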