lsof -i and ps -ef
Both of those are legitimate commands? 'lsof -i' lists open files associated with your internet, and 'ps -ef' displays a full listing of all processes running on your server.
@gndo That's a link to an album I posted which shows the result of lsof -i and ps -ef.
I followed this: https://www.digitalocean.com/community/questions/my-droplet-has-been-compromised-and-is-sending-an-outgoing-flood-or-ddos-what-do-i-do
but I can't figure out which one is the problematic process. I'm new to running servers (I've only had this droplet for a day) so any help is appreciated.
@ra - those output listings look legitimate, except I don't recognize the 'acdnfhruv' command. Rather than visually guessing at which of those could be compromised it may be better to use the automated tools prescribed in that tutorial, IMHO. Good luck.
Install iftop, run iftop -NPn
See port of high bandwidth connections.
Run netstat -tulpn | grep :<port number>
This should return the PID
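The port-to-PID step above as a script. This is an added example, not part of the original answer. It assumes `netstat -tunap` rather than `-tulpn`, because `-l` lists only listening sockets and an outgoing flood shows up as established connections to a remote port. The helper names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tunap` output. Addresses and PIDs are made up;
# the program name is the unrecognized one mentioned in the thread.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             198.51.100.7:51234      ESTABLISHED 1042/sshd: root
tcp        0   5120 10.0.0.5:48211          203.0.113.9:80          ESTABLISHED 2317/acdnfhruv
tcp        0   4096 10.0.0.5:48212          203.0.113.9:80          ESTABLISHED 2317/acdnfhruv
udp        0      0 10.0.0.5:39001          203.0.113.9:53                      2317/acdnfhruv
tcp6       0      0 :::80                   :::*                    LISTEN      880/nginx: master'

# pids_for_port PORT: read netstat output on stdin and print "PID side" for each
# process owning a socket whose local or remote port equals PORT.
pids_for_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            lport = $4; sub(/.*:/, "", lport)   # drop the address, keep the port (works for IPv6)
            rport = $5; sub(/.*:/, "", rport)
            if (lport != port && rport != port) next
            side = (lport == port) ? "local" : "remote"
            # UDP rows may have no State column, so search for the PID/Program field
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { split($i, a, "/"); print a[1], side; break }
        }' | sort -u
}

# describe_pid PID: show what is actually running before deciding what to do with it.
describe_pid() {
    [ -d "/proc/$1" ] || { echo "pid $1: not running"; return 1; }
    echo "pid $1"
    # A "(deleted)" suffix on exe means the binary was removed from disk after launch.
    echo "  exe:     $(readlink "/proc/$1/exe" 2>/dev/null)"
    echo "  cmdline: $(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
    echo "  cwd:     $(readlink "/proc/$1/cwd" 2>/dev/null)"
}

# Demo on the constructed sample. On a live host, as root:
#   netstat -tunap | pids_for_port 80 | while read -r pid side; do describe_pid "$pid"; done
printf '%s\n' "$SAMPLE" | pids_for_port 80
```

A "remote" match is a process connecting out to that port, while a "local" match is a service on the droplet using it. The same port number can belong to both, as port 80 does in the sample.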