I think my server has become part of a botnet, but ClamAV can’t find anything

I know virtually nothing about Ubuntu so please be gentle. Recently my server host has contacted me saying they suspect my server is part of a botnet, specifically one that probes TCP ports. They’ve sent me logs, and it seems I’ve got a virus. I’ve run a full scan using ClamAV and it couldn’t find anything. I’m at a loss as to what to do. When I run the top command, a process with the command cron is using up almost all of the CPU (~99%) so I’m assuming this has something to do with it. All help is appreciated, thanks!

Question on a decentralized botnet, is this technically how communications would flow? (Flowchart)

I am trying to get into and researching botnets, to help myself learn and others prevent attacks. First thing is understanding how decentralized botnets work.

I asked a question yesterday explaining some things, then I made this flow chart to better visualize whether this is how a decentralized botnet would communicate. Please, any corrections are encouraged.

(flowchart image not reproduced here)

Gmail (Dot) Phishing Attack From Avalanche Botnet

I’m a full-stack web developer working in a small startup and have been wearing many hats as a result. I am by no means a cyber or information security expert. I’m looking for a general evaluation of severity and potential steps I can take as we seem to have been probed by a phishing botnet which is more advanced than what I am used to.

My application is a small MVP, LAMP stack and deployed on AWS a few weeks ago. It hasn’t been promoted or publicized in any way. Nevertheless, I seemed to be getting scraped by various bots, and this wasn’t a concern for me because in my experience this is a common occurrence once you network your deployment on a popular service like AWS.

Then, I noticed something more unusual in my experience, which is some spammy logins and account creation. Still, nothing too concerning because at the application level we have appropriate roles for new users and I was pretty confident this was just going to be an annoyance.

Finally, I started noticing similar emails pop up in the list I identified as spam. Pretty soon I noticed a pattern – they were all @gmail and all the same accounts – except they had “.” (periods) in randomly different places. Now I know this means, according to Gmail, that it goes to the same email address.

But then I got concerned that it was going to be a phishing attack because someone could take my email and append a dot in the middle and send emails my way from their account. I thought also if they established an XSS attack they could use this to direct me more easily to the page, and I’m sure there are other things they could do.

A couple notes about these accounts: they weren’t the kinds of bots (if it was a bot) I am used to. The different variations of the same address were small in volume, only three and spread out over several days. When I traced the IP it came back as being on a blacklist associated with the Avalanche botnet. At this point I was a bit intimidated but I couldn’t find any information specifically on Avalanche and this gmail quirk. I also read that Avalanche had largely been taken down by the authorities, so was a bit concerned about this as well.

To pin down my question:

1) Given the nature of the account creation – was it a human being doing this or likely a bot? Was I targeted specifically or is this bot just hitting all AWS IPs, for example? Is the Avalanche bot advanced enough to space out the account creation so it doesn’t look like the more obvious bots and spam attacks?

2) I feel like another shoe has to drop here – obviously I can quickly create some application logic to get rid of treating gmails and other emails with dots as separate accounts – but that in and of itself seems like their setup, not their final play. Should I be worried about other exploits on my system? I have set up proper security groups, SSH keys, SSL and have separate servers for my different services.

3) How worried should I be? Is this just part of life on the internet? I just have never seen this bot before and am worried this is only part 1 of a targeted attack – again we have only about 20 users in the database – most of whom are internal company accounts. So I’m worried that we are already dealing with this kind of attack at our small scale.

4) What can I do to mitigate this kind of phishing attack beyond sanitizing the dots thing? Are there some canonical resources for these kinds of exploits? I didn’t think about the dots until after I noticed the similarities in the three emails.

EDIT: I should mention I am still going through the logs and trying to find what else this IP/user/bot was doing besides creating these accounts… but my guess is I won’t find much and it is a lot to go through because of how my AWS is spacing out the logs and the fact that we were testing a load balancer for a while.

Thank you so much 🙂
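The application-level fix the poster mentions in question 2 (stop treating dotted Gmail variants as separate accounts) comes down to storing a canonical form of every address and enforcing uniqueness on it, which also makes the three spread-out signups in the post collapse into one identity in the logs. The code below is an added example, not the poster's code; it assumes Gmail's documented rules (dots in the local part are ignored, `+suffix` is ignored, `googlemail.com` is an alias of `gmail.com`) and applies them only to those domains, since other providers treat dots as significant. The sample signup records are constructed.

```python
"""Canonicalize Gmail-style addresses and group signups by real identity.
Added example; the dot/plus rules are applied only to the domains listed."""
from collections import defaultdict

# Assumption: domains for which dots and "+tags" in the local part are ignored.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_email(addr):
    """Return the identity an address actually delivers to.

    Non-Gmail domains are only lower-cased, because for them "a.b@x" and
    "ab@x" really can be different mailboxes.
    """
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_signups(records):
    """records: iterable of (email, source_ip, timestamp).
    Returns {canonical_email: [record, ...]}."""
    groups = defaultdict(list)
    for email, ip, ts in records:
        groups[canonical_email(email)].append((email, ip, ts))
    return groups


def suspicious_groups(records, min_variants=2):
    """Identities that registered under at least `min_variants` spellings,
    i.e. exactly the pattern the post describes."""
    out = {}
    for canon, rows in group_signups(records).items():
        spellings = sorted({row[0].lower() for row in rows})
        if len(spellings) >= min_variants:
            out[canon] = spellings
    return out


# Constructed sample signups (documentation IP range, invented dates).
SAMPLE_SIGNUPS = [
    ("john.doe@gmail.com", "203.0.113.5", "2019-01-02"),
    ("alice@example.org", "203.0.113.7", "2019-01-03"),
    ("jo.hn.doe@gmail.com", "203.0.113.5", "2019-01-05"),
    ("johndoe+promo@googlemail.com", "203.0.113.9", "2019-01-09"),
]

if __name__ == "__main__":
    for canon, spellings in suspicious_groups(SAMPLE_SIGNUPS).items():
        print(canon, "registered as", spellings)
```

In the signup path, compute `canonical_email` before the uniqueness check and keep the user's original spelling only for display; a unique index on the canonical column is what actually closes the gap, since the check in application code alone races with concurrent requests.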

How does the server-client scheme work in a botnet?

I am having trouble wrapping my head around the idea of how a server-client botnet structure actually works.

Let’s say that the server is A, and the client is B.

  • We know A is listening always on port 1000, and A is the infected machine.
  • We know B is the attacker on his end and can connect to A at any time since there is an open port and server running on the infected machine.

My question is how does B (the attacker) even know when A (the infected) is online, if B (the attacker) does not have a server running listening for connections incoming from infected machines?

For example, if the attacker is spreading his install file for his botnet, how would he even know when computers are infected with their server indeed running if he does not have something listening for established connections?

Thanks in advance.

Confirming Chromebooks in Possible Botnet Attack

I’ve been seeing Chromebooks at 5 different schools exhibiting the same behavior, spoofing their own IP address as 100.115.92.1 and sending packets to OpenDNS or AWS addresses. I’m guessing this is part of a DNS reflection attack.

This is even occurring when schools have locked down the Chromebooks well, disallowing extensions, developer mode, and personal (non-organization) logins.

The Chromebooks are on their own SSIDs and VLANs where the packets are originating, so I don’t think the MAC addresses are being spoofed. The 5 schools are mostly unrelated as organizations, but their networks and technology are entirely separate.

So far, the firewall seems to be catching the spoofed packets and dropping them, but I’m hoping to find a way to find the cause and eliminate it.

Google support has run out of ideas, so if anyone has any insight into how I might locate what seems to be some Chrome OS malware, or is seeing this issue as well, I’d love to hear from you.
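Since the post says the firewall is already dropping the spoofed packets, the firewall's own log is the quickest way to tie the behaviour to individual devices: on a VLAN whose clients can only legitimately hold addresses from its DHCP scope, any packet whose source lies outside that scope is spoofed, and the source MAC (which the post notes is not being spoofed) identifies the Chromebook via the switch or DHCP lease table. The script below is an added example, not the poster's code or anything Google ships; it generalizes from the single address in the post to a per-VLAN allowed-prefix check. The VLAN-to-prefix table, the simplified log format and the log lines themselves are constructed.

```python
"""Flag egress packets whose source address does not belong to the VLAN they
arrived on, and attribute them to the emitting MAC. Added example."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption (constructed): each client VLAN interface and the prefix its
# DHCP scope hands out. Anything else as a source on that interface is spoofed.
VLAN_PREFIXES = {
    "vlan30": ipaddress.ip_network("10.30.0.0/16"),
    "vlan31": ipaddress.ip_network("10.31.0.0/16"),
}

# Constructed, simplified firewall log format (not a specific product's).
LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) MAC=(?P<mac>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the packet fields as a dict, or None for lines we don't understand."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_spoofed(rec):
    """True when the source address is not valid for the ingress VLAN."""
    net = VLAN_PREFIXES.get(rec["iface"])
    if net is None:
        return False  # uplink or unknown interface: no opinion
    try:
        return ipaddress.ip_address(rec["src"]) not in net
    except ValueError:
        return True  # unparsable source is not a legitimate client either


def find_spoofing_hosts(lines):
    """Return {mac: Counter({(src, dst, dpt): count})} for every MAC that
    emitted at least one spoofed packet."""
    hosts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and is_spoofed(rec):
            hosts[rec["mac"]][(rec["src"], rec["dst"], rec["dpt"])] += 1
    return dict(hosts)


# Constructed log lines: documentation-range destinations, invented MACs.
SAMPLE_LOG = [
    "Mar  3 10:01:12 fw kernel: DROP IN=vlan30 MAC=aa:bb:cc:00:00:01 "
    "SRC=100.115.92.1 DST=198.51.100.53 PROTO=UDP SPT=53 DPT=53",
    "Mar  3 10:01:13 fw kernel: ACCEPT IN=vlan30 MAC=aa:bb:cc:00:00:02 "
    "SRC=10.30.4.17 DST=198.51.100.53 PROTO=UDP SPT=51234 DPT=53",
    "Mar  3 10:01:14 fw kernel: DROP IN=vlan30 MAC=aa:bb:cc:00:00:01 "
    "SRC=100.115.92.1 DST=198.51.100.53 PROTO=UDP SPT=53 DPT=53",
    "Mar  3 10:01:15 fw kernel: DROP IN=vlan31 MAC=aa:bb:cc:00:00:03 "
    "SRC=10.30.9.9 DST=203.0.113.10 PROTO=TCP SPT=4444 DPT=80",
]

if __name__ == "__main__":
    for mac, flows in find_spoofing_hosts(SAMPLE_LOG).items():
        for (src, dst, dpt), n in flows.most_common():
            print(f"{mac}: {n} packets claiming {src} -> {dst}:{dpt}")
```

The fourth sample line shows why the per-VLAN rule is worth the extra table: a source that is a valid address on the wrong VLAN is just as spoofed as 100.115.92.1, and a single-address match would miss it. Once a MAC is identified, the device can be pulled from the network and examined, and the same source-prefix rule can be enforced as an egress filter on each client VLAN so the packets never reach the firewall.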