I built a test environment in my MicroSever Gen8, while these days I found some strange things that one server would upload lots of data to some sites and consumed all of my upload bandwidth.
I tried to find what program caused this issue, while it was hard for me. I found some programs were executed frequently, while they changed very fast, and all of them were called by the process with pid 1, which meant they were called by init or by some service in the background.
I checked the service scripts, and did find one strange one. I searched the name with Google while no any information about it, so I deleted it. Oh, I got another one! I had to take great care of it now. I found it called something in the /etc/cron.hourly, which was a script. And when I run rpm -qaV, I found /etc/crontab was modified, then I found one job was created and also called the same job as in the cron.hourly.
So I did be attacked by someone!
I tried to remove all of them while failed, and finally I had to use the installation disc to enter the rescue mode to fix this issue.
OK, I got a good lesson learnt: Never use simple password, even this is a test environment.