Suspicious Outbound
Difficulty: hard · Critical asset
NDR flagged sustained outbound traffic from WEB-PROD-02 (10.12.44.18) to 45.61.152.77 (AS209588, hosting provider, non-business country).
Volume: 4.8 GB total between 02:00 and 04:00 UTC.
Protocol: TLS over TCP/443 (SNI: cdn-static-img[.]info — certificate self-signed, CN=localhost).
Host metrics: CPU 94% peak during the window, unusual for this host (baseline ~25%).
WEB-PROD-02 serves the customer portal (prod.acme-corp.com) and reads from DB-PROD-01 which stores customer PII. No scheduled backup, patch, or deployment job matches this window.
Please triage and respond.
— NDR / NetSec
Evidence
Flow summary + process snapshot
# NetFlow summary (WEB-PROD-02 → 45.61.152.77)
02:01:44 start bytes_out=12KB
02:01:46 ... bytes_out growing at ~670 KB/s
03:59:22 end total bytes_out=4.81 GB bytes_in=3.2 MB
# Process snapshot captured 04:05 UTC by EDR
PID USER %CPU CMD
811 www 94.0 /tmp/.cache/sysmond -c /tmp/.cache/.conf
812 www 2.1 nginx: worker process
190 root 0.8 /usr/sbin/sshd
/tmp/.cache/sysmond — not signed, SHA256 8f1a...c4e2 — VirusTotal: 44/72 (linux.backdoor.*).
Persistence: cron entry "*/5 * * * * /tmp/.cache/sysmond" under www user.
# DNS
cdn-static-img[.]info -> 45.61.152.77 (registered 11 days ago, privacy-protected registrar)
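To show how the indicators above combine into a triage decision, here is an added example (not part of the original alert or the NDR/EDR tooling) that parses a constructed copy of the process snapshot, flow summary and cron entry and flags the three signals an analyst would weigh: execution from a world-writable directory, a one-sided high-volume flow, and cron persistence. The thresholds and directory list are assumptions.

```python
# Constructed sample input modelled on the evidence above; not a real capture.
PROCESS_SNAPSHOT = """\
PID USER %CPU CMD
811 www 94.0 /tmp/.cache/sysmond -c /tmp/.cache/.conf
812 www 2.1 nginx: worker process
190 root 0.8 /usr/sbin/sshd
"""
FLOW_SUMMARY = {"dst": "45.61.152.77", "bytes_out": 4.81 * 1024**3,
                "bytes_in": 3.2 * 1024**2, "start": "02:01:44", "end": "03:59:22"}
CRON_ENTRIES = {"www": ["*/5 * * * * /tmp/.cache/sysmond"]}

# Assumed triage thresholds: binaries under these paths are untrusted on a
# production host; >1 GiB out with a lopsided out/in ratio is an exfil pattern.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
BYTES_OUT_THRESHOLD = 1 * 1024**3
OUT_IN_RATIO_THRESHOLD = 100
CPU_THRESHOLD = 80.0


def parse_processes(snapshot):
    """Parse the EDR snapshot (header + 'PID USER %CPU CMD' rows) into dicts."""
    rows = []
    for line in snapshot.splitlines()[1:]:
        pid, user, cpu, cmd = line.split(maxsplit=3)
        rows.append({"pid": int(pid), "user": user, "cpu": float(cpu), "cmd": cmd})
    return rows


def triage(snapshot, flow, cron):
    """Return the list of findings that justify containment of the host."""
    findings = []
    for p in parse_processes(snapshot):
        binary = p["cmd"].split()[0]
        if binary.startswith(WORLD_WRITABLE_DIRS):
            findings.append(f"pid {p['pid']}: executes from world-writable path {binary}")
        if p["cpu"] >= CPU_THRESHOLD:
            findings.append(f"pid {p['pid']}: CPU {p['cpu']}% exceeds {CPU_THRESHOLD}%")
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)
    if flow["bytes_out"] >= BYTES_OUT_THRESHOLD and ratio > OUT_IN_RATIO_THRESHOLD:
        findings.append(f"flow to {flow['dst']}: {flow['bytes_out'] / 1024**3:.2f} GiB out, "
                        f"out/in ratio {ratio:.0f}:1 (exfiltration pattern)")
    for user, entries in cron.items():
        for entry in entries:
            cmd = entry.split(maxsplit=5)[5]   # schedule fields are the first five tokens
            if cmd.startswith(WORLD_WRITABLE_DIRS):
                findings.append(f"cron ({user}): persistence via {cmd}")
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_SNAPSHOT, FLOW_SUMMARY, CRON_ENTRIES):
        print("FINDING:", f)
```

Any non-empty result for a critical asset should trigger isolation of the host and a PII-exposure assessment against DB-PROD-01, since the flow volume alone cannot tell you what was read.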
Affected asset
Name: WEB-PROD-02 (10.12.44.18)
Type: Production Linux web server (customer portal front-end)
Owner: Platform Team · SRE
Level: Critical