
Your server has been compromised

Reminder: You are the sole administrator of your VPS, and are therefore responsible for the actions performed on it. If your VPS is used by a third party without your knowledge (hack, password leak, etc.) you may be held responsible for the actions performed by them. If you suspect that access to your VPS has been compromised, it is imperative that you take appropriate measures to block this access.

Several signs can indicate that access to your server has been compromised. These may include:

Unauthorized access discovery following log analysis
Abnormal behaviors on your VPS (high CPU usage, large outgoing network flow, abuse reports, outgoing spam, etc.)
A report from our technical support
Something you don't recognize on your VPS

Whenever one of these elements suggests that your access has been compromised, it is necessary to act very quickly in order to restore the situation. The actions carried out through these compromised accesses can indeed be illegal (sending mass SPAM, use as a VPN, phishing hosting, DDoS attacks, etc.), or make your server unusable (very high CPU usage preventing your VPS from functioning normally).

It is unfortunately very complex, if not impossible, to completely clean a server, and to ensure that no backdoor is still present, allowing the attacker to return to the server. It is therefore highly recommended to completely reinstall your VPS if you discover that it has been compromised.

If you don't have the possibility to reinstall the server immediately, we recommend the following actions:

1/ Check current processes

You can very easily list the current processes with the following command:

root@Helpdesk:~# ps aux


You will then get a list of all processes active on the VPS. If some of them seem abnormal to you, you can easily check the path of the corresponding executable to take the necessary actions.

You can also install the htop package to see resource usage on your VPS and list processes in order of CPU consumption.

root@Helpdesk:~# apt-get install htop
root@Helpdesk:~# htop


You can exit htop by pressing F10 or Ctrl+C.
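As an added example (not part of the original article), the following script automates the first pass over the process list: it flags processes whose executable lives in a temporary or memory-backed directory, whose binary has been deleted from disk while still running, or which pin the CPU. The process names, paths and the 90% CPU threshold are constructed assumptions for illustration; the live mode reads the real process table via ps and /proc.

```shell
#!/bin/sh
# Added example, not from the original article: a first-pass triage of the
# process list.  It flags processes whose executable lives in a temporary
# or memory-backed directory, whose binary has been deleted from disk, or
# which are pinning the CPU.  The sample listing below is constructed.

# flag_suspicious: read "PID USER %CPU ARGS [EXE]" lines on stdin (header
# on the first line, as produced by list_processes) and print the ones
# worth inspecting, with the reason.
flag_suspicious() {
    awk '
        NR == 1 { next }                           # skip the ps header
        {
            reason = ""
            if (match($0, "(^| |\\[)(/tmp|/var/tmp|/dev/shm)/[^] ]*")) {
                p = substr($0, RSTART, RLENGTH)
                if (substr(p, 1, 1) != "/") p = substr(p, 2)   # drop leading " " or "["
                reason = "runs from " p
            } else if ($0 ~ /\(deleted\)/) {
                reason = "executable deleted from disk"
            } else if ($3 + 0 >= 90) {             # threshold is an assumption
                reason = "sustained high CPU (" $3 "%)"
            }
            if (reason != "") printf "PID %s (%s): %s\n", $1, $2, reason
        }'
}

# list_processes: live listing sorted by CPU, with the resolved path of
# /proc/PID/exe appended in brackets, so that a binary started from /tmp
# as "./x", or unlinked after launch, is still visible.
list_processes() {
    ps -eo pid,user,pcpu,args --sort=-pcpu | while read -r pid user cpu args; do
        if [ "$pid" = "PID" ]; then
            echo "$pid $user $cpu $args"
            continue
        fi
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        echo "$pid $user $cpu $args${exe:+ [$exe]}"
    done
}

# Constructed sample in the same format, for a dry run without root.
SAMPLE_PS='PID USER %CPU ARGS
  412 root 0.0 /usr/sbin/sshd -D [/usr/sbin/sshd]
 2231 www-data 98.7 ./kworkerds [/tmp/.x/kworkerds]
 2240 www-data 1.2 /bin/sh -c /dev/shm/.s/run.sh [/bin/dash]
 2301 mysql 3.4 /usr/sbin/mysqld [/usr/sbin/mysqld (deleted)]'

if [ "${1-}" = "--live" ]; then
    list_processes | flag_suspicious
else
    printf '%s\n' "$SAMPLE_PS" | flag_suspicious
fi
```

Run it as root with `--live` on the VPS to triage the real process table. A "deleted" executable is not proof of compromise on its own: a service that was not restarted after a package upgrade shows the same thing, so confirm with the package manager before acting. A web-server user running something out of /tmp or /dev/shm, however, almost always deserves a closer look.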

2/ Run an antivirus scan on the VPS

The "clamav" package allows you to easily scan your VPS files for known malware or backdoors. It can be used in a very simple way:

root@Helpdesk:~# apt-get install clamav
root@Helpdesk:~# freshclam
root@Helpdesk:~# clamscan -r --bell -i /


This will launch a scan of all the files in the VPS and will list the files considered dangerous. Note that this scan may take several minutes (or hours) depending on the amount of data on your VPS and the resources of your plan.
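Because the scan can run for hours, it is worth logging it to a file and reviewing the findings afterwards rather than watching the terminal. The following script is an added example, not part of the original article: it runs the same clamscan with a log file and without descending into the kernel pseudo-filesystems, then extracts the FOUND lines and the infected-file count from the log. The log path is an assumption and the sample log (including the signature names) is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: run the same clamscan, but
# log the result to a file, skip the kernel pseudo-filesystems, and extract
# the findings afterwards so a scan that ran for hours can be reviewed.
# The log location is an assumption and the sample log is constructed.

SCAN_LOG=${SCAN_LOG:-/var/log/clamscan-triage.log}

# run_scan: recursive scan of / that only reports infected files (-i) and
# writes everything to $SCAN_LOG.  /proc, /sys, /dev and /run hold no
# regular files worth scanning and only slow the scan down.
run_scan() {
    clamscan -r -i --log="$SCAN_LOG" \
        --exclude-dir='^/proc' --exclude-dir='^/sys' \
        --exclude-dir='^/dev'  --exclude-dir='^/run' /
}

# list_findings: print "SIGNATURE<TAB>PATH" for each "path: Signature FOUND"
# line of a clamscan log read on stdin.
list_findings() {
    awk '/ FOUND$/ {
        sig = $(NF - 1)
        path = $0
        sub(/: [^:]* FOUND$/, "", path)   # drop ": Signature FOUND"
        print sig "\t" path
    }'
}

# infected_count: the "Infected files" figure from the scan summary.
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2 }'
}

# Constructed sample of what clamscan -i writes (paths and signature
# names invented for the example).
SAMPLE_LOG='/var/www/html/uploads/.cache.php: Php.Webshell.Generic-1 FOUND
/proc: Excluded
/tmp/.x/kworkerds: Unix.Trojan.Miner-2 FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 4212
Scanned files: 31870
Infected files: 2
Time: 1842.113 sec (30 m 42 s)'

if [ "${1-}" = "--live" ]; then
    run_scan || true          # clamscan exits 1 when something is found, 2 on error
    list_findings < "$SCAN_LOG"
    printf 'infected files: %s\n' "$(infected_count < "$SCAN_LOG")"
else
    printf '%s\n' "$SAMPLE_LOG" | list_findings
    printf 'infected files: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | infected_count)"
fi
```

Run it as root with `--live` after `freshclam` has updated the signatures. Keep the log: the list of paths tells you which services or accounts the attacker reached, which is useful input when you decide what to restore after the reinstall. A clean scan is not a guarantee of a clean server, for the reason given above: clamav only knows signatures it has been given.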

3/ Make your VPS more secure

We invite you to quickly follow our guide **Increase server security**, in order to avoid new illicit accesses to your VPS.

Updated on: 22/05/2023
